[PATCH] drm/i915/gvt: Prevent use-after-free in ppgtt_free_all_spt()

[PATCH] drm/i915/gvt: Prevent use-after-free in ppgtt_free_all_spt()

[Chris Wilson]

ppgtt_free_all_spt() iterates the radixtree as it is deleting it,
forgoing all protection against the leaves being freed in the process
(leaving the iter pointing into the void).

A minimal fix seems to be to use the available post_shadow_list to
decompose the tree into a list prior to destroying the radixtree.

Alerted by the sparse warnings:

drivers/gpu/drm/i915/gvt/gtt.c:757:9: warning: incorrect type in assignment (different address spaces)
drivers/gpu/drm/i915/gvt/gtt.c:757:9:    expected void **slot
drivers/gpu/drm/i915/gvt/gtt.c:757:9:    got void [noderef] <asn:4> **
drivers/gpu/drm/i915/gvt/gtt.c:757:9: warning: incorrect type in assignment (different address spaces)
drivers/gpu/drm/i915/gvt/gtt.c:757:9:    expected void **slot
drivers/gpu/drm/i915/gvt/gtt.c:757:9:    got void [noderef] <asn:4> **
drivers/gpu/drm/i915/gvt/gtt.c:758:45: warning: incorrect type in argument 1 (different address spaces)
drivers/gpu/drm/i915/gvt/gtt.c:758:45:    expected void [noderef] <asn:4> **slot
drivers/gpu/drm/i915/gvt/gtt.c:758:45:    got void **slot
drivers/gpu/drm/i915/gvt/gtt.c:757:9: warning: incorrect type in argument 1 (different address spaces)
drivers/gpu/drm/i915/gvt/gtt.c:757:9:    expected void [noderef] <asn:4> **slot
drivers/gpu/drm/i915/gvt/gtt.c:757:9:    got void **slot
drivers/gpu/drm/i915/gvt/gtt.c:757:9: warning: incorrect type in assignment (different address spaces)
drivers/gpu/drm/i915/gvt/gtt.c:757:9:    expected void **slot
drivers/gpu/drm/i915/gvt/gtt.c:757:9:    got void [noderef] <asn:4> **

This would also have been loudly warning if run through CI for the
invalid RCU dereferences.

Fixes: b6c126a39345 ("drm/i915/gvt: Manage shadow pages with radix tree")
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Changbin Du <changbin.du@intel.com>
Cc: Zhenyu Wang <zhenyuw@linux.intel.com>
Cc: Zhi Wang <zhi.a.wang@intel.com>
---
 drivers/gpu/drm/i915/gvt/gtt.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/drivers/gpu/drm/i915/gvt/gtt.c b/drivers/gpu/drm/i915/gvt/gtt.c
index cf133ef03873..9814773882ec 100644
--- a/drivers/gpu/drm/i915/gvt/gtt.c
+++ b/drivers/gpu/drm/i915/gvt/gtt.c
@@ -750,14 +750,20 @@ static void ppgtt_free_spt(struct intel_vgpu_ppgtt_spt *spt)
 
 static void ppgtt_free_all_spt(struct intel_vgpu *vgpu)
 {
-	struct intel_vgpu_ppgtt_spt *spt;
+	struct intel_vgpu_ppgtt_spt *spt, *spn;
 	struct radix_tree_iter iter;
-	void **slot;
+	LIST_HEAD(all_spt);
+	void __rcu **slot;
 
+	rcu_read_lock();
 	radix_tree_for_each_slot(slot, &vgpu->gtt.spt_tree, &iter, 0) {
 		spt = radix_tree_deref_slot(slot);
-		ppgtt_free_spt(spt);
+		list_move(&spt->post_shadow_list, &all_spt);
 	}
+	rcu_read_unlock();
+
+	list_for_each_entry_safe(spt, spn, &all_spt, post_shadow_list)
+		ppgtt_free_spt(spt);
 }
 
 static int ppgtt_handle_guest_write_page_table_bytes(
-- 
2.20.1

_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx

Re: [PATCH] drm/i915/gvt: Prevent use-after-free in ppgtt_free_all_spt()

[Zhenyu Wang]

[-- Attachment #1.1: Type: text/plain, Size: 3368 bytes --]

