    drm/i915: Hold rcu_read_lock when iterating over the radixtree (objects) · 23e87338
    Chris Wilson authored
    Kasan spotted
    
        [IGT] gem_tiled_pread_pwrite: exiting, ret=0
        ==================================================================
        BUG: KASAN: use-after-free in __i915_gem_object_reset_page_iter+0x15c/0x170 [i915]
        Read of size 8 at addr ffff8801359da310 by task kworker/3:2/182
    
        CPU: 3 PID: 182 Comm: kworker/3:2 Tainted: G     U          4.14.0-rc6-CI-Custom_3340+ #1
        Hardware name: Intel Corp. Geminilake/GLK RVP1 DDR4 (05), BIOS GELKRVPA.X64.0062.B30.1708222146 08/22/2017
        Workqueue: events __i915_gem_free_work [i915]
        Call Trace:
         dump_stack+0x68/0xa0
         print_address_description+0x78/0x290
         ? __i915_gem_object_reset_page_iter+0x15c/0x170 [i915]
         kasan_report+0x23d/0x350
         __asan_report_load8_noabort+0x19/0x20
         __i915_gem_object_reset_page_iter+0x15c/0x170 [i915]
         ? i915_gem_object_truncate+0x100/0x100 [i915]
         ? lock_acquire+0x380/0x380
         __i915_gem_object_put_pages+0x30d/0x530 [i915]
         __i915_gem_free_objects+0x551/0xbd0 [i915]
         ? lock_acquire+0x13e/0x380
         __i915_gem_free_work+0x4e/0x70 [i915]
         process_one_work+0x6f6/0x1590
         ? pwq_dec_nr_in_flight+0x2b0/0x2b0
         worker_thread+0xe6/0xe90
         ? pci_mmcfg_check_reserved+0x110/0x110
         kthread+0x309/0x410
         ? process_one_work+0x1590/0x1590
         ? kthread_create_on_node+0xb0/0xb0
         ret_from_fork+0x27/0x40
    
        Allocated by task 1801:
         save_stack_trace+0x1b/0x20
         kasan_kmalloc+0xee/0x190
         kasan_slab_alloc+0x12/0x20
         kmem_cache_alloc+0xdc/0x2e0
         radix_tree_node_alloc.constprop.12+0x48/0x330
         __radix_tree_create+0x274/0x480
         __radix_tree_insert+0xa2/0x610
         i915_gem_object_get_sg+0x224/0x670 [i915]
         i915_gem_object_get_page+0xb5/0x1c0 [i915]
         i915_gem_pread_ioctl+0x822/0xf60 [i915]
         drm_ioctl_kernel+0x13f/0x1c0
         drm_ioctl+0x6cf/0x980
         do_vfs_ioctl+0x184/0xf30
         SyS_ioctl+0x41/0x70
         entry_SYSCALL_64_fastpath+0x1c/0xb1
    
        Freed by task 37:
         save_stack_trace+0x1b/0x20
         kasan_slab_free+0xaf/0x190
         kmem_cache_free+0xbf/0x340
         radix_tree_node_rcu_free+0x79/0x90
         rcu_process_callbacks+0x46d/0xf40
         __do_softirq+0x21c/0x8d3
    
        The buggy address belongs to the object at ffff8801359da0f0
        which belongs to the cache radix_tree_node of size 576
        The buggy address is located 544 bytes inside of
        576-byte region [ffff8801359da0f0, ffff8801359da330)
        The buggy address belongs to the page:
        page:ffffea0004d67600 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
        flags: 0x8000000000008100(slab|head)
        raw: 8000000000008100 0000000000000000 0000000000000000 0000000100110011
        raw: ffffea0004b52920 ffffea0004b38020 ffff88015b416a80 0000000000000000
        page dumped because: kasan: bad access detected
    
        Memory state around the buggy address:
         ffff8801359da200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
         ffff8801359da280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
        >ffff8801359da300: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
    			     ^
         ffff8801359da380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
         ffff8801359da400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
        ==================================================================
        Disabling lock debugging due to kernel taint
    
    which looks like the slab containing the radixtree iter was freed as we
    traversed the tree; taking the rcu read lock across the loop should
    prevent that (deferring all the frees until the end).
    Reported-by: Tomi Sarvela <tomi.p.sarvela@intel.com>
    Fixes: 96d77634 ("drm/i915: Use a radixtree for random access to the object's backing storage")
    Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
    Cc: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
    Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
    Link: https://patchwork.freedesktop.org/patch/msgid/20171026130032.10677-1-chris@chris-wilson.co.uk
    Reviewed-by: Matthew Auld <matthew.william.auld@gmail.com>
    (cherry picked from commit bea6e987)
    Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>