From: Zhenyu Wang <zhenyuw@linux.intel.com>
To: Chris Wilson <chris@chris-wilson.co.uk>
Cc: intel-gfx@lists.freedesktop.org, intel-gvt-dev@lists.freedesktop.org
Subject: Re: [PATCH] drm/i915/gvt: Prevent use-after-free in ppgtt_free_all_spt()
Date: Mon, 8 Apr 2019 10:27:09 +0800	[thread overview]
Message-ID: <20190408022709.GT2322@zhen-hp.sh.intel.com> (raw)
In-Reply-To: <155436551568.7532.6039435513500149424@skylake-alporthouse-com>



On 2019.04.04 09:11:55 +0100, Chris Wilson wrote:
> Quoting Zhenyu Wang (2019-04-04 08:48:34)
> > On 2019.04.04 08:30:56 +0100, Chris Wilson wrote:
> > > ppgtt_free_all_spt() iterates the radixtree as it is deleting it,
> > > forgoing all protection against the leaves being freed in the process
> > > (leaving the iter pointing into the void).
> > > 
> > > A minimal fix seems to be to use the available post_shadow_list to
> > > decompose the tree into a list prior to destroying the radixtree.
> > > 
> > > Alerted by the sparse warnings:
> > > 
> > > drivers/gpu/drm/i915/gvt/gtt.c:757:9: warning: incorrect type in assignment (different address spaces)
> > > drivers/gpu/drm/i915/gvt/gtt.c:757:9:    expected void **slot
> > > drivers/gpu/drm/i915/gvt/gtt.c:757:9:    got void [noderef] <asn:4> **
> > > drivers/gpu/drm/i915/gvt/gtt.c:757:9: warning: incorrect type in assignment (different address spaces)
> > > drivers/gpu/drm/i915/gvt/gtt.c:757:9:    expected void **slot
> > > drivers/gpu/drm/i915/gvt/gtt.c:757:9:    got void [noderef] <asn:4> **
> > > drivers/gpu/drm/i915/gvt/gtt.c:758:45: warning: incorrect type in argument 1 (different address spaces)
> > > drivers/gpu/drm/i915/gvt/gtt.c:758:45:    expected void [noderef] <asn:4> **slot
> > > drivers/gpu/drm/i915/gvt/gtt.c:758:45:    got void **slot
> > > drivers/gpu/drm/i915/gvt/gtt.c:757:9: warning: incorrect type in argument 1 (different address spaces)
> > > drivers/gpu/drm/i915/gvt/gtt.c:757:9:    expected void [noderef] <asn:4> **slot
> > > drivers/gpu/drm/i915/gvt/gtt.c:757:9:    got void **slot
> > > drivers/gpu/drm/i915/gvt/gtt.c:757:9: warning: incorrect type in assignment (different address spaces)
> > > drivers/gpu/drm/i915/gvt/gtt.c:757:9:    expected void **slot
> > > drivers/gpu/drm/i915/gvt/gtt.c:757:9:    got void [noderef] <asn:4> **
> > > 
> > > This would also have been loudly warning if run through CI for the
> > > invalid RCU dereferences.
> > > 
> > > Fixes: b6c126a39345 ("drm/i915/gvt: Manage shadow pages with radix tree")
> > > Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
> > > Cc: Changbin Du <changbin.du@intel.com>
> > > Cc: Zhenyu Wang <zhenyuw@linux.intel.com>
> > > Cc: Zhi Wang <zhi.a.wang@intel.com>
> > > ---
> > >  drivers/gpu/drm/i915/gvt/gtt.c | 12 +++++++++---
> > >  1 file changed, 9 insertions(+), 3 deletions(-)
> > > 
> > > diff --git a/drivers/gpu/drm/i915/gvt/gtt.c b/drivers/gpu/drm/i915/gvt/gtt.c
> > > index cf133ef03873..9814773882ec 100644
> > > --- a/drivers/gpu/drm/i915/gvt/gtt.c
> > > +++ b/drivers/gpu/drm/i915/gvt/gtt.c
> > > @@ -750,14 +750,20 @@ static void ppgtt_free_spt(struct intel_vgpu_ppgtt_spt *spt)
> > >  
> > >  static void ppgtt_free_all_spt(struct intel_vgpu *vgpu)
> > >  {
> > > -     struct intel_vgpu_ppgtt_spt *spt;
> > > +     struct intel_vgpu_ppgtt_spt *spt, *spn;
> > >       struct radix_tree_iter iter;
> > > -     void **slot;
> > > +     LIST_HEAD(all_spt);
> > > +     void __rcu **slot;
> > >  
> > > +     rcu_read_lock();
> > >       radix_tree_for_each_slot(slot, &vgpu->gtt.spt_tree, &iter, 0) {
> > >               spt = radix_tree_deref_slot(slot);
> > > -             ppgtt_free_spt(spt);
> > > +             list_move(&spt->post_shadow_list, &all_spt);
> > >       }
> > > +     rcu_read_unlock();
> > > +
> > > +     list_for_each_entry_safe(spt, spn, &all_spt, post_shadow_list)
> > > +             ppgtt_free_spt(spt);
> > >  }
> > >
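Review bot: the `list_move(&spt->post_shadow_list, &all_spt)` line silently repurposes `post_shadow_list` as the collection list, and nothing in the hunk records the precondition that every spt's post-shadow work has already been flushed by the time this teardown runs; a one-line comment above the loop stating that precondition (and a cheap check such as a `WARN_ON` on the list state, if one exists) would keep a future caller from reaching `ppgtt_free_all_spt()` with pending entries and corrupting the list. Separately, `spt = radix_tree_deref_slot(slot)` is used directly after `rcu_read_lock()` with no check for a NULL or retry entry (`radix_tree_deref_retry()`), which the pre-patch code also omitted; if the tree is guaranteed to have no concurrent modifiers here, a comment saying so would make clear that the `rcu_read_lock()`/`__rcu` changes satisfy sparse rather than provide the protection, and that the real fix is the two-phase collect-then-free walk.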
> > 
> > As we ensure the post shadow list is flushed, this is safe to reuse.
> 
> Phew! I looked, couldn't see that it would be used at this point, so
> hoped for the best.
>  
> > Reviewed-by: Zhenyu Wang <zhenyuw@linux.intel.com>
> 
> Will you take both of these patches through your tree?

Yes.

Thanks!

-- 
Open Source Technology Center, Intel ltd.

$gpg --keyserver wwwkeys.pgp.net --recv-keys 4D781827
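An added illustration of the iterator hazard the commit message describes, in a constructed userland model rather than the kernel's or the patch's own code: a chain of nodes in which deleting a page releases the node the iterator is resting on, with the pre-patch free-while-walking shape beside the patched collect-then-free shape. The `struct node`, `free_spt`, `run` and flag-based release are assumptions of the model.

```c
#include <stddef.h>
/* Constructed model of the ppgtt_free_all_spt() bug, not kernel code: a chain of
 * nodes each owning one shadow page (spt); deleting a page releases its node (as a
 * radix tree frees an emptied node). Releases only set a flag so reads are counted. */
struct list_head { struct list_head *prev, *next; };
struct node;
struct spt { struct list_head post_shadow_list; struct node *owner; };
struct node { struct spt *leaf; struct node *next; int freed; };
struct tree { struct node *head; };
#define container_of(p, T, m) ((T *)((char *)(p) - offsetof(T, m)))
static int dangling_reads; /* iterator steps taken through a released node */
static void list_add_tail(struct list_head *e, struct list_head *h)
{ e->prev = h->prev; e->next = h; h->prev->next = e; h->prev = e; }
/* Stand-in for ppgtt_free_spt(): unlink the page, releasing the node holding it. */
static void free_spt(struct tree *t, struct spt *s)
{
	struct node **pp = &t->head;
	while (*pp != s->owner) pp = &(*pp)->next;
	*pp = s->owner->next;
	s->owner->freed = 1;
}
static struct node *next_node(struct node *n)
{ if (n->freed) dangling_reads++; return n->next; }
/* Pre-patch shape: free the leaf while the iterator still rests on its node. */
static void free_all_unsafe(struct tree *t)
{
	for (struct node *n = t->head; n; n = next_node(n))
		free_spt(t, n->leaf);
}
/* Patched shape: collect every page on a list, then free from the list with a
 * _safe-style walk that reads the next entry before freeing the current one. */
static void free_all_safe(struct tree *t)
{
	struct list_head all = { &all, &all }, *p, *q;
	for (struct node *n = t->head; n; n = next_node(n))
		list_add_tail(&n->leaf->post_shadow_list, &all);
	for (p = all.next; p != &all; p = q) {
		q = p->next;
		free_spt(t, container_of(p, struct spt, post_shadow_list));
	}
}
/* Build a three-page tree, run one variant, return dangling reads (-1 if pages remain). */
static int run(int unsafe)
{
	struct node nodes[3]; struct spt leaves[3]; struct tree t = { &nodes[0] };
	for (int i = 0; i < 3; i++) {
		nodes[i].leaf = &leaves[i]; nodes[i].freed = 0; leaves[i].owner = &nodes[i];
		nodes[i].next = i < 2 ? &nodes[i + 1] : NULL;
	}
	dangling_reads = 0;
	if (unsafe) free_all_unsafe(&t); else free_all_safe(&t);
	return t.head ? -1 : dangling_reads;
}
```

With real memory the unsafe walk's `n->next` read after `free_spt()` is the use-after-free; here it only bumps the counter, which is why `run(1)` reports one dangling read per page and `run(0)` reports none.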