On 2019.04.04 08:30:56 +0100, Chris Wilson wrote:
> ppgtt_free_all_spt() iterates the radixtree as it is deleting it,
> forgoing all protection against the leaves being freed in the process
> (leaving the iter pointing into the void).
> 
> A minimal fix seems to be to use the available post_shadow_list to
> decompose the tree into a list prior to destroying the radixtree.
> 
> Alerted by the sparse warnings:
> 
> drivers/gpu/drm/i915/gvt/gtt.c:757:9: warning: incorrect type in assignment (different address spaces)
> drivers/gpu/drm/i915/gvt/gtt.c:757:9:    expected void **slot
> drivers/gpu/drm/i915/gvt/gtt.c:757:9:    got void [noderef] <asn:4> **
> drivers/gpu/drm/i915/gvt/gtt.c:757:9: warning: incorrect type in assignment (different address spaces)
> drivers/gpu/drm/i915/gvt/gtt.c:757:9:    expected void **slot
> drivers/gpu/drm/i915/gvt/gtt.c:757:9:    got void [noderef] <asn:4> **
> drivers/gpu/drm/i915/gvt/gtt.c:758:45: warning: incorrect type in argument 1 (different address spaces)
> drivers/gpu/drm/i915/gvt/gtt.c:758:45:    expected void [noderef] <asn:4> **slot
> drivers/gpu/drm/i915/gvt/gtt.c:758:45:    got void **slot
> drivers/gpu/drm/i915/gvt/gtt.c:757:9: warning: incorrect type in argument 1 (different address spaces)
> drivers/gpu/drm/i915/gvt/gtt.c:757:9:    expected void [noderef] <asn:4> **slot
> drivers/gpu/drm/i915/gvt/gtt.c:757:9:    got void **slot
> drivers/gpu/drm/i915/gvt/gtt.c:757:9: warning: incorrect type in assignment (different address spaces)
> drivers/gpu/drm/i915/gvt/gtt.c:757:9:    expected void **slot
> drivers/gpu/drm/i915/gvt/gtt.c:757:9:    got void [noderef] <asn:4> **
> 
> This would also have been loudly warning if run through CI for the
> invalid RCU dereferences.
> 
> Fixes: b6c126a39345 ("drm/i915/gvt: Manage shadow pages with radix tree")
> Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
> Cc: Changbin Du <changbin.du@intel.com>
> Cc: Zhenyu Wang <zhenyuw@linux.intel.com>
> Cc: Zhi Wang <zhi.a.wang@intel.com>
> ---
>  drivers/gpu/drm/i915/gvt/gtt.c | 12 +++++++++---
>  1 file changed, 9 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/gpu/drm/i915/gvt/gtt.c b/drivers/gpu/drm/i915/gvt/gtt.c
> index cf133ef03873..9814773882ec 100644
> --- a/drivers/gpu/drm/i915/gvt/gtt.c
> +++ b/drivers/gpu/drm/i915/gvt/gtt.c
> @@ -750,14 +750,20 @@ static void ppgtt_free_spt(struct intel_vgpu_ppgtt_spt *spt)
>  
>  static void ppgtt_free_all_spt(struct intel_vgpu *vgpu)
>  {
> -	struct intel_vgpu_ppgtt_spt *spt;
> +	struct intel_vgpu_ppgtt_spt *spt, *spn;
>  	struct radix_tree_iter iter;
> -	void **slot;
> +	LIST_HEAD(all_spt);
> +	void __rcu **slot;
>  
> +	rcu_read_lock();
>  	radix_tree_for_each_slot(slot, &vgpu->gtt.spt_tree, &iter, 0) {
>  		spt = radix_tree_deref_slot(slot);
> -		ppgtt_free_spt(spt);
> +		list_move(&spt->post_shadow_list, &all_spt);
>  	}
> +	rcu_read_unlock();
> +
> +	list_for_each_entry_safe(spt, spn, &all_spt, post_shadow_list)
> +		ppgtt_free_spt(spt);
>  }
>

As we ensure to flush post shadow list, so this is safe to reuse.

Reviewed-by: Zhenyu Wang <zhenyuw@linux.intel.com>

thanks!

>  static int ppgtt_handle_guest_write_page_table_bytes(
> -- 
> 2.20.1
> 

-- 
Open Source Technology Center, Intel ltd.

$gpg --keyserver wwwkeys.pgp.net --recv-keys 4D781827

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

[-- Attachment #2: Type: text/plain, Size: 159 bytes --]

_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx

✗ Fi.CI.SPARSE: warning for drm/i915/gvt: Prevent use-after-free in ppgtt_free_all_spt()

[Patchwork]

== Series Details ==

Series: drm/i915/gvt: Prevent use-after-free in ppgtt_free_all_spt()
URL   : https://patchwork.freedesktop.org/series/58985/
State : warning

