* [PATCH] tests/amdgpu: add fuzzing tests
@ 2024-03-16  2:36 vitaly.prosyak
  2024-03-16  3:16 ` ✓ CI.xeBAT: success for " Patchwork
                   ` (2 more replies)
  0 siblings, 3 replies; 8+ messages in thread
From: vitaly.prosyak @ 2024-03-16  2:36 UTC (permalink / raw)
  To: igt-dev
  Cc: Vitaly Prosyak, Alex Deucher, Christian Koenig, Joonkyo Jung,
	Jesse Zhang

From: Vitaly Prosyak <vitaly.prosyak@amd.com>

Joonkyo Jung was using a customized Syzkaller with KASAN
enabled to find bugs in amdgpu and the drm scheduler.
These new tests help to keep the job state machine
of the drm scheduler and amdgpu in the correct state, to
ensure that a wrong call sequence or invalid parameters
do not cause a kernel crash.

The sub-test 'user ptr fuzzing' sends
DRM_IOCTL_AMDGPU_GEM_USERPTR the invalid address and
2 GB allocation size.
The sub-test 'cs fuzzing' sends DRM_IOCTL_AMDGPU_WAIT_CS
for several IP types without previously submitted jobs.

Cc: Alex Deucher <alexander.deucher@amd.com>
Cc: Christian Koenig <christian.koenig@amd.com>
Cc: Joonkyo Jung <joonkyoj@yonsei.ac.kr>
Cc: Jesse Zhang <Jesse.Zhang@amd.com>
Signed-off-by: Vitaly Prosyak <vitaly.prosyak@amd.com>
---
 tests/amdgpu/amd_fuzzing.c | 99 ++++++++++++++++++++++++++++++++++++++
 tests/amdgpu/meson.build   |  1 +
 2 files changed, 100 insertions(+)
 create mode 100644 tests/amdgpu/amd_fuzzing.c

diff --git a/tests/amdgpu/amd_fuzzing.c b/tests/amdgpu/amd_fuzzing.c
new file mode 100644
index 000000000..11a85f46c
--- /dev/null
+++ b/tests/amdgpu/amd_fuzzing.c
@@ -0,0 +1,99 @@
+// SPDX-License-Identifier: MIT
+/*
+ * Copyright 2024 Advanced Micro Devices, Inc.
+ */
+
+#include "lib/amdgpu/amd_memory.h"
+#include "lib/amdgpu/amd_gfx.h"
+
+/*
+ * The bug was found using customized Syzkaller and with Kazan enabled.
+ * It can be triggered by sending a single amdgpu_gem_userptr_ioctl
+ * to the AMDGPU DRM driver on any ASICs with an invalid address and size.
+ * The bug was reported by Joonkyo Jung <joonkyoj@yonsei.ac.kr>.
+ * The following test ensures that the found bug is no longer reproducible.
+ */
+static
+void amd_gem_userptr_fuzzing(int fd)
+{
+	/*
+	 * use-after-free bug in the AMDGPU DRM driver
+	 * fix in amdgpu commit 6dbd33a9c8747dbf1d149484509ad667cbdb3059
+	 * The error dump is available in dmesg only when KAZAN is enabled
+	 */
+
+	struct drm_amdgpu_gem_userptr user_ptr;
+	int r;
+
+	user_ptr.addr = 0xffffffffffff0000;
+	user_ptr.size = 0x80000000; /*2 Gb*/
+	user_ptr.flags = 0x7;
+	r = drmIoctl(fd, DRM_IOCTL_AMDGPU_GEM_USERPTR, &user_ptr);
+	igt_info("%s DRM_IOCTL_AMDGPU_GEM_USERPTR ret %d", __func__, r);
+	igt_assert_neq(r, 0);
+}
+
+/*
+ *  The bug was found using customized Syzkaller and with Kazan enabled.
+ *  The bug can be triggered by sending an amdgpu_cs_wait_ioctl for ip types:
+ *  AMD_IP_VCE, AMD_IP_VCN_ENC, AMD_IP_VCN_JPEG, AMD_IP_VPE
+ *  to the AMDGPU DRM driver on any ASICs with valid context.
+ *  The bug was reported by Joonkyo Jung <joonkyoj@yonsei.ac.kr>.
+ *
+ */
+static
+void amd_cs_wait_fuzzing(int fd, const enum amd_ip_block_type types[], int size)
+{
+	/*
+	 * null-ptr-deref and the fix in the DRM scheduler
+	 * The test helps keep the job state machine of the drm scheduler and
+	 * amdgpu in the correct state to ensure that the wrong call sequence does
+	 * not cause a crash.
+	 */
+
+	union drm_amdgpu_ctx ctx;
+	union drm_amdgpu_wait_cs cs_wait;
+	int r, i;
+
+	memset(&ctx, 0, sizeof(union drm_amdgpu_ctx));
+	ctx.in.op = AMDGPU_CTX_OP_ALLOC_CTX;
+	r = drmIoctl(fd, DRM_IOCTL_AMDGPU_CTX, &ctx);
+	igt_info("%s DRM_IOCTL_AMDGPU_CTX ret %d", __func__, r);
+
+	for (i = 0; i < size; i++) {
+		memset(&cs_wait, 0, sizeof(union drm_amdgpu_wait_cs));
+		cs_wait.in.handle = 0x0;
+		cs_wait.in.timeout = 0x2000000000000;
+		cs_wait.in.ip_type = types[i];
+		cs_wait.in.ip_instance = 0x0;
+		cs_wait.in.ring = 0x0;
+		cs_wait.in.ctx_id = ctx.out.alloc.ctx_id;
+		r = drmIoctl(fd, DRM_IOCTL_AMDGPU_WAIT_CS, &cs_wait);
+		igt_info("$s AMDGPU_WAIT_CS ret %d", __func__, r);
+		igt_assert_eq(r, 0);
+	}
+}
+
+igt_main
+{
+	int fd = -1;
+	const enum amd_ip_block_type arr_types[] = {
+			AMD_IP_VCE, AMD_IP_VCN_ENC, AMD_IP_VCN_JPEG, AMD_IP_VPE };
+
+	igt_fixture {
+		fd = drm_open_driver(DRIVER_AMDGPU);
+		igt_require(fd != -1);
+	}
+
+	igt_describe("Check user ptr fuzzing with huge size and not valid address");
+	igt_subtest("userptr-fuzzing")
+		amd_gem_userptr_fuzzing(fd);
+
+	igt_describe("Check cs wait fuzzing");
+	igt_subtest("cs-wait-fuzzing")
+		amd_cs_wait_fuzzing(fd, arr_types, ARRAY_SIZE(arr_types));
+
+	igt_fixture {
+		drm_close_driver(fd);
+	}
+}
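Review bot: In `amd_cs_wait_fuzzing` the log line `igt_info("$s AMDGPU_WAIT_CS ret %d", __func__, r);` has `$s` where `%s` was meant, so the only conversion, `%d`, is handed `__func__` (a string pointer) and `r` is never printed; it should read `igt_info("%s AMDGPU_WAIT_CS ret %d", __func__, r);`. The `DRM_IOCTL_AMDGPU_CTX` return value in the same function is only logged, so if context allocation fails the loop still issues waits with whatever `ctx.out.alloc.ctx_id` holds; an `igt_assert_eq(r, 0);` right after that call would keep the test on the path it is meant to exercise. In `amd_gem_userptr_fuzzing`, `user_ptr` is passed to the ioctl without the `memset` the other two structs get, which leaves `handle` as uninitialised stack data; `struct drm_amdgpu_gem_userptr user_ptr = {0};` would fix that. That function asserts only `r != 0`, so a pass on a kernel built without KASAN does not by itself show the use-after-free is gone; a comment such as `/* a pass is only meaningful with KASAN enabled and a clean dmesg */` would make that explicit.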
diff --git a/tests/amdgpu/meson.build b/tests/amdgpu/meson.build
index a58d18ad3..ce3ba5520 100644
--- a/tests/amdgpu/meson.build
+++ b/tests/amdgpu/meson.build
@@ -12,6 +12,7 @@ if libdrm_amdgpu.found()
 			  'amd_cs_nop',
 			  'amd_deadlock',
 			  'amd_dp_dsc',
+			  'amd_fuzzing',
 			  'amd_freesync_video_mode',
 			  'amd_hotplug',
 			  'amd_gang_cs' ,
-- 
2.25.1



* ✓ CI.xeBAT: success for tests/amdgpu: add fuzzing tests
  2024-03-16  2:36 [PATCH] tests/amdgpu: add fuzzing tests vitaly.prosyak
@ 2024-03-16  3:16 ` Patchwork
  2024-03-16  3:21 ` ✗ Fi.CI.BAT: failure " Patchwork
  2024-03-18 11:51 ` [PATCH] " Kamil Konieczny
  2 siblings, 0 replies; 8+ messages in thread
From: Patchwork @ 2024-03-16  3:16 UTC (permalink / raw)
  To: vitaly.prosyak; +Cc: igt-dev

[-- Attachment #1: Type: text/plain, Size: 13515 bytes --]

== Series Details ==

Series: tests/amdgpu: add fuzzing tests
URL   : https://patchwork.freedesktop.org/series/131209/
State : success

== Summary ==

CI Bug Log - changes from XEIGT_7768_BAT -> XEIGTPW_10849_BAT
====================================================

Summary
-------

  **SUCCESS**

  No regressions found.

  

Participating hosts (0 -> 4)
------------------------------

  Additional (4): bat-pvc-2 bat-dg2-oem2 bat-adlp-7 bat-atsm-2 

Known issues
------------

  Here are the changes found in XEIGTPW_10849_BAT that come from known issues:

### IGT changes ###

#### Issues hit ####

  * igt@kms_addfb_basic@addfb25-x-tiled-legacy:
    - bat-pvc-2:          NOTRUN -> [SKIP][1] ([i915#6077]) +30 other tests skip
   [1]: https://intel-gfx-ci.01.org/tree/intel-xe/IGTPW_10849/bat-pvc-2/igt@kms_addfb_basic@addfb25-x-tiled-legacy.html

  * igt@kms_addfb_basic@addfb25-y-tiled-small-legacy:
    - bat-dg2-oem2:       NOTRUN -> [SKIP][2] ([Intel XE#623])
   [2]: https://intel-gfx-ci.01.org/tree/intel-xe/IGTPW_10849/bat-dg2-oem2/igt@kms_addfb_basic@addfb25-y-tiled-small-legacy.html

  * igt@kms_addfb_basic@invalid-set-prop-any:
    - bat-atsm-2:         NOTRUN -> [SKIP][3] ([i915#6077]) +30 other tests skip
   [3]: https://intel-gfx-ci.01.org/tree/intel-xe/IGTPW_10849/bat-atsm-2/igt@kms_addfb_basic@invalid-set-prop-any.html

  * igt@kms_cursor_legacy@basic-flip-after-cursor-atomic:
    - bat-pvc-2:          NOTRUN -> [SKIP][4] ([Intel XE#1024] / [Intel XE#782]) +5 other tests skip
   [4]: https://intel-gfx-ci.01.org/tree/intel-xe/IGTPW_10849/bat-pvc-2/igt@kms_cursor_legacy@basic-flip-after-cursor-atomic.html

  * igt@kms_cursor_legacy@basic-flip-before-cursor-legacy:
    - bat-atsm-2:         NOTRUN -> [SKIP][5] ([Intel XE#1024] / [Intel XE#782]) +5 other tests skip
   [5]: https://intel-gfx-ci.01.org/tree/intel-xe/IGTPW_10849/bat-atsm-2/igt@kms_cursor_legacy@basic-flip-before-cursor-legacy.html

  * igt@kms_dsc@dsc-basic:
    - bat-atsm-2:         NOTRUN -> [SKIP][6] ([Intel XE#1024] / [Intel XE#784])
   [6]: https://intel-gfx-ci.01.org/tree/intel-xe/IGTPW_10849/bat-atsm-2/igt@kms_dsc@dsc-basic.html
    - bat-pvc-2:          NOTRUN -> [SKIP][7] ([Intel XE#1024] / [Intel XE#784])
   [7]: https://intel-gfx-ci.01.org/tree/intel-xe/IGTPW_10849/bat-pvc-2/igt@kms_dsc@dsc-basic.html
    - bat-dg2-oem2:       NOTRUN -> [SKIP][8] ([Intel XE#455])
   [8]: https://intel-gfx-ci.01.org/tree/intel-xe/IGTPW_10849/bat-dg2-oem2/igt@kms_dsc@dsc-basic.html
    - bat-adlp-7:         NOTRUN -> [SKIP][9] ([Intel XE#455])
   [9]: https://intel-gfx-ci.01.org/tree/intel-xe/IGTPW_10849/bat-adlp-7/igt@kms_dsc@dsc-basic.html

  * igt@kms_flip@basic-flip-vs-dpms:
    - bat-pvc-2:          NOTRUN -> [SKIP][10] ([Intel XE#1024] / [Intel XE#947]) +3 other tests skip
   [10]: https://intel-gfx-ci.01.org/tree/intel-xe/IGTPW_10849/bat-pvc-2/igt@kms_flip@basic-flip-vs-dpms.html

  * igt@kms_flip@basic-flip-vs-modeset:
    - bat-atsm-2:         NOTRUN -> [SKIP][11] ([Intel XE#1024] / [Intel XE#947]) +3 other tests skip
   [11]: https://intel-gfx-ci.01.org/tree/intel-xe/IGTPW_10849/bat-atsm-2/igt@kms_flip@basic-flip-vs-modeset.html

  * igt@kms_force_connector_basic@force-connector-state:
    - bat-pvc-2:          NOTRUN -> [SKIP][12] ([Intel XE#540]) +3 other tests skip
   [12]: https://intel-gfx-ci.01.org/tree/intel-xe/IGTPW_10849/bat-pvc-2/igt@kms_force_connector_basic@force-connector-state.html
    - bat-atsm-2:         NOTRUN -> [SKIP][13] ([Intel XE#540]) +3 other tests skip
   [13]: https://intel-gfx-ci.01.org/tree/intel-xe/IGTPW_10849/bat-atsm-2/igt@kms_force_connector_basic@force-connector-state.html

  * igt@kms_force_connector_basic@prune-stale-modes:
    - bat-dg2-oem2:       NOTRUN -> [SKIP][14] ([i915#5274])
   [14]: https://intel-gfx-ci.01.org/tree/intel-xe/IGTPW_10849/bat-dg2-oem2/igt@kms_force_connector_basic@prune-stale-modes.html

  * igt@kms_frontbuffer_tracking@basic:
    - bat-pvc-2:          NOTRUN -> [SKIP][15] ([Intel XE#1024] / [Intel XE#783])
   [15]: https://intel-gfx-ci.01.org/tree/intel-xe/IGTPW_10849/bat-pvc-2/igt@kms_frontbuffer_tracking@basic.html
    - bat-adlp-7:         NOTRUN -> [FAIL][16] ([Intel XE#616])
   [16]: https://intel-gfx-ci.01.org/tree/intel-xe/IGTPW_10849/bat-adlp-7/igt@kms_frontbuffer_tracking@basic.html
    - bat-atsm-2:         NOTRUN -> [SKIP][17] ([Intel XE#1024] / [Intel XE#783])
   [17]: https://intel-gfx-ci.01.org/tree/intel-xe/IGTPW_10849/bat-atsm-2/igt@kms_frontbuffer_tracking@basic.html

  * igt@kms_pipe_crc_basic@compare-crc-sanitycheck-xr24:
    - bat-atsm-2:         NOTRUN -> [SKIP][18] ([i915#1836]) +6 other tests skip
   [18]: https://intel-gfx-ci.01.org/tree/intel-xe/IGTPW_10849/bat-atsm-2/igt@kms_pipe_crc_basic@compare-crc-sanitycheck-xr24.html

  * igt@kms_pipe_crc_basic@nonblocking-crc-frame-sequence:
    - bat-pvc-2:          NOTRUN -> [SKIP][19] ([Intel XE#829]) +6 other tests skip
   [19]: https://intel-gfx-ci.01.org/tree/intel-xe/IGTPW_10849/bat-pvc-2/igt@kms_pipe_crc_basic@nonblocking-crc-frame-sequence.html

  * igt@kms_prop_blob@basic:
    - bat-pvc-2:          NOTRUN -> [SKIP][20] ([Intel XE#780])
   [20]: https://intel-gfx-ci.01.org/tree/intel-xe/IGTPW_10849/bat-pvc-2/igt@kms_prop_blob@basic.html
    - bat-atsm-2:         NOTRUN -> [SKIP][21] ([Intel XE#780])
   [21]: https://intel-gfx-ci.01.org/tree/intel-xe/IGTPW_10849/bat-atsm-2/igt@kms_prop_blob@basic.html

  * igt@kms_psr@psr-cursor-plane-move:
    - bat-pvc-2:          NOTRUN -> [SKIP][22] ([Intel XE#1024]) +2 other tests skip
   [22]: https://intel-gfx-ci.01.org/tree/intel-xe/IGTPW_10849/bat-pvc-2/igt@kms_psr@psr-cursor-plane-move.html
    - bat-dg2-oem2:       NOTRUN -> [SKIP][23] ([Intel XE#929]) +2 other tests skip
   [23]: https://intel-gfx-ci.01.org/tree/intel-xe/IGTPW_10849/bat-dg2-oem2/igt@kms_psr@psr-cursor-plane-move.html

  * igt@kms_psr@psr-primary-page-flip:
    - bat-atsm-2:         NOTRUN -> [SKIP][24] ([Intel XE#1024]) +2 other tests skip
   [24]: https://intel-gfx-ci.01.org/tree/intel-xe/IGTPW_10849/bat-atsm-2/igt@kms_psr@psr-primary-page-flip.html

  * igt@xe_evict@evict-beng-small-external:
    - bat-pvc-2:          NOTRUN -> [FAIL][25] ([Intel XE#1000]) +3 other tests fail
   [25]: https://intel-gfx-ci.01.org/tree/intel-xe/IGTPW_10849/bat-pvc-2/igt@xe_evict@evict-beng-small-external.html
    - bat-adlp-7:         NOTRUN -> [SKIP][26] ([Intel XE#261] / [Intel XE#688]) +15 other tests skip
   [26]: https://intel-gfx-ci.01.org/tree/intel-xe/IGTPW_10849/bat-adlp-7/igt@xe_evict@evict-beng-small-external.html

  * igt@xe_evict@evict-small-cm:
    - bat-pvc-2:          NOTRUN -> [DMESG-FAIL][27] ([Intel XE#482]) +3 other tests dmesg-fail
   [27]: https://intel-gfx-ci.01.org/tree/intel-xe/IGTPW_10849/bat-pvc-2/igt@xe_evict@evict-small-cm.html

  * igt@xe_evict_ccs@evict-overcommit-simple:
    - bat-adlp-7:         NOTRUN -> [SKIP][28] ([Intel XE#688]) +1 other test skip
   [28]: https://intel-gfx-ci.01.org/tree/intel-xe/IGTPW_10849/bat-adlp-7/igt@xe_evict_ccs@evict-overcommit-simple.html

  * igt@xe_exec_fault_mode@many-basic:
    - bat-dg2-oem2:       NOTRUN -> [SKIP][29] ([Intel XE#288]) +22 other tests skip
   [29]: https://intel-gfx-ci.01.org/tree/intel-xe/IGTPW_10849/bat-dg2-oem2/igt@xe_exec_fault_mode@many-basic.html

  * igt@xe_exec_fault_mode@twice-userptr:
    - bat-adlp-7:         NOTRUN -> [SKIP][30] ([Intel XE#288]) +22 other tests skip
   [30]: https://intel-gfx-ci.01.org/tree/intel-xe/IGTPW_10849/bat-adlp-7/igt@xe_exec_fault_mode@twice-userptr.html

  * igt@xe_exec_fault_mode@twice-userptr-rebind-prefetch:
    - bat-atsm-2:         NOTRUN -> [SKIP][31] ([Intel XE#288]) +22 other tests skip
   [31]: https://intel-gfx-ci.01.org/tree/intel-xe/IGTPW_10849/bat-atsm-2/igt@xe_exec_fault_mode@twice-userptr-rebind-prefetch.html

  * igt@xe_gt_freq@freq_range_idle:
    - bat-pvc-2:          NOTRUN -> [SKIP][32] ([Intel XE#1021]) +1 other test skip
   [32]: https://intel-gfx-ci.01.org/tree/intel-xe/IGTPW_10849/bat-pvc-2/igt@xe_gt_freq@freq_range_idle.html

  * igt@xe_huc_copy@huc_copy:
    - bat-pvc-2:          NOTRUN -> [SKIP][33] ([Intel XE#255])
   [33]: https://intel-gfx-ci.01.org/tree/intel-xe/IGTPW_10849/bat-pvc-2/igt@xe_huc_copy@huc_copy.html
    - bat-dg2-oem2:       NOTRUN -> [SKIP][34] ([Intel XE#255])
   [34]: https://intel-gfx-ci.01.org/tree/intel-xe/IGTPW_10849/bat-dg2-oem2/igt@xe_huc_copy@huc_copy.html
    - bat-atsm-2:         NOTRUN -> [SKIP][35] ([Intel XE#255])
   [35]: https://intel-gfx-ci.01.org/tree/intel-xe/IGTPW_10849/bat-atsm-2/igt@xe_huc_copy@huc_copy.html

  * igt@xe_intel_bb@render:
    - bat-pvc-2:          NOTRUN -> [SKIP][36] ([Intel XE#532])
   [36]: https://intel-gfx-ci.01.org/tree/intel-xe/IGTPW_10849/bat-pvc-2/igt@xe_intel_bb@render.html

  * igt@xe_mmap@vram:
    - bat-adlp-7:         NOTRUN -> [SKIP][37] ([Intel XE#1008])
   [37]: https://intel-gfx-ci.01.org/tree/intel-xe/IGTPW_10849/bat-adlp-7/igt@xe_mmap@vram.html

  * igt@xe_pat@pat-index-xe2:
    - bat-pvc-2:          NOTRUN -> [SKIP][38] ([Intel XE#977]) +1 other test skip
   [38]: https://intel-gfx-ci.01.org/tree/intel-xe/IGTPW_10849/bat-pvc-2/igt@xe_pat@pat-index-xe2.html
    - bat-adlp-7:         NOTRUN -> [SKIP][39] ([Intel XE#977])
   [39]: https://intel-gfx-ci.01.org/tree/intel-xe/IGTPW_10849/bat-adlp-7/igt@xe_pat@pat-index-xe2.html
    - bat-atsm-2:         NOTRUN -> [SKIP][40] ([Intel XE#977])
   [40]: https://intel-gfx-ci.01.org/tree/intel-xe/IGTPW_10849/bat-atsm-2/igt@xe_pat@pat-index-xe2.html
    - bat-dg2-oem2:       NOTRUN -> [SKIP][41] ([Intel XE#977])
   [41]: https://intel-gfx-ci.01.org/tree/intel-xe/IGTPW_10849/bat-dg2-oem2/igt@xe_pat@pat-index-xe2.html

  * igt@xe_pat@pat-index-xehpc:
    - bat-dg2-oem2:       NOTRUN -> [SKIP][42] ([Intel XE#979]) +1 other test skip
   [42]: https://intel-gfx-ci.01.org/tree/intel-xe/IGTPW_10849/bat-dg2-oem2/igt@xe_pat@pat-index-xehpc.html
    - bat-adlp-7:         NOTRUN -> [SKIP][43] ([Intel XE#979]) +1 other test skip
   [43]: https://intel-gfx-ci.01.org/tree/intel-xe/IGTPW_10849/bat-adlp-7/igt@xe_pat@pat-index-xehpc.html

  * igt@xe_pat@pat-index-xehpc@render:
    - bat-pvc-2:          NOTRUN -> [SKIP][44] ([Intel XE#976])
   [44]: https://intel-gfx-ci.01.org/tree/intel-xe/IGTPW_10849/bat-pvc-2/igt@xe_pat@pat-index-xehpc@render.html

  * igt@xe_pat@pat-index-xelpg:
    - bat-atsm-2:         NOTRUN -> [SKIP][45] ([Intel XE#979]) +1 other test skip
   [45]: https://intel-gfx-ci.01.org/tree/intel-xe/IGTPW_10849/bat-atsm-2/igt@xe_pat@pat-index-xelpg.html
    - bat-pvc-2:          NOTRUN -> [SKIP][46] ([Intel XE#979])
   [46]: https://intel-gfx-ci.01.org/tree/intel-xe/IGTPW_10849/bat-pvc-2/igt@xe_pat@pat-index-xelpg.html

  * igt@xe_pm_residency@gt-c6-on-idle:
    - bat-pvc-2:          NOTRUN -> [SKIP][47] ([Intel XE#531])
   [47]: https://intel-gfx-ci.01.org/tree/intel-xe/IGTPW_10849/bat-pvc-2/igt@xe_pm_residency@gt-c6-on-idle.html

  
  [Intel XE#1000]: https://gitlab.freedesktop.org/drm/xe/kernel/issues/1000
  [Intel XE#1008]: https://gitlab.freedesktop.org/drm/xe/kernel/issues/1008
  [Intel XE#1021]: https://gitlab.freedesktop.org/drm/xe/kernel/issues/1021
  [Intel XE#1024]: https://gitlab.freedesktop.org/drm/xe/kernel/issues/1024
  [Intel XE#255]: https://gitlab.freedesktop.org/drm/xe/kernel/issues/255
  [Intel XE#261]: https://gitlab.freedesktop.org/drm/xe/kernel/issues/261
  [Intel XE#288]: https://gitlab.freedesktop.org/drm/xe/kernel/issues/288
  [Intel XE#455]: https://gitlab.freedesktop.org/drm/xe/kernel/issues/455
  [Intel XE#482]: https://gitlab.freedesktop.org/drm/xe/kernel/issues/482
  [Intel XE#531]: https://gitlab.freedesktop.org/drm/xe/kernel/issues/531
  [Intel XE#532]: https://gitlab.freedesktop.org/drm/xe/kernel/issues/532
  [Intel XE#540]: https://gitlab.freedesktop.org/drm/xe/kernel/issues/540
  [Intel XE#616]: https://gitlab.freedesktop.org/drm/xe/kernel/issues/616
  [Intel XE#623]: https://gitlab.freedesktop.org/drm/xe/kernel/issues/623
  [Intel XE#688]: https://gitlab.freedesktop.org/drm/xe/kernel/issues/688
  [Intel XE#780]: https://gitlab.freedesktop.org/drm/xe/kernel/issues/780
  [Intel XE#782]: https://gitlab.freedesktop.org/drm/xe/kernel/issues/782
  [Intel XE#783]: https://gitlab.freedesktop.org/drm/xe/kernel/issues/783
  [Intel XE#784]: https://gitlab.freedesktop.org/drm/xe/kernel/issues/784
  [Intel XE#829]: https://gitlab.freedesktop.org/drm/xe/kernel/issues/829
  [Intel XE#929]: https://gitlab.freedesktop.org/drm/xe/kernel/issues/929
  [Intel XE#947]: https://gitlab.freedesktop.org/drm/xe/kernel/issues/947
  [Intel XE#976]: https://gitlab.freedesktop.org/drm/xe/kernel/issues/976
  [Intel XE#977]: https://gitlab.freedesktop.org/drm/xe/kernel/issues/977
  [Intel XE#979]: https://gitlab.freedesktop.org/drm/xe/kernel/issues/979
  [i915#1836]: https://gitlab.freedesktop.org/drm/intel/issues/1836
  [i915#5274]: https://gitlab.freedesktop.org/drm/intel/issues/5274
  [i915#6077]: https://gitlab.freedesktop.org/drm/intel/issues/6077


Build changes
-------------

  * IGT: IGT_7768 -> IGTPW_10849
  * Linux: xe-946-b7ead5c90db25002638773b1a9289220e6a36b4d -> xe-951-bb2b694350f7d997c90c0edff2d3409d9adc482a

  IGTPW_10849: https://intel-gfx-ci.01.org/tree/drm-tip/IGTPW_10849/index.html
  IGT_7768: 7768
  xe-946-b7ead5c90db25002638773b1a9289220e6a36b4d: b7ead5c90db25002638773b1a9289220e6a36b4d
  xe-951-bb2b694350f7d997c90c0edff2d3409d9adc482a: bb2b694350f7d997c90c0edff2d3409d9adc482a

== Logs ==

For more details see: https://intel-gfx-ci.01.org/tree/intel-xe/IGTPW_10849/index.html

[-- Attachment #2: Type: text/html, Size: 16819 bytes --]


* ✗ Fi.CI.BAT: failure for tests/amdgpu: add fuzzing tests
  2024-03-16  2:36 [PATCH] tests/amdgpu: add fuzzing tests vitaly.prosyak
  2024-03-16  3:16 ` ✓ CI.xeBAT: success for " Patchwork
@ 2024-03-16  3:21 ` Patchwork
  2024-03-18 11:52   ` Kamil Konieczny
  2024-03-18 11:51 ` [PATCH] " Kamil Konieczny
  2 siblings, 1 reply; 8+ messages in thread
From: Patchwork @ 2024-03-16  3:21 UTC (permalink / raw)
  To: vitaly.prosyak; +Cc: igt-dev

[-- Attachment #1: Type: text/plain, Size: 3395 bytes --]

== Series Details ==

Series: tests/amdgpu: add fuzzing tests
URL   : https://patchwork.freedesktop.org/series/131209/
State : failure

== Summary ==

CI Bug Log - changes from CI_DRM_14442 -> IGTPW_10849
====================================================

Summary
-------

  **FAILURE**

  Serious unknown changes coming with IGTPW_10849 absolutely need to be
  verified manually.
  
  If you think the reported changes have nothing to do with the changes
  introduced in IGTPW_10849, please notify your bug team (I915-ci-infra@lists.freedesktop.org) to allow them
  to document this new failure mode, which will reduce false positives in CI.

  External URL: https://intel-gfx-ci.01.org/tree/drm-tip/IGTPW_10849/index.html

Participating hosts (37 -> 36)
------------------------------

  Missing    (1): fi-snb-2520m 

Possible new issues
-------------------

  Here are the unknown changes that may have been introduced in IGTPW_10849:

### IGT changes ###

#### Possible regressions ####

  * igt@kms_addfb_basic@too-high:
    - fi-kbl-8809g:       NOTRUN -> [FAIL][1] +2 other tests fail
   [1]: https://intel-gfx-ci.01.org/tree/drm-tip/IGTPW_10849/fi-kbl-8809g/igt@kms_addfb_basic@too-high.html

  * igt@kms_force_connector_basic@force-edid:
    - fi-kbl-8809g:       NOTRUN -> [DMESG-FAIL][2]
   [2]: https://intel-gfx-ci.01.org/tree/drm-tip/IGTPW_10849/fi-kbl-8809g/igt@kms_force_connector_basic@force-edid.html

  * igt@kms_force_connector_basic@prune-stale-modes:
    - fi-kbl-8809g:       NOTRUN -> [DMESG-WARN][3] +2 other tests dmesg-warn
   [3]: https://intel-gfx-ci.01.org/tree/drm-tip/IGTPW_10849/fi-kbl-8809g/igt@kms_force_connector_basic@prune-stale-modes.html

  
Known issues
------------

  Here are the changes found in IGTPW_10849 that come from known issues:

### IGT changes ###

#### Issues hit ####

  * igt@gem_lmem_swapping@basic:
    - fi-kbl-8809g:       NOTRUN -> [SKIP][4] ([i915#4613]) +3 other tests skip
   [4]: https://intel-gfx-ci.01.org/tree/drm-tip/IGTPW_10849/fi-kbl-8809g/igt@gem_lmem_swapping@basic.html

  * igt@kms_hdmi_inject@inject-audio:
    - fi-kbl-8809g:       NOTRUN -> [FAIL][5] ([IGT#3])
   [5]: https://intel-gfx-ci.01.org/tree/drm-tip/IGTPW_10849/fi-kbl-8809g/igt@kms_hdmi_inject@inject-audio.html

  * igt@kms_pipe_crc_basic@compare-crc-sanitycheck-nv12@pipe-a-hdmi-a-1:
    - fi-kbl-8809g:       NOTRUN -> [SKIP][6] +53 other tests skip
   [6]: https://intel-gfx-ci.01.org/tree/drm-tip/IGTPW_10849/fi-kbl-8809g/igt@kms_pipe_crc_basic@compare-crc-sanitycheck-nv12@pipe-a-hdmi-a-1.html

  
  {name}: This element is suppressed. This means it is ignored when computing
          the status of the difference (SUCCESS, WARNING, or FAILURE).

  [IGT#3]: https://gitlab.freedesktop.org/drm/igt-gpu-tools/issues/3
  [i915#10436]: https://gitlab.freedesktop.org/drm/intel/issues/10436
  [i915#4613]: https://gitlab.freedesktop.org/drm/intel/issues/4613


Build changes
-------------

  * CI: CI-20190529 -> None
  * IGT: IGT_7768 -> IGTPW_10849

  CI-20190529: 20190529
  CI_DRM_14442: bb2b694350f7d997c90c0edff2d3409d9adc482a @ git://anongit.freedesktop.org/gfx-ci/linux
  IGTPW_10849: https://intel-gfx-ci.01.org/tree/drm-tip/IGTPW_10849/index.html
  IGT_7768: 7768


Testlist changes
----------------

-igt@kms_cursor_crc@cursor-size-hints

== Logs ==

For more details see: https://intel-gfx-ci.01.org/tree/drm-tip/IGTPW_10849/index.html

[-- Attachment #2: Type: text/html, Size: 4100 bytes --]


* Re: [PATCH] tests/amdgpu: add fuzzing tests
  2024-03-16  2:36 [PATCH] tests/amdgpu: add fuzzing tests vitaly.prosyak
  2024-03-16  3:16 ` ✓ CI.xeBAT: success for " Patchwork
  2024-03-16  3:21 ` ✗ Fi.CI.BAT: failure " Patchwork
@ 2024-03-18 11:51 ` Kamil Konieczny
  2 siblings, 0 replies; 8+ messages in thread
From: Kamil Konieczny @ 2024-03-18 11:51 UTC (permalink / raw)
  To: igt-dev
  Cc: vitaly.prosyak, Alex Deucher, Christian Koenig, Joonkyo Jung,
	Jesse Zhang

Hi Vitaly,

On 2024-03-15 at 22:36:31 -0400, vitaly.prosyak@amd.com wrote:
> From: Vitaly Prosyak <vitaly.prosyak@amd.com>
> 
> Joonkyo Jung was using customized Syzkaller with KAZAN
> enabled to find the bugs in amdgpu and the drm scheduler.
> Those new tests would help to keep the job state machine
> of the drm scheduler and amdgpu in the correct state to
> ensure that the wrong call sequence or invalid parameters
> do not cause a kernel crash.
> 
> The sub-test 'user ptr fuzzing' sends
> DRM_IOCTL_AMDGPU_GEM_USERPTR the invalid address and
> 2 GB allocation size.
> The sub-test 'cs fuzzing' sends DRM_IOCTL_AMDGPU_WAIT_CS
> for several IP types without previously submitted jobs.
> 
> Cc: Alex Deucher <alexander.deucher@amd.com>
> Cc: Christian Koenig <christian.koenig@amd.com>
> Cc: Joonkyo Jung <joonkyoj@yonsei.ac.kr>
> Cc: Jesse Zhang <Jesse.Zhang@amd.com>
> Signed-off-by: Vitaly Prosyak <vitaly.prosyak@amd.com>
> ---
>  tests/amdgpu/amd_fuzzing.c | 99 ++++++++++++++++++++++++++++++++++++++
>  tests/amdgpu/meson.build   |  1 +
>  2 files changed, 100 insertions(+)
>  create mode 100644 tests/amdgpu/amd_fuzzing.c
> 
> diff --git a/tests/amdgpu/amd_fuzzing.c b/tests/amdgpu/amd_fuzzing.c
> new file mode 100644
> index 000000000..11a85f46c
> --- /dev/null
> +++ b/tests/amdgpu/amd_fuzzing.c
> @@ -0,0 +1,99 @@
> +// SPDX-License-Identifier: MIT
> +/*
> + * Copyright 2024 Advanced Micro Devices, Inc.
> + */
> +
> +#include "lib/amdgpu/amd_memory.h"
> +#include "lib/amdgpu/amd_gfx.h"
--------------------------- ^

Keep it sorted alphabetically.

> +
> +/*
> + * The bug was found using customized Syzkaller and with Kazan enabled.
> + * It can be triggered by sending a single amdgpu_gem_userptr_ioctl
> + * to the AMDGPU DRM driver on any ASICs with an invalid address and size.
> + * The bug was reported by Joonkyo Jung <joonkyoj@yonsei.ac.kr>.
> + * The following test ensures that the found bug is no longer reproducible.
> + */
> +static
> +void amd_gem_userptr_fuzzing(int fd)
> +{
> +	/*
> +	 * use-after-free bug in the AMDGPU DRM driver
> +	 * fix in amdgpu commit 6dbd33a9c8747dbf1d149484509ad667cbdb3059
> +	 * The error dump is available in dmesg only when KAZAN is enabled
> +	 */
> +
> +	struct drm_amdgpu_gem_userptr user_ptr;
> +	int r;
> +
> +	user_ptr.addr = 0xffffffffffff0000;
> +	user_ptr.size = 0x80000000; /*2 Gb*/
> +	user_ptr.flags = 0x7;
> +	r = drmIoctl(fd, DRM_IOCTL_AMDGPU_GEM_USERPTR, &user_ptr);
> +	igt_info("%s DRM_IOCTL_AMDGPU_GEM_USERPTR ret %d", __func__, r);
> +	igt_assert_neq(r, 0);
> +}
> +
> +/*
> + *  The bug was found using customized Syzkaller and with Kazan enabled.
> + *  The bug can be triggered by sending an amdgpu_cs_wait_ioctl for ip types:
> + *  AMD_IP_VCE, AMD_IP_VCN_ENC, AMD_IP_VCN_JPEG, AMD_IP_VPE
> + *  to the AMDGPU DRM driver on any ASICs with valid context.
> + *  The bug was reported by Joonkyo Jung <joonkyoj@yonsei.ac.kr>.
> + *
> + */
> +static
> +void amd_cs_wait_fuzzing(int fd, const enum amd_ip_block_type types[], int size)
> +{
> +	/*
> +	 * null-ptr-deref and the fix in the DRM scheduler
> +	 * The test helps keep the job state machine of the drm scheduler and
> +	 * amdgpu in the correct state to ensure that the wrong call sequence does
> +	 * not cause a crash.
> +	 */
> +
> +	union drm_amdgpu_ctx ctx;
> +	union drm_amdgpu_wait_cs cs_wait;
> +	int r, i;
> +
> +	memset(&ctx, 0, sizeof(union drm_amdgpu_ctx));
> +	ctx.in.op = AMDGPU_CTX_OP_ALLOC_CTX;
> +	r = drmIoctl(fd, DRM_IOCTL_AMDGPU_CTX, &ctx);
> +	igt_info("%s DRM_IOCTL_AMDGPU_CTX ret %d", __func__, r);
> +
> +	for (i = 0; i < size; i++) {
> +		memset(&cs_wait, 0, sizeof(union drm_amdgpu_wait_cs));
> +		cs_wait.in.handle = 0x0;
> +		cs_wait.in.timeout = 0x2000000000000;
> +		cs_wait.in.ip_type = types[i];
> +		cs_wait.in.ip_instance = 0x0;
> +		cs_wait.in.ring = 0x0;
> +		cs_wait.in.ctx_id = ctx.out.alloc.ctx_id;
> +		r = drmIoctl(fd, DRM_IOCTL_AMDGPU_WAIT_CS, &cs_wait);
> +		igt_info("$s AMDGPU_WAIT_CS ret %d", __func__, r);
> +		igt_assert_eq(r, 0);
> +	}
> +}
> +
> +igt_main
> +{
> +	int fd = -1;
> +	const enum amd_ip_block_type arr_types[] = {
> +			AMD_IP_VCE, AMD_IP_VCN_ENC, AMD_IP_VCN_JPEG, AMD_IP_VPE };
> +
> +	igt_fixture {
> +		fd = drm_open_driver(DRIVER_AMDGPU);
> +		igt_require(fd != -1);
> +	}
> +
> +	igt_describe("Check user ptr fuzzing with huge size and not valid address");
> +	igt_subtest("userptr-fuzzing")
> +		amd_gem_userptr_fuzzing(fd);
> +
> +	igt_describe("Check cs wait fuzzing");
> +	igt_subtest("cs-wait-fuzzing")
> +		amd_cs_wait_fuzzing(fd, arr_types, ARRAY_SIZE(arr_types));
> +
> +	igt_fixture {
> +		drm_close_driver(fd);
> +	}
> +}
> diff --git a/tests/amdgpu/meson.build b/tests/amdgpu/meson.build
> index a58d18ad3..ce3ba5520 100644
> --- a/tests/amdgpu/meson.build
> +++ b/tests/amdgpu/meson.build
> @@ -12,6 +12,7 @@ if libdrm_amdgpu.found()
>  			  'amd_cs_nop',
>  			  'amd_deadlock',
>  			  'amd_dp_dsc',
> +			  'amd_fuzzing',
-------------------^^

Try to keep it sorted alphabetically.

Regards,
Kamil

>  			  'amd_freesync_video_mode',
>  			  'amd_hotplug',
>  			  'amd_gang_cs' ,
> -- 
> 2.25.1
> 


* Re: ✗ Fi.CI.BAT: failure for tests/amdgpu: add fuzzing tests
  2024-03-16  3:21 ` ✗ Fi.CI.BAT: failure " Patchwork
@ 2024-03-18 11:52   ` Kamil Konieczny
  0 siblings, 0 replies; 8+ messages in thread
From: Kamil Konieczny @ 2024-03-18 11:52 UTC (permalink / raw)
  To: igt-dev; +Cc: vitaly.prosyak

Hi igt-dev,
On 2024-03-16 at 03:21:32 -0000, Patchwork wrote:
> == Series Details ==
> 
> Series: tests/amdgpu: add fuzzing tests
> URL   : https://patchwork.freedesktop.org/series/131209/
> State : failure
> 
> == Summary ==
> 
> CI Bug Log - changes from CI_DRM_14442 -> IGTPW_10849
> ====================================================
> 
> Summary
> -------
> 
>   **FAILURE**
> 
>   Serious unknown changes coming with IGTPW_10849 absolutely need to be
>   verified manually.
>   
>   If you think the reported changes have nothing to do with the changes
>   introduced in IGTPW_10849, please notify your bug team (I915-ci-infra@lists.freedesktop.org) to allow them
>   to document this new failure mode, which will reduce false positives in CI.
> 
>   External URL: https://intel-gfx-ci.01.org/tree/drm-tip/IGTPW_10849/index.html
> 
> Participating hosts (37 -> 36)
> ------------------------------
> 
>   Missing    (1): fi-snb-2520m 
> 
> Possible new issues
> -------------------
> 
>   Here are the unknown changes that may have been introduced in IGTPW_10849:
> 
> ### IGT changes ###
> 
> #### Possible regressions ####
> 
>   * igt@kms_addfb_basic@too-high:
>     - fi-kbl-8809g:       NOTRUN -> [FAIL][1] +2 other tests fail
>    [1]: https://intel-gfx-ci.01.org/tree/drm-tip/IGTPW_10849/fi-kbl-8809g/igt@kms_addfb_basic@too-high.html
> 
>   * igt@kms_force_connector_basic@force-edid:
>     - fi-kbl-8809g:       NOTRUN -> [DMESG-FAIL][2]
>    [2]: https://intel-gfx-ci.01.org/tree/drm-tip/IGTPW_10849/fi-kbl-8809g/igt@kms_force_connector_basic@force-edid.html
> 
>   * igt@kms_force_connector_basic@prune-stale-modes:
>     - fi-kbl-8809g:       NOTRUN -> [DMESG-WARN][3] +2 other tests dmesg-warn
>    [3]: https://intel-gfx-ci.01.org/tree/drm-tip/IGTPW_10849/fi-kbl-8809g/igt@kms_force_connector_basic@prune-stale-modes.html
> 
>   
> Known issues
> ------------
> 
>   Here are the changes found in IGTPW_10849 that come from known issues:
> 
> ### IGT changes ###
> 
> #### Issues hit ####
> 
>   * igt@gem_lmem_swapping@basic:
>     - fi-kbl-8809g:       NOTRUN -> [SKIP][4] ([i915#4613]) +3 other tests skip
>    [4]: https://intel-gfx-ci.01.org/tree/drm-tip/IGTPW_10849/fi-kbl-8809g/igt@gem_lmem_swapping@basic.html
> 
>   * igt@kms_hdmi_inject@inject-audio:
>     - fi-kbl-8809g:       NOTRUN -> [FAIL][5] ([IGT#3])
>    [5]: https://intel-gfx-ci.01.org/tree/drm-tip/IGTPW_10849/fi-kbl-8809g/igt@kms_hdmi_inject@inject-audio.html
> 
>   * igt@kms_pipe_crc_basic@compare-crc-sanitycheck-nv12@pipe-a-hdmi-a-1:
>     - fi-kbl-8809g:       NOTRUN -> [SKIP][6] +53 other tests skip
>    [6]: https://intel-gfx-ci.01.org/tree/drm-tip/IGTPW_10849/fi-kbl-8809g/igt@kms_pipe_crc_basic@compare-crc-sanitycheck-nv12@pipe-a-hdmi-a-1.html
> 
>   
>   {name}: This element is suppressed. This means it is ignored when computing
>           the status of the difference (SUCCESS, WARNING, or FAILURE).
> 
>   [IGT#3]: https://gitlab.freedesktop.org/drm/igt-gpu-tools/issues/3
>   [i915#10436]: https://gitlab.freedesktop.org/drm/intel/issues/10436
>   [i915#4613]: https://gitlab.freedesktop.org/drm/intel/issues/4613
> 

These failures are unrelated to the amdgpu test.

Regards,
Kamil

> 
> Build changes
> -------------
> 
>   * CI: CI-20190529 -> None
>   * IGT: IGT_7768 -> IGTPW_10849
> 
>   CI-20190529: 20190529
>   CI_DRM_14442: bb2b694350f7d997c90c0edff2d3409d9adc482a @ git://anongit.freedesktop.org/gfx-ci/linux
>   IGTPW_10849: https://intel-gfx-ci.01.org/tree/drm-tip/IGTPW_10849/index.html
>   IGT_7768: 7768
> 
> 
> Testlist changes
> ----------------
> 
> -igt@kms_cursor_crc@cursor-size-hints
> 
> == Logs ==
> 
> For more details see: https://intel-gfx-ci.01.org/tree/drm-tip/IGTPW_10849/index.html


* RE: [PATCH] tests/amdgpu: add fuzzing tests
  2024-03-18 18:40 vitaly.prosyak
@ 2024-03-21  4:13 ` Zhang, Jesse(Jie)
  0 siblings, 0 replies; 8+ messages in thread
From: Zhang, Jesse(Jie) @ 2024-03-21  4:13 UTC (permalink / raw)
  To: Prosyak, Vitaly, igt-dev
  Cc: Prosyak, Vitaly, Deucher, Alexander, Koenig, Christian,
	Kamil Konieczny, Joonkyo Jung

[AMD Official Use Only - General]

The change looks good to me.

Reviewed-by: Jesse Zhang <Jesse.Zhang@amd.com>

-----Original Message-----
From: vitaly.prosyak@amd.com <vitaly.prosyak@amd.com>
Sent: Tuesday, March 19, 2024 2:41 AM
To: igt-dev@lists.freedesktop.org
Cc: Prosyak, Vitaly <Vitaly.Prosyak@amd.com>; Deucher, Alexander <Alexander.Deucher@amd.com>; Koenig, Christian <Christian.Koenig@amd.com>; Kamil Konieczny <kamil.konieczny@linux.intel.com>; Joonkyo Jung <joonkyoj@yonsei.ac.kr>; Zhang, Jesse(Jie) <Jesse.Zhang@amd.com>
Subject: [PATCH] tests/amdgpu: add fuzzing tests

From: Vitaly Prosyak <vitaly.prosyak@amd.com>

Joonkyo Jung was using customized Syzkaller with KAZAN enabled to find the bugs in amdgpu and the drm scheduler.
Those new tests would help to keep the job state machine of the drm scheduler and amdgpu in the correct state to ensure that the wrong call sequence or invalid parameters do not cause a kernel crash.

The sub-test 'user ptr fuzzing' sends
DRM_IOCTL_AMDGPU_GEM_USERPTR the invalid address and
2 GB allocation size.
The sub-test 'cs fuzzing' sends DRM_IOCTL_AMDGPU_WAIT_CS for several IP types without previously submitted jobs.

v2 : File names in 'meson.build' are sorted alphabetically
     (Kamil)

Cc: Alex Deucher <alexander.deucher@amd.com>
Cc: Christian Koenig <christian.koenig@amd.com>
Cc: Kamil Konieczny <kamil.konieczny@linux.intel.com>
Cc: Joonkyo Jung <joonkyoj@yonsei.ac.kr>
Cc: Jesse Zhang <Jesse.Zhang@amd.com>
Signed-off-by: Vitaly Prosyak <vitaly.prosyak@amd.com>
---
 tests/amdgpu/amd_fuzzing.c | 120 +++++++++++++++++++++++++++++++++++++
 tests/amdgpu/meson.build   |   1 +
 2 files changed, 121 insertions(+)
 create mode 100644 tests/amdgpu/amd_fuzzing.c

diff --git a/tests/amdgpu/amd_fuzzing.c b/tests/amdgpu/amd_fuzzing.c
new file mode 100644
index 000000000..69c9e8dad
--- /dev/null
+++ b/tests/amdgpu/amd_fuzzing.c
@@ -0,0 +1,120 @@
+// SPDX-License-Identifier: MIT
+/*
+ * Copyright 2024 Advanced Micro Devices, Inc.
+ */
+
+#include "lib/amdgpu/amd_memory.h"
+#include "lib/amdgpu/amd_gfx.h"
+#include "lib/ioctl_wrappers.h"
+
+const struct amd_ip_type {
+       const char *name;
+       enum amd_ip_block_type type;
+} amd_ip_type_arr[] = {
+       {"AMD_IP_GFX",          AMD_IP_GFX},
+       {"AMD_IP_COMPUTE",      AMD_IP_COMPUTE},
+       {"AMD_IP_DMA",          AMD_IP_DMA},
+       {"AMD_IP_UVD",          AMD_IP_UVD},
+       {"AMD_IP_VCE",          AMD_IP_VCE},
+       {"AMD_IP_UVD_ENC",      AMD_IP_UVD_ENC},
+       {"AMD_IP_VCN_DEC",      AMD_IP_VCN_DEC},
+       {"AMD_IP_VCN_ENC",      AMD_IP_VCN_ENC},
+       {"AMD_IP_VCN_JPEG",     AMD_IP_VCN_JPEG},
+       {"AMD_IP_VPE",          AMD_IP_VPE},
+       {"AMD_IP_MAX",          AMD_IP_MAX},
+       {},
+};
+
+/*
+ * The bug was found using customized Syzkaller and with Kazan enabled.
+ * It can be triggered by sending a single amdgpu_gem_userptr_ioctl
+ * to the AMDGPU DRM driver on any ASICs with an invalid address and size.
+ * The bug was reported by Joonkyo Jung <joonkyoj@yonsei.ac.kr>.
+ * The following test ensures that the found bug is no longer reproducible.
+ */
+static
+void amd_gem_userptr_fuzzing(int fd)
+{
+       /*
+        * use-after-free bug in the AMDGPU DRM driver
+        * fix in amdgpu commit 6dbd33a9c8747dbf1d149484509ad667cbdb3059
+        * The error dump is available in dmesg only when KAZAN is enabled
+        */
+
+       struct drm_amdgpu_gem_userptr user_ptr;
+       int r;
+
+       user_ptr.addr = 0xffffffffffff0000;
+       user_ptr.size = 0x80000000; /*2 Gb*/
+       user_ptr.flags = 0x7;
+       r = igt_ioctl(fd, DRM_IOCTL_AMDGPU_GEM_USERPTR, &user_ptr);
+       igt_info("%s DRM_IOCTL_AMDGPU_GEM_USERPTR r %d\n", __func__, r);
+       igt_assert_neq(r, 0);
+}
+
+/*
+ *  The bug was found using customized Syzkaller and with Kazan enabled.
+ *  The bug can be triggered by sending an amdgpu_cs_wait_ioctl for ip types:
+ *  AMD_IP_VCE, AMD_IP_VCN_ENC, AMD_IP_VCN_JPEG, AMD_IP_VPE
+ *  to the AMDGPU DRM driver on any ASICs with valid context.
+ *  The bug was reported by Joonkyo Jung <joonkyoj@yonsei.ac.kr>.
+ *
+ */
+static
+void amd_cs_wait_fuzzing(int fd, const enum amd_ip_block_type types[],
+int size) {
+       /*
+        * null-ptr-deref and the fix in the DRM scheduler
+        * The test helps keep the job state machine of the drm scheduler and
+        * amdgpu in the correct state to ensure that the wrong call sequence does
+        * not cause a crash.
+        */
+
+       union drm_amdgpu_ctx ctx;
+       union drm_amdgpu_wait_cs cs_wait;
+       int r, i;
+
+       memset(&ctx, 0, sizeof(union drm_amdgpu_ctx));
+       ctx.in.op = AMDGPU_CTX_OP_ALLOC_CTX;
+       r = igt_ioctl(fd, DRM_IOCTL_AMDGPU_CTX, &ctx);
+       igt_info("%s DRM_IOCTL_AMDGPU_CTX r %d\n", __func__, r);
+       igt_assert_eq(r, 0);
+
+       for (i = 0; i < size; i++) {
+               memset(&cs_wait, 0, sizeof(union drm_amdgpu_wait_cs));
+               cs_wait.in.handle = 0x0;
+               cs_wait.in.timeout = 0x2000000000000;
+               cs_wait.in.ip_instance = 0x0;
+               cs_wait.in.ring = 0x0;
+               cs_wait.in.ctx_id = ctx.out.alloc.ctx_id;
+               cs_wait.in.ip_type = types[i];
+               r = igt_ioctl(fd, DRM_IOCTL_AMDGPU_WAIT_CS, &cs_wait);
+               igt_info("%s AMDGPU_WAIT_CS %s r %d\n", __func__,
+                               amd_ip_type_arr[types[i]].name, r);
+               igt_assert_eq(r, 0);
+       }
+}
+
+igt_main
+{
+       int fd = -1;
+       const enum amd_ip_block_type arr_types[] = {
+                       AMD_IP_VCE, AMD_IP_VCN_ENC, AMD_IP_VCN_JPEG, AMD_IP_VPE };
+
+       igt_fixture {
+               fd = drm_open_driver(DRIVER_AMDGPU);
+               igt_require(fd != -1);
+       }
+
+       igt_describe("Check user ptr fuzzing with huge size and not valid address");
+       igt_subtest("userptr-fuzzing")
+               amd_gem_userptr_fuzzing(fd);
+
+       igt_describe("Check cs wait fuzzing");
+       igt_subtest("cs-wait-fuzzing")
+               amd_cs_wait_fuzzing(fd, arr_types, ARRAY_SIZE(arr_types));
+
+       igt_fixture {
+               drm_close_driver(fd);
+       }
+}
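Review bot: The only check in amd_gem_userptr_fuzzing is `igt_assert_neq(r, 0)`, and a kernel that still has the use-after-free can satisfy it too, so on a build without KASAN this subtest can pass while the bug is present. The in-function comment hints at that but spells the tool "KAZAN" and does not say what a pass means. I would reword it along the lines of `/* Regression test for a use-after-free; only a KASAN-enabled kernel (CONFIG_KASAN) reports it in dmesg, so a pass on other kernels proves little. */` and fix the same spelling in the two header comments. The other two copies of this file further down the thread carry the same comments.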
diff --git a/tests/amdgpu/meson.build b/tests/amdgpu/meson.build
index a58d18ad3..d7152a356 100644
--- a/tests/amdgpu/meson.build
+++ b/tests/amdgpu/meson.build
@@ -13,6 +13,7 @@ if libdrm_amdgpu.found()
                          'amd_deadlock',
                          'amd_dp_dsc',
                          'amd_freesync_video_mode',
+                         'amd_fuzzing',
                          'amd_hotplug',
                          'amd_gang_cs' ,
                          'amd_ilr',
--
2.25.1



* [PATCH] tests/amdgpu: add fuzzing tests
@ 2024-03-18 18:40 vitaly.prosyak
  2024-03-21  4:13 ` Zhang, Jesse(Jie)
  0 siblings, 1 reply; 8+ messages in thread
From: vitaly.prosyak @ 2024-03-18 18:40 UTC (permalink / raw)
  To: igt-dev
  Cc: Vitaly Prosyak, Alex Deucher, Christian Koenig, Kamil Konieczny,
	Joonkyo Jung, Jesse Zhang

From: Vitaly Prosyak <vitaly.prosyak@amd.com>

Joonkyo Jung was using customized Syzkaller with KASAN
enabled to find the bugs in amdgpu and the drm scheduler.
Those new tests would help to keep the job state machine
of the drm scheduler and amdgpu in the correct state to
ensure that the wrong call sequence or invalid parameters
do not cause a kernel crash.

The sub-test 'user ptr fuzzing' sends
DRM_IOCTL_AMDGPU_GEM_USERPTR the invalid address and
2 GB allocation size.
The sub-test 'cs fuzzing' sends DRM_IOCTL_AMDGPU_WAIT_CS
for several IP types without previously submitted jobs.

v2 : File names in 'meson.build' are sorted alphabetically
     (Kamil)

Cc: Alex Deucher <alexander.deucher@amd.com>
Cc: Christian Koenig <christian.koenig@amd.com>
Cc: Kamil Konieczny <kamil.konieczny@linux.intel.com>
Cc: Joonkyo Jung <joonkyoj@yonsei.ac.kr>
Cc: Jesse Zhang <Jesse.Zhang@amd.com>
Signed-off-by: Vitaly Prosyak <vitaly.prosyak@amd.com>
---
 tests/amdgpu/amd_fuzzing.c | 120 +++++++++++++++++++++++++++++++++++++
 tests/amdgpu/meson.build   |   1 +
 2 files changed, 121 insertions(+)
 create mode 100644 tests/amdgpu/amd_fuzzing.c

diff --git a/tests/amdgpu/amd_fuzzing.c b/tests/amdgpu/amd_fuzzing.c
new file mode 100644
index 000000000..69c9e8dad
--- /dev/null
+++ b/tests/amdgpu/amd_fuzzing.c
@@ -0,0 +1,120 @@
+// SPDX-License-Identifier: MIT
+/*
+ * Copyright 2024 Advanced Micro Devices, Inc.
+ */
+
+#include "lib/amdgpu/amd_memory.h"
+#include "lib/amdgpu/amd_gfx.h"
+#include "lib/ioctl_wrappers.h"
+
+const struct amd_ip_type {
+	const char *name;
+	enum amd_ip_block_type type;
+} amd_ip_type_arr[] = {
+	{"AMD_IP_GFX",		AMD_IP_GFX},
+	{"AMD_IP_COMPUTE",	AMD_IP_COMPUTE},
+	{"AMD_IP_DMA",		AMD_IP_DMA},
+	{"AMD_IP_UVD",		AMD_IP_UVD},
+	{"AMD_IP_VCE",		AMD_IP_VCE},
+	{"AMD_IP_UVD_ENC",	AMD_IP_UVD_ENC},
+	{"AMD_IP_VCN_DEC",	AMD_IP_VCN_DEC},
+	{"AMD_IP_VCN_ENC",	AMD_IP_VCN_ENC},
+	{"AMD_IP_VCN_JPEG",	AMD_IP_VCN_JPEG},
+	{"AMD_IP_VPE",		AMD_IP_VPE},
+	{"AMD_IP_MAX",		AMD_IP_MAX},
+	{},
+};
+
+/*
+ * The bug was found using customized Syzkaller and with Kazan enabled.
+ * It can be triggered by sending a single amdgpu_gem_userptr_ioctl
+ * to the AMDGPU DRM driver on any ASICs with an invalid address and size.
+ * The bug was reported by Joonkyo Jung <joonkyoj@yonsei.ac.kr>.
+ * The following test ensures that the found bug is no longer reproducible.
+ */
+static
+void amd_gem_userptr_fuzzing(int fd)
+{
+	/*
+	 * use-after-free bug in the AMDGPU DRM driver
+	 * fix in amdgpu commit 6dbd33a9c8747dbf1d149484509ad667cbdb3059
+	 * The error dump is available in dmesg only when KAZAN is enabled
+	 */
+
+	struct drm_amdgpu_gem_userptr user_ptr;
+	int r;
+
+	user_ptr.addr = 0xffffffffffff0000;
+	user_ptr.size = 0x80000000; /*2 Gb*/
+	user_ptr.flags = 0x7;
+	r = igt_ioctl(fd, DRM_IOCTL_AMDGPU_GEM_USERPTR, &user_ptr);
+	igt_info("%s DRM_IOCTL_AMDGPU_GEM_USERPTR r %d\n", __func__, r);
+	igt_assert_neq(r, 0);
+}
+
+/*
+ *  The bug was found using customized Syzkaller and with Kazan enabled.
+ *  The bug can be triggered by sending an amdgpu_cs_wait_ioctl for ip types:
+ *  AMD_IP_VCE, AMD_IP_VCN_ENC, AMD_IP_VCN_JPEG, AMD_IP_VPE
+ *  to the AMDGPU DRM driver on any ASICs with valid context.
+ *  The bug was reported by Joonkyo Jung <joonkyoj@yonsei.ac.kr>.
+ *
+ */
+static
+void amd_cs_wait_fuzzing(int fd, const enum amd_ip_block_type types[], int size)
+{
+	/*
+	 * null-ptr-deref and the fix in the DRM scheduler
+	 * The test helps keep the job state machine of the drm scheduler and
+	 * amdgpu in the correct state to ensure that the wrong call sequence does
+	 * not cause a crash.
+	 */
+
+	union drm_amdgpu_ctx ctx;
+	union drm_amdgpu_wait_cs cs_wait;
+	int r, i;
+
+	memset(&ctx, 0, sizeof(union drm_amdgpu_ctx));
+	ctx.in.op = AMDGPU_CTX_OP_ALLOC_CTX;
+	r = igt_ioctl(fd, DRM_IOCTL_AMDGPU_CTX, &ctx);
+	igt_info("%s DRM_IOCTL_AMDGPU_CTX r %d\n", __func__, r);
+	igt_assert_eq(r, 0);
+
+	for (i = 0; i < size; i++) {
+		memset(&cs_wait, 0, sizeof(union drm_amdgpu_wait_cs));
+		cs_wait.in.handle = 0x0;
+		cs_wait.in.timeout = 0x2000000000000;
+		cs_wait.in.ip_instance = 0x0;
+		cs_wait.in.ring = 0x0;
+		cs_wait.in.ctx_id = ctx.out.alloc.ctx_id;
+		cs_wait.in.ip_type = types[i];
+		r = igt_ioctl(fd, DRM_IOCTL_AMDGPU_WAIT_CS, &cs_wait);
+		igt_info("%s AMDGPU_WAIT_CS %s r %d\n", __func__,
+				amd_ip_type_arr[types[i]].name, r);
+		igt_assert_eq(r, 0);
+	}
+}
+
+igt_main
+{
+	int fd = -1;
+	const enum amd_ip_block_type arr_types[] = {
+			AMD_IP_VCE, AMD_IP_VCN_ENC, AMD_IP_VCN_JPEG, AMD_IP_VPE };
+
+	igt_fixture {
+		fd = drm_open_driver(DRIVER_AMDGPU);
+		igt_require(fd != -1);
+	}
+
+	igt_describe("Check user ptr fuzzing with huge size and not valid address");
+	igt_subtest("userptr-fuzzing")
+		amd_gem_userptr_fuzzing(fd);
+
+	igt_describe("Check cs wait fuzzing");
+	igt_subtest("cs-wait-fuzzing")
+		amd_cs_wait_fuzzing(fd, arr_types, ARRAY_SIZE(arr_types));
+
+	igt_fixture {
+		drm_close_driver(fd);
+	}
+}
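Review bot: `user_ptr` in amd_gem_userptr_fuzzing is declared without an initializer and only `addr`, `size` and `flags` are assigned, so any other member of `struct drm_amdgpu_gem_userptr` reaches the ioctl holding whatever was on the stack. amd_cs_wait_fuzzing in the same file clears both of its unions with memset before filling them in. A reproducer should send a fully determined request, for example `struct drm_amdgpu_gem_userptr user_ptr = {0};` or `memset(&user_ptr, 0, sizeof(user_ptr));` ahead of the assignments. The quoted copy of this patch above and the earlier posting below have the same declaration.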
diff --git a/tests/amdgpu/meson.build b/tests/amdgpu/meson.build
index a58d18ad3..d7152a356 100644
--- a/tests/amdgpu/meson.build
+++ b/tests/amdgpu/meson.build
@@ -13,6 +13,7 @@ if libdrm_amdgpu.found()
 			  'amd_deadlock',
 			  'amd_dp_dsc',
 			  'amd_freesync_video_mode',
+			  'amd_fuzzing',
 			  'amd_hotplug',
 			  'amd_gang_cs' ,
 			  'amd_ilr',
-- 
2.25.1



* [PATCH] tests/amdgpu: add fuzzing tests
@ 2024-03-16  3:33 vitaly.prosyak
  0 siblings, 0 replies; 8+ messages in thread
From: vitaly.prosyak @ 2024-03-16  3:33 UTC (permalink / raw)
  To: igt-dev
  Cc: Vitaly Prosyak, Alex Deucher, Christian Koenig, Joonkyo Jung,
	Jesse Zhang

From: Vitaly Prosyak <vitaly.prosyak@amd.com>

Joonkyo Jung was using customized Syzkaller with KASAN
enabled to find the bugs in amdgpu and the drm scheduler.
Those new tests would help to keep the job state machine
of the drm scheduler and amdgpu in the correct state to
ensure that the wrong call sequence or invalid parameters
do not cause a kernel crash.

The sub-test 'user ptr fuzzing' sends
DRM_IOCTL_AMDGPU_GEM_USERPTR the invalid address and
2 GB allocation size.
The sub-test 'cs fuzzing' sends DRM_IOCTL_AMDGPU_WAIT_CS
for several IP types without previously submitted jobs.

Cc: Alex Deucher <alexander.deucher@amd.com>
Cc: Christian Koenig <christian.koenig@amd.com>
Cc: Joonkyo Jung <joonkyoj@yonsei.ac.kr>
Cc: Jesse Zhang <Jesse.Zhang@amd.com>
Signed-off-by: Vitaly Prosyak <vitaly.prosyak@amd.com>
---
 tests/amdgpu/amd_fuzzing.c | 119 +++++++++++++++++++++++++++++++++++++
 tests/amdgpu/meson.build   |   1 +
 2 files changed, 120 insertions(+)
 create mode 100644 tests/amdgpu/amd_fuzzing.c

diff --git a/tests/amdgpu/amd_fuzzing.c b/tests/amdgpu/amd_fuzzing.c
new file mode 100644
index 000000000..d9bd8a072
--- /dev/null
+++ b/tests/amdgpu/amd_fuzzing.c
@@ -0,0 +1,119 @@
+// SPDX-License-Identifier: MIT
+/*
+ * Copyright 2024 Advanced Micro Devices, Inc.
+ */
+
+#include "lib/amdgpu/amd_memory.h"
+#include "lib/amdgpu/amd_gfx.h"
+
+const struct amd_ip_type {
+	const char *name;
+	enum amd_ip_block_type type;
+} amd_ip_type_arr[] = {
+	{"AMD_IP_GFX",		AMD_IP_GFX},
+	{"AMD_IP_COMPUTE",	AMD_IP_COMPUTE},
+	{"AMD_IP_DMA",		AMD_IP_DMA},
+	{"AMD_IP_UVD",		AMD_IP_UVD},
+	{"AMD_IP_VCE",		AMD_IP_VCE},
+	{"AMD_IP_UVD_ENC",	AMD_IP_UVD_ENC},
+	{"AMD_IP_VCN_DEC",	AMD_IP_VCN_DEC},
+	{"AMD_IP_VCN_ENC",	AMD_IP_VCN_ENC},
+	{"AMD_IP_VCN_JPEG",	AMD_IP_VCN_JPEG},
+	{"AMD_IP_VPE",		AMD_IP_VPE},
+	{"AMD_IP_MAX",		AMD_IP_MAX},
+	{},
+};
+
+/*
+ * The bug was found using customized Syzkaller and with Kazan enabled.
+ * It can be triggered by sending a single amdgpu_gem_userptr_ioctl
+ * to the AMDGPU DRM driver on any ASICs with an invalid address and size.
+ * The bug was reported by Joonkyo Jung <joonkyoj@yonsei.ac.kr>.
+ * The following test ensures that the found bug is no longer reproducible.
+ */
+static
+void amd_gem_userptr_fuzzing(int fd)
+{
+	/*
+	 * use-after-free bug in the AMDGPU DRM driver
+	 * fix in amdgpu commit 6dbd33a9c8747dbf1d149484509ad667cbdb3059
+	 * The error dump is available in dmesg only when KAZAN is enabled
+	 */
+
+	struct drm_amdgpu_gem_userptr user_ptr;
+	int r;
+
+	user_ptr.addr = 0xffffffffffff0000;
+	user_ptr.size = 0x80000000; /*2 Gb*/
+	user_ptr.flags = 0x7;
+	r = drmIoctl(fd, DRM_IOCTL_AMDGPU_GEM_USERPTR, &user_ptr);
+	igt_info("%s DRM_IOCTL_AMDGPU_GEM_USERPTR r %d\n", __func__, r);
+	igt_assert_neq(r, 0);
+}
+
+/*
+ *  The bug was found using customized Syzkaller and with Kazan enabled.
+ *  The bug can be triggered by sending an amdgpu_cs_wait_ioctl for ip types:
+ *  AMD_IP_VCE, AMD_IP_VCN_ENC, AMD_IP_VCN_JPEG, AMD_IP_VPE
+ *  to the AMDGPU DRM driver on any ASICs with valid context.
+ *  The bug was reported by Joonkyo Jung <joonkyoj@yonsei.ac.kr>.
+ *
+ */
+static
+void amd_cs_wait_fuzzing(int fd, const enum amd_ip_block_type types[], int size)
+{
+	/*
+	 * null-ptr-deref and the fix in the DRM scheduler
+	 * The test helps keep the job state machine of the drm scheduler and
+	 * amdgpu in the correct state to ensure that the wrong call sequence does
+	 * not cause a crash.
+	 */
+
+	union drm_amdgpu_ctx ctx;
+	union drm_amdgpu_wait_cs cs_wait;
+	int r, i;
+
+	memset(&ctx, 0, sizeof(union drm_amdgpu_ctx));
+	ctx.in.op = AMDGPU_CTX_OP_ALLOC_CTX;
+	r = drmIoctl(fd, DRM_IOCTL_AMDGPU_CTX, &ctx);
+	igt_info("%s DRM_IOCTL_AMDGPU_CTX r %d\n", __func__, r);
+	igt_assert_eq(r, 0);
+
+	for (i = 0; i < size; i++) {
+		memset(&cs_wait, 0, sizeof(union drm_amdgpu_wait_cs));
+		cs_wait.in.handle = 0x0;
+		cs_wait.in.timeout = 0x2000000000000;
+		cs_wait.in.ip_instance = 0x0;
+		cs_wait.in.ring = 0x0;
+		cs_wait.in.ctx_id = ctx.out.alloc.ctx_id;
+		cs_wait.in.ip_type = types[i];
+		r = drmIoctl(fd, DRM_IOCTL_AMDGPU_WAIT_CS, &cs_wait);
+		igt_info("%s AMDGPU_WAIT_CS %s r %d\n", __func__,
+				amd_ip_type_arr[types[i]].name, r);
+		igt_assert_eq(r, 0);
+	}
+}
+
+igt_main
+{
+	int fd = -1;
+	const enum amd_ip_block_type arr_types[] = {
+			AMD_IP_VCE, AMD_IP_VCN_ENC, AMD_IP_VCN_JPEG, AMD_IP_VPE };
+
+	igt_fixture {
+		fd = drm_open_driver(DRIVER_AMDGPU);
+		igt_require(fd != -1);
+	}
+
+	igt_describe("Check user ptr fuzzing with huge size and not valid address");
+	igt_subtest("userptr-fuzzing")
+		amd_gem_userptr_fuzzing(fd);
+
+	igt_describe("Check cs wait fuzzing");
+	igt_subtest("cs-wait-fuzzing")
+		amd_cs_wait_fuzzing(fd, arr_types, ARRAY_SIZE(arr_types));
+
+	igt_fixture {
+		drm_close_driver(fd);
+	}
+}
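Review bot: The igt_info call in amd_cs_wait_fuzzing looks the name up as `amd_ip_type_arr[types[i]].name`, using the enum's numeric value as an array index, while the `type` member stored in every row is never read. That is right only as long as the rows stay in the same order and density as `enum amd_ip_block_type`, which is defined outside this hunk; if the enum changes, the log prints the wrong name or reads past the table. Looking the entry up by `.type` and stopping at the `{}` sentinel removes that coupling, and the table can be `static` since nothing outside this file uses it. The two later postings of the patch in this thread have the same lookup.

```c
static const char *amd_ip_type_name(enum amd_ip_block_type type)
{
	const struct amd_ip_type *it;

	/* The table ends with an all-zero row, so a NULL name marks the end. */
	for (it = amd_ip_type_arr; it->name; it++) {
		if (it->type == type)
			return it->name;
	}
	return "unknown";
}

/* … unchanged: context allocation and wait_cs setup in amd_cs_wait_fuzzing … */
		igt_info("%s AMDGPU_WAIT_CS %s r %d\n", __func__,
				amd_ip_type_name(types[i]), r);
```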
diff --git a/tests/amdgpu/meson.build b/tests/amdgpu/meson.build
index a58d18ad3..ce3ba5520 100644
--- a/tests/amdgpu/meson.build
+++ b/tests/amdgpu/meson.build
@@ -12,6 +12,7 @@ if libdrm_amdgpu.found()
 			  'amd_cs_nop',
 			  'amd_deadlock',
 			  'amd_dp_dsc',
+			  'amd_fuzzing',
 			  'amd_freesync_video_mode',
 			  'amd_hotplug',
 			  'amd_gang_cs' ,
-- 
2.25.1