== Summary ==

$ dim sparse origin/drm-tip
Sparse version: v0.5.2
Commit: drm/i915/gvt: Prevent use-after-free in ppgtt_free_all_spt()
-O:drivers/gpu/drm/i915/gvt/gtt.c:757:9:    expected void [noderef] <asn:4>**slot
-O:drivers/gpu/drm/i915/gvt/gtt.c:757:9:    expected void **slot
-O:drivers/gpu/drm/i915/gvt/gtt.c:757:9:    expected void **slot
-O:drivers/gpu/drm/i915/gvt/gtt.c:757:9:    expected void **slot
-O:drivers/gpu/drm/i915/gvt/gtt.c:757:9:    got void [noderef] <asn:4>**
-O:drivers/gpu/drm/i915/gvt/gtt.c:757:9:    got void [noderef] <asn:4>**
-O:drivers/gpu/drm/i915/gvt/gtt.c:757:9:    got void [noderef] <asn:4>**
-O:drivers/gpu/drm/i915/gvt/gtt.c:757:9:    got void **slot
-O:drivers/gpu/drm/i915/gvt/gtt.c:757:9: warning: incorrect type in argument 1 (different address spaces)
-O:drivers/gpu/drm/i915/gvt/gtt.c:757:9: warning: incorrect type in assignment (different address spaces)
-O:drivers/gpu/drm/i915/gvt/gtt.c:757:9: warning: incorrect type in assignment (different address spaces)
-O:drivers/gpu/drm/i915/gvt/gtt.c:757:9: warning: incorrect type in assignment (different address spaces)
-O:drivers/gpu/drm/i915/gvt/gtt.c:758:45:    expected void [noderef] <asn:4>**slot
-O:drivers/gpu/drm/i915/gvt/gtt.c:758:45:    got void **slot
-O:drivers/gpu/drm/i915/gvt/gtt.c:758:45: warning: incorrect type in argument 1 (different address spaces)

_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx

Re: [PATCH] drm/i915/gvt: Prevent use-after-free in ppgtt_free_all_spt()

[Chris Wilson]

Quoting Zhenyu Wang (2019-04-04 08:48:34)
> On 2019.04.04 08:30:56 +0100, Chris Wilson wrote:
> > ppgtt_free_all_spt() iterates the radixtree as it is deleting it,
> > forgoing all protection against the leaves being freed in the process
> > (leaving the iter pointing into the void).
> > 
> > A minimal fix seems to be to use the available post_shadow_list to
> > decompose the tree into a list prior to destroying the radixtree.
> > 
> > Alerted by the sparse warnings:
> > 
> > drivers/gpu/drm/i915/gvt/gtt.c:757:9: warning: incorrect type in assignment (different address spaces)
> > drivers/gpu/drm/i915/gvt/gtt.c:757:9:    expected void **slot
> > drivers/gpu/drm/i915/gvt/gtt.c:757:9:    got void [noderef] <asn:4> **
> > drivers/gpu/drm/i915/gvt/gtt.c:757:9: warning: incorrect type in assignment (different address spaces)
> > drivers/gpu/drm/i915/gvt/gtt.c:757:9:    expected void **slot
> > drivers/gpu/drm/i915/gvt/gtt.c:757:9:    got void [noderef] <asn:4> **
> > drivers/gpu/drm/i915/gvt/gtt.c:758:45: warning: incorrect type in argument 1 (different address spaces)
> > drivers/gpu/drm/i915/gvt/gtt.c:758:45:    expected void [noderef] <asn:4> **slot
> > drivers/gpu/drm/i915/gvt/gtt.c:758:45:    got void **slot
> > drivers/gpu/drm/i915/gvt/gtt.c:757:9: warning: incorrect type in argument 1 (different address spaces)
> > drivers/gpu/drm/i915/gvt/gtt.c:757:9:    expected void [noderef] <asn:4> **slot
> > drivers/gpu/drm/i915/gvt/gtt.c:757:9:    got void **slot
> > drivers/gpu/drm/i915/gvt/gtt.c:757:9: warning: incorrect type in assignment (different address spaces)
> > drivers/gpu/drm/i915/gvt/gtt.c:757:9:    expected void **slot
> > drivers/gpu/drm/i915/gvt/gtt.c:757:9:    got void [noderef] <asn:4> **
> > 
> > This would also have been loudly warning if run through CI for the
> > invalid RCU dereferences.
> > 
> > Fixes: b6c126a39345 ("drm/i915/gvt: Manage shadow pages with radix tree")
> > Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
> > Cc: Changbin Du <changbin.du@intel.com>
> > Cc: Zhenyu Wang <zhenyuw@linux.intel.com>
> > Cc: Zhi Wang <zhi.a.wang@intel.com>
> > ---
> >  drivers/gpu/drm/i915/gvt/gtt.c | 12 +++++++++---
> >  1 file changed, 9 insertions(+), 3 deletions(-)
> > 
> > diff --git a/drivers/gpu/drm/i915/gvt/gtt.c b/drivers/gpu/drm/i915/gvt/gtt.c
> > index cf133ef03873..9814773882ec 100644
> > --- a/drivers/gpu/drm/i915/gvt/gtt.c
> > +++ b/drivers/gpu/drm/i915/gvt/gtt.c
> > @@ -750,14 +750,20 @@ static void ppgtt_free_spt(struct intel_vgpu_ppgtt_spt *spt)
> >  
> >  static void ppgtt_free_all_spt(struct intel_vgpu *vgpu)
> >  {
> > -     struct intel_vgpu_ppgtt_spt *spt;
> > +     struct intel_vgpu_ppgtt_spt *spt, *spn;
> >       struct radix_tree_iter iter;
> > -     void **slot;
> > +     LIST_HEAD(all_spt);
> > +     void __rcu **slot;
> >  
> > +     rcu_read_lock();
> >       radix_tree_for_each_slot(slot, &vgpu->gtt.spt_tree, &iter, 0) {
> >               spt = radix_tree_deref_slot(slot);
> > -             ppgtt_free_spt(spt);
> > +             list_move(&spt->post_shadow_list, &all_spt);
> >       }
> > +     rcu_read_unlock();
> > +
> > +     list_for_each_entry_safe(spt, spn, &all_spt, post_shadow_list)
> > +             ppgtt_free_spt(spt);
> >  }
> >
> 
> As we ensure to flush post shadow list, so this is safe to reuse.

Phew! I looked, couldn't see that it would be used at this point, so
hoped for the best.
 
> Reviewed-by: Zhenyu Wang <zhenyuw@linux.intel.com>

Will you take both of these patches through your tree?
-Chris
_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx

✓ Fi.CI.BAT: success for drm/i915/gvt: Prevent use-after-free in ppgtt_free_all_spt()

[Patchwork]

== Series Details ==

Series: drm/i915/gvt: Prevent use-after-free in ppgtt_free_all_spt()
URL   : https://patchwork.freedesktop.org/series/58985/
State : success

== Summary ==

CI Bug Log - changes from CI_DRM_5869 -> Patchwork_12680
====================================================

Summary
-------

  **SUCCESS**

  No regressions found.

  External URL: https://patchwork.freedesktop.org/api/1.0/series/58985/revisions/1/mbox/

Known issues
------------

  Here are the changes found in Patchwork_12680 that come from known issues:

### IGT changes ###

#### Issues hit ####

  * igt@amdgpu/amd_basic@userptr:
    - fi-kbl-8809g:       PASS -> DMESG-WARN [fdo#108965]

  * igt@gem_exec_basic@gtt-bsd2:
    - fi-byt-clapper:     NOTRUN -> SKIP [fdo#109271] +57

  * igt@kms_busy@basic-flip-a:
    - fi-bsw-n3050:       NOTRUN -> SKIP [fdo#109271] / [fdo#109278] +1

  * igt@kms_busy@basic-flip-c:
    - fi-byt-clapper:     NOTRUN -> SKIP [fdo#109271] / [fdo#109278]

  * igt@kms_chamelium@hdmi-crc-fast:
    - fi-bsw-n3050:       NOTRUN -> SKIP [fdo#109271] +62

  * igt@kms_frontbuffer_tracking@basic:
    - fi-byt-clapper:     NOTRUN -> FAIL [fdo#103167]

  * igt@kms_pipe_crc_basic@suspend-read-crc-pipe-a:
    - fi-byt-clapper:     NOTRUN -> FAIL [fdo#103191] / [fdo#107362] +3

  * igt@runner@aborted:
    - fi-bxt-dsi:         NOTRUN -> FAIL [fdo#109516]

  
#### Possible fixes ####

  * igt@i915_selftest@live_execlists:
    - fi-apl-guc:         INCOMPLETE [fdo#103927] / [fdo#109720] -> PASS

  * igt@prime_vgem@basic-fence-flip:
    - fi-ilk-650:         FAIL [fdo#104008] -> PASS

  
  [fdo#103167]: https://bugs.freedesktop.org/show_bug.cgi?id=103167
  [fdo#103191]: https://bugs.freedesktop.org/show_bug.cgi?id=103191
  [fdo#103927]: https://bugs.freedesktop.org/show_bug.cgi?id=103927
  [fdo#104008]: https://bugs.freedesktop.org/show_bug.cgi?id=104008
  [fdo#107362]: https://bugs.freedesktop.org/show_bug.cgi?id=107362
  [fdo#108965]: https://bugs.freedesktop.org/show_bug.cgi?id=108965
  [fdo#109271]: https://bugs.freedesktop.org/show_bug.cgi?id=109271
  [fdo#109278]: https://bugs.freedesktop.org/show_bug.cgi?id=109278
  [fdo#109516]: https://bugs.freedesktop.org/show_bug.cgi?id=109516
  [fdo#109720]: https://bugs.freedesktop.org/show_bug.cgi?id=109720


Participating hosts (47 -> 41)
------------------------------

  Additional (3): fi-bxt-dsi fi-byt-clapper fi-bsw-n3050 
  Missing    (9): fi-ilk-m540 fi-bdw-samus fi-hsw-4200u fi-byt-squawks fi-bsw-cyan fi-ctg-p8600 fi-icl-y fi-blb-e6850 fi-skl-6600u 


Build changes
-------------

    * Linux: CI_DRM_5869 -> Patchwork_12680

  CI_DRM_5869: 03f8f3298b90c7f80da6a98c3eb8413d7aeaa52b @ git://anongit.freedesktop.org/gfx-ci/linux
  IGT_4926: c9a9cf357b6b2a304623790bf8dae797e12888a8 @ git://anongit.freedesktop.org/xorg/app/intel-gpu-tools
  Patchwork_12680: 104723ada2173f759a30427d2f8e14991637962a @ git://anongit.freedesktop.org/gfx-ci/linux


== Linux commits ==

104723ada217 drm/i915/gvt: Prevent use-after-free in ppgtt_free_all_spt()

== Logs ==

For more details see: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_12680/
_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx

✓ Fi.CI.IGT: success for drm/i915/gvt: Prevent use-after-free in ppgtt_free_all_spt()

[Patchwork]

== Series Details ==

Series: drm/i915/gvt: Prevent use-after-free in ppgtt_free_all_spt()
URL   : https://patchwork.freedesktop.org/series/58985/
State : success

== Summary ==

CI Bug Log - changes from CI_DRM_5869_full -> Patchwork_12680_full
====================================================

Summary
-------

  **SUCCESS**

  No regressions found.

  

Known issues
------------

  Here are the changes found in Patchwork_12680_full that come from known issues:

### IGT changes ###

#### Issues hit ####

  * igt@gem_create@create-clear:
    - shard-snb:          NOTRUN -> INCOMPLETE [fdo#105411]

  * igt@gem_exec_schedule@preempt-other-chain-blt:
    - shard-snb:          NOTRUN -> SKIP [fdo#109271] +112

  * igt@gem_mmap_gtt@hang:
    - shard-iclb:         PASS -> FAIL [fdo#109677]

  * igt@gem_tiled_blits@normal:
    - shard-iclb:         PASS -> TIMEOUT [fdo#109673]

  * igt@gem_tiled_swapping@non-threaded:
    - shard-iclb:         PASS -> INCOMPLETE [fdo#108686]

  * igt@kms_atomic_transition@1x-modeset-transitions-nonblocking-fencing:
    - shard-apl:          PASS -> FAIL [fdo#109660]

  * igt@kms_atomic_transition@5x-modeset-transitions:
    - shard-skl:          NOTRUN -> SKIP [fdo#109271] / [fdo#109278] +5

  * igt@kms_busy@extended-modeset-hang-newfb-render-a:
    - shard-kbl:          PASS -> DMESG-WARN [fdo#110222]

  * igt@kms_busy@extended-modeset-hang-newfb-render-f:
    - shard-snb:          NOTRUN -> SKIP [fdo#109271] / [fdo#109278] +12

  * igt@kms_busy@extended-modeset-hang-newfb-with-reset-render-a:
    - shard-snb:          NOTRUN -> DMESG-WARN [fdo#110222]
    - shard-skl:          NOTRUN -> DMESG-WARN [fdo#110222]

  * igt@kms_content_protection@legacy:
    - shard-kbl:          NOTRUN -> FAIL [fdo#108739] / [fdo#110321]

  * igt@kms_flip@2x-flip-vs-wf_vblank-interruptible:
    - shard-skl:          NOTRUN -> SKIP [fdo#109271] +49

  * igt@kms_frontbuffer_tracking@fbcpsr-rgb101010-draw-mmap-cpu:
    - shard-iclb:         PASS -> FAIL [fdo#105682] / [fdo#109247]

  * igt@kms_frontbuffer_tracking@psr-1p-primscrn-cur-indfb-draw-pwrite:
    - shard-iclb:         PASS -> FAIL [fdo#109247] +8

  * igt@kms_frontbuffer_tracking@psr-2p-pri-indfb-multidraw:
    - shard-apl:          NOTRUN -> SKIP [fdo#109271] +10

  * igt@kms_frontbuffer_tracking@psr-2p-primscrn-shrfb-pgflip-blt:
    - shard-kbl:          NOTRUN -> SKIP [fdo#109271] +8

  * igt@kms_lease@lease_again:
    - shard-snb:          PASS -> SKIP [fdo#109271]

  * igt@kms_pipe_crc_basic@read-crc-pipe-d:
    - shard-kbl:          NOTRUN -> SKIP [fdo#109271] / [fdo#109278]

  * igt@kms_plane_alpha_blend@pipe-a-alpha-opaque-fb:
    - shard-skl:          NOTRUN -> FAIL [fdo#108145]

  * igt@kms_plane_alpha_blend@pipe-b-coverage-7efc:
    - shard-skl:          PASS -> FAIL [fdo#107815]

  * igt@kms_plane_scaling@pipe-c-scaler-with-rotation:
    - shard-glk:          PASS -> SKIP [fdo#109271] / [fdo#109278]

  * igt@kms_psr@cursor_mmap_cpu:
    - shard-iclb:         PASS -> FAIL [fdo#107383] / [fdo#110215]

  * igt@kms_psr@psr2_cursor_render:
    - shard-iclb:         PASS -> SKIP [fdo#109441] +4

  * igt@kms_rotation_crc@multiplane-rotation:
    - shard-kbl:          PASS -> DMESG-FAIL [fdo#105763]

  * igt@kms_setmode@basic:
    - shard-skl:          NOTRUN -> FAIL [fdo#99912]

  * igt@kms_vblank@pipe-c-ts-continuation-dpms-suspend:
    - shard-apl:          PASS -> FAIL [fdo#104894]

  * igt@perf@blocking:
    - shard-iclb:         PASS -> FAIL [fdo#108587]

  
#### Possible fixes ####

  * igt@gem_eio@in-flight-suspend:
    - shard-kbl:          INCOMPLETE [fdo#103665] -> PASS

  * igt@i915_selftest@live_workarounds:
    - shard-iclb:         DMESG-FAIL [fdo#108954] -> PASS

  * igt@kms_busy@extended-modeset-hang-newfb-render-c:
    - shard-iclb:         DMESG-WARN [fdo#110222] -> PASS

  * igt@kms_cursor_crc@cursor-256x256-onscreen:
    - shard-iclb:         FAIL [fdo#103232] -> PASS

  * igt@kms_cursor_crc@cursor-64x64-suspend:
    - shard-skl:          INCOMPLETE [fdo#104108] -> PASS

  * igt@kms_cursor_legacy@cursor-vs-flip-toggle:
    - shard-iclb:         FAIL [fdo#103355] -> PASS

  * igt@kms_flip@dpms-vs-vblank-race:
    - shard-glk:          FAIL [fdo#103060] -> PASS

  * igt@kms_flip@plain-flip-ts-check-interruptible:
    - shard-skl:          FAIL [fdo#100368] -> PASS

  * igt@kms_frontbuffer_tracking@fbc-1p-pri-indfb-multidraw:
    - shard-iclb:         FAIL [fdo#103167] -> PASS

  * igt@kms_frontbuffer_tracking@fbcpsr-1p-primscrn-pri-indfb-draw-blt:
    - shard-iclb:         FAIL [fdo#109247] -> PASS +11

  * igt@kms_frontbuffer_tracking@fbcpsr-rgb101010-draw-blt:
    - shard-iclb:         FAIL [fdo#105682] / [fdo#109247] -> PASS +1

  * igt@kms_plane@pixel-format-pipe-c-planes:
    - shard-glk:          SKIP [fdo#109271] -> PASS +1

  * igt@kms_plane_scaling@pipe-b-scaler-with-rotation:
    - shard-glk:          SKIP [fdo#109271] / [fdo#109278] -> PASS

  * igt@kms_psr2_su@page_flip:
    - shard-iclb:         SKIP [fdo#109642] -> PASS

  * igt@kms_psr@cursor_blt:
    - shard-iclb:         FAIL [fdo#107383] / [fdo#110215] -> PASS +1

  * igt@kms_psr@psr2_sprite_plane_move:
    - shard-iclb:         SKIP [fdo#109441] -> PASS +1

  * igt@kms_vblank@pipe-c-ts-continuation-modeset-hang:
    - shard-apl:          FAIL [fdo#104894] -> PASS

  * igt@kms_vblank@pipe-c-ts-continuation-suspend:
    - shard-iclb:         FAIL [fdo#104894] -> PASS

  
#### Warnings ####

  * igt@i915_pm_rpm@dpms-non-lpsp:
    - shard-skl:          SKIP [fdo#109271] -> INCOMPLETE [fdo#107807]

  * igt@kms_busy@extended-pageflip-modeset-hang-oldfb-render-b:
    - shard-snb:          DMESG-WARN [fdo#110222] -> SKIP [fdo#109271] / [fdo#109278]

  
  [fdo#100368]: https://bugs.freedesktop.org/show_bug.cgi?id=100368
  [fdo#103060]: https://bugs.freedesktop.org/show_bug.cgi?id=103060
  [fdo#103167]: https://bugs.freedesktop.org/show_bug.cgi?id=103167
  [fdo#103232]: https://bugs.freedesktop.org/show_bug.cgi?id=103232
  [fdo#103355]: https://bugs.freedesktop.org/show_bug.cgi?id=103355
  [fdo#103665]: https://bugs.freedesktop.org/show_bug.cgi?id=103665
  [fdo#104108]: https://bugs.freedesktop.org/show_bug.cgi?id=104108
  [fdo#104894]: https://bugs.freedesktop.org/show_bug.cgi?id=104894
  [fdo#105411]: https://bugs.freedesktop.org/show_bug.cgi?id=105411
  [fdo#105682]: https://bugs.freedesktop.org/show_bug.cgi?id=105682
  [fdo#105763]: https://bugs.freedesktop.org/show_bug.cgi?id=105763
  [fdo#107383]: https://bugs.freedesktop.org/show_bug.cgi?id=107383
  [fdo#107807]: https://bugs.freedesktop.org/show_bug.cgi?id=107807
  [fdo#107815]: https://bugs.freedesktop.org/show_bug.cgi?id=107815
  [fdo#108145]: https://bugs.freedesktop.org/show_bug.cgi?id=108145
  [fdo#108587]: https://bugs.freedesktop.org/show_bug.cgi?id=108587
  [fdo#108686]: https://bugs.freedesktop.org/show_bug.cgi?id=108686
  [fdo#108739]: https://bugs.freedesktop.org/show_bug.cgi?id=108739
  [fdo#108954]: https://bugs.freedesktop.org/show_bug.cgi?id=108954
  [fdo#109247]: https://bugs.freedesktop.org/show_bug.cgi?id=109247
  [fdo#109271]: https://bugs.freedesktop.org/show_bug.cgi?id=109271
  [fdo#109278]: https://bugs.freedesktop.org/show_bug.cgi?id=109278
  [fdo#109441]: https://bugs.freedesktop.org/show_bug.cgi?id=109441
  [fdo#109642]: https://bugs.freedesktop.org/show_bug.cgi?id=109642
  [fdo#109660]: https://bugs.freedesktop.org/show_bug.cgi?id=109660
  [fdo#109673]: https://bugs.freedesktop.org/show_bug.cgi?id=109673
  [fdo#109677]: https://bugs.freedesktop.org/show_bug.cgi?id=109677
  [fdo#110215]: https://bugs.freedesktop.org/show_bug.cgi?id=110215
  [fdo#110222]: https://bugs.freedesktop.org/show_bug.cgi?id=110222
  [fdo#110321]: https://bugs.freedesktop.org/show_bug.cgi?id=110321
  [fdo#99912]: https://bugs.freedesktop.org/show_bug.cgi?id=99912


Participating hosts (10 -> 9)
------------------------------

  Missing    (1): shard-hsw 


Build changes
-------------

    * Linux: CI_DRM_5869 -> Patchwork_12680

  CI_DRM_5869: 03f8f3298b90c7f80da6a98c3eb8413d7aeaa52b @ git://anongit.freedesktop.org/gfx-ci/linux
  IGT_4926: c9a9cf357b6b2a304623790bf8dae797e12888a8 @ git://anongit.freedesktop.org/xorg/app/intel-gpu-tools
  Patchwork_12680: 104723ada2173f759a30427d2f8e14991637962a @ git://anongit.freedesktop.org/gfx-ci/linux
  piglit_4509: fdc5a4ca11124ab8413c7988896eec4c97336694 @ git://anongit.freedesktop.org/piglit

== Logs ==

For more details see: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_12680/
_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx

Re: [PATCH] drm/i915/gvt: Prevent use-after-free in ppgtt_free_all_spt()

[Zhenyu Wang]

[-- Attachment #1.1: Type: text/plain, Size: 3915 bytes --]

On 2019.04.04 09:11:55 +0100, Chris Wilson wrote:
> Quoting Zhenyu Wang (2019-04-04 08:48:34)
> > On 2019.04.04 08:30:56 +0100, Chris Wilson wrote:
> > > ppgtt_free_all_spt() iterates the radixtree as it is deleting it,
> > > forgoing all protection against the leaves being freed in the process
> > > (leaving the iter pointing into the void).
> > > 
> > > A minimal fix seems to be to use the available post_shadow_list to
> > > decompose the tree into a list prior to destroying the radixtree.
> > > 
> > > Alerted by the sparse warnings:
> > > 
> > > drivers/gpu/drm/i915/gvt/gtt.c:757:9: warning: incorrect type in assignment (different address spaces)
> > > drivers/gpu/drm/i915/gvt/gtt.c:757:9:    expected void **slot
> > > drivers/gpu/drm/i915/gvt/gtt.c:757:9:    got void [noderef] <asn:4> **
> > > drivers/gpu/drm/i915/gvt/gtt.c:757:9: warning: incorrect type in assignment (different address spaces)
> > > drivers/gpu/drm/i915/gvt/gtt.c:757:9:    expected void **slot
> > > drivers/gpu/drm/i915/gvt/gtt.c:757:9:    got void [noderef] <asn:4> **
> > > drivers/gpu/drm/i915/gvt/gtt.c:758:45: warning: incorrect type in argument 1 (different address spaces)
> > > drivers/gpu/drm/i915/gvt/gtt.c:758:45:    expected void [noderef] <asn:4> **slot
> > > drivers/gpu/drm/i915/gvt/gtt.c:758:45:    got void **slot
> > > drivers/gpu/drm/i915/gvt/gtt.c:757:9: warning: incorrect type in argument 1 (different address spaces)
> > > drivers/gpu/drm/i915/gvt/gtt.c:757:9:    expected void [noderef] <asn:4> **slot
> > > drivers/gpu/drm/i915/gvt/gtt.c:757:9:    got void **slot
> > > drivers/gpu/drm/i915/gvt/gtt.c:757:9: warning: incorrect type in assignment (different address spaces)
> > > drivers/gpu/drm/i915/gvt/gtt.c:757:9:    expected void **slot
> > > drivers/gpu/drm/i915/gvt/gtt.c:757:9:    got void [noderef] <asn:4> **
> > > 
> > > This would also have been loudly warning if run through CI for the
> > > invalid RCU dereferences.
> > > 
> > > Fixes: b6c126a39345 ("drm/i915/gvt: Manage shadow pages with radix tree")
> > > Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
> > > Cc: Changbin Du <changbin.du@intel.com>
> > > Cc: Zhenyu Wang <zhenyuw@linux.intel.com>
> > > Cc: Zhi Wang <zhi.a.wang@intel.com>
> > > ---
> > >  drivers/gpu/drm/i915/gvt/gtt.c | 12 +++++++++---
> > >  1 file changed, 9 insertions(+), 3 deletions(-)
> > > 
> > > diff --git a/drivers/gpu/drm/i915/gvt/gtt.c b/drivers/gpu/drm/i915/gvt/gtt.c
> > > index cf133ef03873..9814773882ec 100644
> > > --- a/drivers/gpu/drm/i915/gvt/gtt.c
> > > +++ b/drivers/gpu/drm/i915/gvt/gtt.c
> > > @@ -750,14 +750,20 @@ static void ppgtt_free_spt(struct intel_vgpu_ppgtt_spt *spt)
> > >  
> > >  static void ppgtt_free_all_spt(struct intel_vgpu *vgpu)
> > >  {
> > > -     struct intel_vgpu_ppgtt_spt *spt;
> > > +     struct intel_vgpu_ppgtt_spt *spt, *spn;
> > >       struct radix_tree_iter iter;
> > > -     void **slot;
> > > +     LIST_HEAD(all_spt);
> > > +     void __rcu **slot;
> > >  
> > > +     rcu_read_lock();
> > >       radix_tree_for_each_slot(slot, &vgpu->gtt.spt_tree, &iter, 0) {
> > >               spt = radix_tree_deref_slot(slot);
> > > -             ppgtt_free_spt(spt);
> > > +             list_move(&spt->post_shadow_list, &all_spt);
> > >       }
> > > +     rcu_read_unlock();
> > > +
> > > +     list_for_each_entry_safe(spt, spn, &all_spt, post_shadow_list)
> > > +             ppgtt_free_spt(spt);
> > >  }
> > >
> > 
> > As we ensure to flush post shadow list, so this is safe to reuse.
> 
> Phew! I looked, couldn't see that it would be used at this point, so
> hoped for the best.
>  
> > Reviewed-by: Zhenyu Wang <zhenyuw@linux.intel.com>
> 
> Will you take both of these patches through your tree?

Yes.

Thanks!

-- 
Open Source Technology Center, Intel ltd.

$gpg --keyserver wwwkeys.pgp.net --recv-keys 4D781827

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

[-- Attachment #2: Type: text/plain, Size: 159 bytes --]

_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx