* [PATCH] drm/nouveau: bail out of nouveau_channel_new if channel init fails
From: Frantisek Hrbata @ 2020-08-28 9:28 UTC
To: nouveau-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW; +Cc: Ben Skeggs

Unprivileged user can crash kernel by using DRM_IOCTL_NOUVEAU_CHANNEL_ALLOC
ioctl. This was reported by trinity[1] fuzzer.

[ 71.073906] nouveau 0000:01:00.0: crashme[1329]: channel failed to initialise, -17
[ 71.081730] BUG: kernel NULL pointer dereference, address: 00000000000000a0
[ 71.088928] #PF: supervisor read access in kernel mode
[ 71.094059] #PF: error_code(0x0000) - not-present page
[ 71.099189] PGD 119590067 P4D 119590067 PUD 1054f5067 PMD 0
[ 71.104842] Oops: 0000 [#1] SMP NOPTI
[ 71.108498] CPU: 2 PID: 1329 Comm: crashme Not tainted 5.8.0-rc6+ #2
[ 71.114993] Hardware name: AMD Pike/Pike, BIOS RPK1506A 09/03/2014
[ 71.121213] RIP: 0010:nouveau_abi16_ioctl_channel_alloc+0x108/0x380 [nouveau]
[ 71.128339] Code: 48 89 9d f0 00 00 00 41 8b 4c 24 04 41 8b 14 24 45 31 c0 4c 8d 4b 10 48 89 ee 4c 89 f7 e8 10 11 00 00 85 c0 75 78 48 8b 43 10 <8b> 90 a0 00 00 00 41 89 54 24 08 80 7d 3d 05 0f 86 bb 01 00 00 41
[ 71.147074] RSP: 0018:ffffb4a1809cfd38 EFLAGS: 00010246
[ 71.152526] RAX: 0000000000000000 RBX: ffff98cedbaa1d20 RCX: 00000000000003bf
[ 71.159651] RDX: 00000000000003be RSI: 0000000000000000 RDI: 0000000000030160
[ 71.166774] RBP: ffff98cee776de00 R08: ffffdc0144198a08 R09: ffff98ceeefd4000
[ 71.173901] R10: ffff98cee7e81780 R11: 0000000000000001 R12: ffffb4a1809cfe08
[ 71.181214] R13: ffff98cee776d000 R14: ffff98cec519e000 R15: ffff98cee776def0
[ 71.188339] FS: 00007fd926250500(0000) GS:ffff98ceeac80000(0000) knlGS:0000000000000000
[ 71.196418] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 71.202155] CR2: 00000000000000a0 CR3: 0000000106622000 CR4: 00000000000406e0
[ 71.209297] Call Trace:
[ 71.211777] ? nouveau_abi16_ioctl_getparam+0x1f0/0x1f0 [nouveau]
[ 71.218053] drm_ioctl_kernel+0xac/0xf0 [drm]
[ 71.222421] drm_ioctl+0x211/0x3c0 [drm]
[ 71.226379] ? nouveau_abi16_ioctl_getparam+0x1f0/0x1f0 [nouveau]
[ 71.232500] nouveau_drm_ioctl+0x57/0xb0 [nouveau]
[ 71.237285] ksys_ioctl+0x86/0xc0
[ 71.240595] __x64_sys_ioctl+0x16/0x20
[ 71.244340] do_syscall_64+0x4c/0x90
[ 71.248110] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 71.253162] RIP: 0033:0x7fd925d4b88b
[ 71.256731] Code: Bad RIP value.
[ 71.259955] RSP: 002b:00007ffc743592d8 EFLAGS: 00000206 ORIG_RAX: 0000000000000010
[ 71.267514] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fd925d4b88b
[ 71.274637] RDX: 0000000000601080 RSI: 00000000c0586442 RDI: 0000000000000003
[ 71.281986] RBP: 00007ffc74359340 R08: 00007fd926016ce0 R09: 00007fd926016ce0
[ 71.289111] R10: 0000000000000003 R11: 0000000000000206 R12: 0000000000400620
[ 71.296235] R13: 00007ffc74359420 R14: 0000000000000000 R15: 0000000000000000
[ 71.303361] Modules linked in: rfkill sunrpc snd_hda_codec_realtek snd_hda_codec_generic ledtrig_audio snd_hda_intel snd_intel_dspcfg snd_hda_codec snd_hda_core edac_mce_amd snd_hwdep kvm_amd snd_seq ccp snd_seq_device snd_pcm kvm snd_timer snd irqbypass soundcore sp5100_tco pcspkr crct10dif_pclmul crc32_pclmul ghash_clmulni_intel wmi_bmof joydev i2c_piix4 fam15h_power k10temp acpi_cpufreq ip_tables xfs libcrc32c sd_mod t10_pi sg nouveau video mxm_wmi i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm broadcom bcm_phy_lib ata_generic ahci drm e1000 crc32c_intel libahci serio_raw tg3 libata firewire_ohci firewire_core wmi crc_itu_t dm_mirror dm_region_hash dm_log dm_mod
[ 71.365269] CR2: 00000000000000a0

simplified reproducer
---------------------------------8<----------------------------------------
/*
 * gcc -o crashme crashme.c
 * ./crashme /dev/dri/renderD128
 */

struct drm_nouveau_channel_alloc {
	uint32_t fb_ctxdma_handle;
	uint32_t tt_ctxdma_handle;

	int channel;
	uint32_t pushbuf_domains;

	/* Notifier memory */
	uint32_t notifier_handle;

	/* DRM-enforced subchannel assignments */
	struct {
		uint32_t handle;
		uint32_t grclass;
	} subchan[8];
	uint32_t nr_subchan;
};

static struct drm_nouveau_channel_alloc channel;

int main(int argc, char *argv[]) {
	int fd;
	int rv;

	if (argc != 2)
		die("usage: %s <dev>", 0, argv[0]);

	if ((fd = open(argv[1], O_RDONLY)) == -1)
		die("open %s", errno, argv[1]);

	if (ioctl(fd, DRM_IOCTL_NOUVEAU_CHANNEL_ALLOC, &channel) == -1 &&
	    errno == EACCES)
		die("ioctl %s", errno, argv[1]);

	close(fd);

	printf("PASS\n");

	return 0;
}
---------------------------------8<----------------------------------------

[1] https://github.com/kernelslacker/trinity

Fixes: eeaf06ac1a55 ("drm/nouveau/svm: initial support for shared virtual memory")
Signed-off-by: Frantisek Hrbata <frantisek-ktf8V493EB/QT0dZR+AlfA@public.gmane.org>
---
 drivers/gpu/drm/nouveau/nouveau_chan.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/gpu/drm/nouveau/nouveau_chan.c b/drivers/gpu/drm/nouveau/nouveau_chan.c
index b80e4ebf1..a7a47b325 100644
--- a/drivers/gpu/drm/nouveau/nouveau_chan.c
+++ b/drivers/gpu/drm/nouveau/nouveau_chan.c
@@ -533,6 +533,7 @@ nouveau_channel_new(struct nouveau_drm *drm, struct nvif_device *device,
 	if (ret) {
 		NV_PRINTK(err, cli, "channel failed to initialise, %d\n", ret);
 		nouveau_channel_del(pchan);
+		goto done;
 	}
 
 	ret = nouveau_svmm_join((*pchan)->vmm->svmm, (*pchan)->inst);
-- 
Frantisek Hrbata
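Review bot: the added `goto done;` is the right fix at this point in the hunk, because `nouveau_channel_del(pchan);` tears down the channel and the very next statement, `ret = nouveau_svmm_join((*pchan)->vmm->svmm, (*pchan)->inst);`, would otherwise read through the pointer that was just released; the oops above shows the resulting NULL read (address 0xa0) surfacing in the ioctl caller nouveau_abi16_ioctl_channel_alloc after "channel failed to initialise, -17". Two things worth confirming before merging: the `done:` label is outside the hunk, so check that it returns `ret` unchanged so the caller sees the original init error rather than success with a NULL channel; and since the Fixes: tag names eeaf06ac1a55 and the path is reachable through a render-node ioctl by an unprivileged user, a Cc: stable tag on the commit would save a separate backport request.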
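The error path the patch closes, as an added example that is not part of this thread or of nouveau's code: a small userspace model in which the cleanup helper frees the object and NULLs the caller's pointer, run once with the pre-patch fall-through and once with the `goto done`. Every name here (`channel_new`, `channel_del`, `channel_init`, `svmm_join`, `chan_svmm`) is a hypothetical stand-in for the nouveau symbol of the same shape, and the fault flag in `chan_svmm` replaces the real NULL dereference so that both flows can be executed and compared.

```c
/* Added example, not nouveau's code: a userspace model of the error path the
 * patch fixes. channel_del() frees the channel and clears the caller's
 * pointer, so anything that still reads *pchan afterwards is a NULL
 * dereference. To let the pre-patch flow run, chan_svmm() records a fault
 * instead of crashing. All names are hypothetical stand-ins. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

struct svmm { int joined; };
struct vmm { struct svmm *svmm; };
struct channel { struct vmm *vmm; unsigned long inst; };

/* Mirrors nouveau_channel_del(): release the object and NULL the pointer. */
static void channel_del(struct channel **pchan)
{
	free(*pchan);
	*pchan = NULL;
}

/* Stand-in for channel init; fail_init forces the -EEXIST (-17) from the oops. */
static int channel_init(struct channel *chan, int fail_init)
{
	(void)chan;
	return fail_init ? -EEXIST : 0;
}

static int svmm_join(struct svmm *svmm)
{
	if (svmm)
		svmm->joined = 1;
	return 0;
}

/* Reads chan->vmm->svmm, but records a fault instead of crashing when chan
 * is NULL; this is what lets the unfixed flow be exercised in a test. */
static struct svmm *chan_svmm(struct channel *chan, int *faulted)
{
	if (!chan) {
		*faulted = 1;
		return NULL;
	}
	return chan->vmm->svmm;
}

/* Constructor with the control flow before and after the patch; 'fixed'
 * selects whether the error path bails out right after cleanup. */
static int channel_new(struct vmm *vmm, int fail_init, int fixed,
		       struct channel **pchan, int *faulted)
{
	int ret;

	*faulted = 0;
	*pchan = calloc(1, sizeof(**pchan));
	if (!*pchan)
		return -ENOMEM;
	(*pchan)->vmm = vmm;

	ret = channel_init(*pchan, fail_init);
	if (ret) {
		fprintf(stderr, "channel failed to initialise, %d\n", ret);
		channel_del(pchan);
		if (fixed)
			goto done;	/* the patch's one-line fix */
		/* unfixed: fall through with *pchan == NULL */
	}
	ret = svmm_join(chan_svmm(*pchan, faulted));
done:
	return ret;
}

/* What a caller observes after an init failure: the return code, whether the
 * out-pointer is NULL, and whether the freed channel was touched on the way out. */
struct outcome { int ret; int chan_is_null; int faulted; };

struct outcome init_failure(int fixed)
{
	struct svmm s = { 0 };
	struct vmm v = { &s };
	struct channel *chan = NULL;
	struct outcome o;

	o.ret = channel_new(&v, 1, fixed, &chan, &o.faulted);
	o.chan_is_null = (chan == NULL);
	channel_del(&chan);	/* free(NULL) is a no-op */
	return o;
}

/* Happy path: init succeeds, the channel joins the svmm and is handed back. */
int success_path(void)
{
	struct svmm s = { 0 };
	struct vmm v = { &s };
	struct channel *chan = NULL;
	int faulted, ret;

	ret = channel_new(&v, 0, 1, &chan, &faulted);
	if (ret || !chan || faulted || !s.joined)
		return 0;
	channel_del(&chan);
	return 1;
}

int main(void)
{
	struct outcome before = init_failure(0), after = init_failure(1);

	printf("unfixed: ret=%d chan NULL=%d touched freed chan=%d\n",
	       before.ret, before.chan_is_null, before.faulted);
	printf("fixed:   ret=%d chan NULL=%d touched freed chan=%d\n",
	       after.ret, after.chan_is_null, after.faulted);
	return success_path() ? 0 : 1;
}
```

The unfixed run reports success (ret 0) while leaving the channel pointer NULL and having read through the freed object, which is the state the ioctl handler in the oops goes on to dereference; the fixed run returns the init error unchanged with the pointer NULL and nothing touched. The shape to look for when auditing other error paths is the same: a destructor that clears the caller's pointer followed by code that still reads it.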
* Re: [PATCH] drm/nouveau: bail out of nouveau_channel_new if channel init fails
From: Karol Herbst @ 2020-08-28 17:36 UTC
To: Frantisek Hrbata; +Cc: nouveau, Ben Skeggs

On Fri, Aug 28, 2020 at 2:05 PM Frantisek Hrbata
<frantisek-ktf8V493EB/QT0dZR+AlfA@public.gmane.org> wrote:
>
> Unprivileged user can crash kernel by using DRM_IOCTL_NOUVEAU_CHANNEL_ALLOC
> ioctl. This was reported by trinity[1] fuzzer.
>
> [...]
>
> Fixes: eeaf06ac1a55 ("drm/nouveau/svm: initial support for shared virtual memory")
> Signed-off-by: Frantisek Hrbata <frantisek-ktf8V493EB/QT0dZR+AlfA@public.gmane.org>
>
> [...]
>
> --
> Frantisek Hrbata

Reviewed-by: Karol Herbst <kherbst-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
* Re: [PATCH] drm/nouveau: bail out of nouveau_channel_new if channel init fails
From: Frantisek Hrbata @ 2020-08-28 18:29 UTC
To: nouveau-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW; +Cc: Ben Skeggs

Hi,

I'm sorry for another email, but it seems that all lines in the reproducer
starting with '#' got trimmed as they were comments. Probably something I did
on my side :(. Would it be possible to fix this in the commit msg or do you
prefer v2?

Thank you

simplified reproducer
---------------------------------8<----------------------------------------
/*
 * gcc -o crashme crashme.c
 * ./crashme /dev/dri/renderD128
 */

#include <sys/types.h>
#include <sys/stat.h>
#include <stdlib.h>
#include <stdio.h>
#include <fcntl.h>
#include <errno.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <drm/drm.h>
#include <drm/nouveau_drm.h>
#include <inttypes.h>
#include <string.h>
#include <error.h>

#define die(format, err, ...) error(1, err, format, ## __VA_ARGS__)

#ifndef DRM_IOCTL_NOUVEAU_CHANNEL_ALLOC
struct drm_nouveau_channel_alloc {
	uint32_t fb_ctxdma_handle;
	uint32_t tt_ctxdma_handle;

	int channel;
	uint32_t pushbuf_domains;

	/* Notifier memory */
	uint32_t notifier_handle;

	/* DRM-enforced subchannel assignments */
	struct {
		uint32_t handle;
		uint32_t grclass;
	} subchan[8];
	uint32_t nr_subchan;
};

#define DRM_IOCTL_NOUVEAU_CHANNEL_ALLOC DRM_IOWR(DRM_COMMAND_BASE + DRM_NOUVEAU_CHANNEL_ALLOC, struct drm_nouveau_channel_alloc)
#endif

static struct drm_nouveau_channel_alloc channel;

int main(int argc, char *argv[]) {
	int fd;
	int rv;

	if (argc != 2)
		die("usage: %s <dev>", 0, argv[0]);

	if ((fd = open(argv[1], O_RDONLY)) == -1)
		die("open %s", errno, argv[1]);

	if (ioctl(fd, DRM_IOCTL_NOUVEAU_CHANNEL_ALLOC, &channel) == -1 &&
	    errno == EACCES)
		die("ioctl %s", errno, argv[1]);

	close(fd);

	printf("PASS\n");

	return 0;
}
---------------------------------8<----------------------------------------

-- 
Frantisek Hrbata
* Re: [PATCH] drm/nouveau: bail out of nouveau_channel_new if channel init fails
From: Salvatore Bonaccorso @ 2020-11-15 9:10 UTC
To: nouveau-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW; +Cc: Frantisek Hrbata

Hi,

On Fri, Aug 28, 2020 at 11:28:46AM +0200, Frantisek Hrbata wrote:
> Unprivileged user can crash kernel by using DRM_IOCTL_NOUVEAU_CHANNEL_ALLOC
> ioctl. This was reported by trinity[1] fuzzer.
>
> [...]
>
> Fixes: eeaf06ac1a55 ("drm/nouveau/svm: initial support for shared virtual memory")
> Signed-off-by: Frantisek Hrbata <frantisek at hrbata.com>
>
> [...]
>
> --
> Frantisek Hrbata

Is this still planned to be applied? AFAICS this is the fix for
CVE-2020-25639.

Regards,
Salvatore
* Re: [PATCH] drm/nouveau: bail out of nouveau_channel_new if channel init fails
From: Karol Herbst @ 2020-11-15 19:18 UTC
To: Salvatore Bonaccorso; +Cc: nouveau, dri-devel, Frantisek Hrbata, Daniel Vetter

On Sun, Nov 15, 2020 at 6:43 PM Salvatore Bonaccorso
<carnil-8fiUuRrzOP0dnm+yROfE0A@public.gmane.org> wrote:
>
> Hi,
>
> On Fri, Aug 28, 2020 at 11:28:46AM +0200, Frantisek Hrbata wrote:
> > Unprivileged user can crash kernel by using DRM_IOCTL_NOUVEAU_CHANNEL_ALLOC
> > ioctl. This was reported by trinity[1] fuzzer.
> >
> > [...]
> >
> > --
> > Frantisek Hrbata
>
> Is this still planned to be applied? AFAICS this is the fix for
> CVE-2020-25639.
>

If it's urgent to get it fixed, I suggest going through the Linux
kernel or drm stable path. CCing dri-devel, Dave, Daniel and Ben.

> Regards,
> Salvatore
* Re: [PATCH] drm/nouveau: bail out of nouveau_channel_new if channel init fails [not found] ` <CACO55tvwtYj0QGFy3Bk5-13bm7cjHGko3WegY1fFbtf0WckQyQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org> @ 2020-11-15 23:04 ` Ben Skeggs 2021-02-07 13:35 ` [Nouveau] " Salvatore Bonaccorso 0 siblings, 1 reply; 7+ messages in thread 
From: Ben Skeggs @ 2020-11-15 23:04 UTC (permalink / raw) To: Karol Herbst Cc: nouveau, dri-devel, Frantisek Hrbata, Daniel Vetter, Salvatore Bonaccorso On Mon, 16 Nov 2020 at 05:19, Karol Herbst <kherbst-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> wrote: > > On Sun, Nov 15, 2020 at 6:43 PM Salvatore Bonaccorso <carnil-8fiUuRrzOP0dnm+yROfE0A@public.gmane.org> wrote: > > > > Hi, > > > > On Fri, Aug 28, 2020 at 11:28:46AM +0200, Frantisek Hrbata wrote: > > > Unprivileged user can crash kernel by using DRM_IOCTL_NOUVEAU_CHANNEL_ALLOC > > > ioctl. This was reported by trinity[1] fuzzer. > > > > > > [ 71.073906] nouveau 0000:01:00.0: crashme[1329]: channel failed to initialise, -17 > > > [ 71.081730] BUG: kernel NULL pointer dereference, address: 00000000000000a0 > > > [ 71.088928] #PF: supervisor read access in kernel mode > > > [ 71.094059] #PF: error_code(0x0000) - not-present page > > > [ 71.099189] PGD 119590067 P4D 119590067 PUD 1054f5067 PMD 0 > > > [ 71.104842] Oops: 0000 [#1] SMP NOPTI > > > [ 71.108498] CPU: 2 PID: 1329 Comm: crashme Not tainted 5.8.0-rc6+ #2 > > > [ 71.114993] Hardware name: AMD Pike/Pike, BIOS RPK1506A 09/03/2014 > > > [ 71.121213] RIP: 0010:nouveau_abi16_ioctl_channel_alloc+0x108/0x380 [nouveau] > > > [ 71.128339] Code: 48 89 9d f0 00 00 00 41 8b 4c 24 04 41 8b 14 24 45 31 c0 4c 8d 4b 10 48 89 ee 4c 89 f7 e8 10 11 00 00 85 c0 75 78 48 8b 43 10 <8b> 90 a0 00 00 00 41 89 54 24 08 80 7d 3d 05 0f 86 bb 01 00 00 41 > > > [ 71.147074] RSP: 0018:ffffb4a1809cfd38 EFLAGS: 00010246 > > > [ 71.152526] RAX: 0000000000000000 RBX: ffff98cedbaa1d20 RCX: 00000000000003bf > > > [ 71.159651] RDX: 00000000000003be RSI: 0000000000000000 RDI: 0000000000030160 > > > [ 71.166774] RBP: ffff98cee776de00 R08: ffffdc0144198a08 R09: ffff98ceeefd4000 > > > [ 71.173901] R10: ffff98cee7e81780 R11: 0000000000000001 R12: ffffb4a1809cfe08 > > > [ 71.181214] R13: ffff98cee776d000 R14: ffff98cec519e000 R15: ffff98cee776def0 > > > [ 71.188339] FS: 00007fd926250500(0000) 
GS:ffff98ceeac80000(0000) knlGS:0000000000000000
> > > [ 71.196418] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > > [ 71.202155] CR2: 00000000000000a0 CR3: 0000000106622000 CR4: 00000000000406e0
> > > [ 71.209297] Call Trace:
> > > [ 71.211777] ? nouveau_abi16_ioctl_getparam+0x1f0/0x1f0 [nouveau]
> > > [ 71.218053] drm_ioctl_kernel+0xac/0xf0 [drm]
> > > [ 71.222421] drm_ioctl+0x211/0x3c0 [drm]
> > > [ 71.226379] ? nouveau_abi16_ioctl_getparam+0x1f0/0x1f0 [nouveau]
> > > [ 71.232500] nouveau_drm_ioctl+0x57/0xb0 [nouveau]
> > > [ 71.237285] ksys_ioctl+0x86/0xc0
> > > [ 71.240595] __x64_sys_ioctl+0x16/0x20
> > > [ 71.244340] do_syscall_64+0x4c/0x90
> > > [ 71.248110] entry_SYSCALL_64_after_hwframe+0x44/0xa9
> > > [ 71.253162] RIP: 0033:0x7fd925d4b88b
> > > [ 71.256731] Code: Bad RIP value.
> > > [ 71.259955] RSP: 002b:00007ffc743592d8 EFLAGS: 00000206 ORIG_RAX: 0000000000000010
> > > [ 71.267514] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fd925d4b88b
> > > [ 71.274637] RDX: 0000000000601080 RSI: 00000000c0586442 RDI: 0000000000000003
> > > [ 71.281986] RBP: 00007ffc74359340 R08: 00007fd926016ce0 R09: 00007fd926016ce0
> > > [ 71.289111] R10: 0000000000000003 R11: 0000000000000206 R12: 0000000000400620
> > > [ 71.296235] R13: 00007ffc74359420 R14: 0000000000000000 R15: 0000000000000000
> > > [ 71.303361] Modules linked in: rfkill sunrpc snd_hda_codec_realtek snd_hda_codec_generic ledtrig_audio snd_hda_intel snd_intel_dspcfg snd_hda_codec snd_hda_core edac_mce_amd snd_hwdep kvm_amd snd_seq ccp snd_seq_device snd_pcm kvm snd_timer snd irqbypass soundcore sp5100_tco pcspkr crct10dif_pclmul crc32_pclmul ghash_clmulni_intel wmi_bmof joydev i2c_piix4 fam15h_power k10temp acpi_cpufreq ip_tables xfs libcrc32c sd_mod t10_pi sg nouveau video mxm_wmi i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm broadcom bcm_phy_lib ata_generic ahci drm e1000 crc32c_intel libahci serio_raw tg3 libata firewire_ohci firewire_core wmi crc_itu_t dm_mirror dm_region_hash dm_log dm_mod
> > > [ 71.365269] CR2: 00000000000000a0
> > >
> > > simplified reproducer
> > > ---------------------------------8<----------------------------------------
> > > /*
> > >  * gcc -o crashme crashme.c
> > >  * ./crashme /dev/dri/renderD128
> > >  */
> > >
> > > struct drm_nouveau_channel_alloc {
> > > 	uint32_t fb_ctxdma_handle;
> > > 	uint32_t tt_ctxdma_handle;
> > >
> > > 	int channel;
> > > 	uint32_t pushbuf_domains;
> > >
> > > 	/* Notifier memory */
> > > 	uint32_t notifier_handle;
> > >
> > > 	/* DRM-enforced subchannel assignments */
> > > 	struct {
> > > 		uint32_t handle;
> > > 		uint32_t grclass;
> > > 	} subchan[8];
> > > 	uint32_t nr_subchan;
> > > };
> > >
> > > static struct drm_nouveau_channel_alloc channel;
> > >
> > > int main(int argc, char *argv[]) {
> > > 	int fd;
> > > 	int rv;
> > >
> > > 	if (argc != 2)
> > > 		die("usage: %s <dev>", 0, argv[0]);
> > >
> > > 	if ((fd = open(argv[1], O_RDONLY)) == -1)
> > > 		die("open %s", errno, argv[1]);
> > >
> > > 	if (ioctl(fd, DRM_IOCTL_NOUVEAU_CHANNEL_ALLOC, &channel) == -1 &&
> > > 	    errno == EACCES)
> > > 		die("ioctl %s", errno, argv[1]);
> > >
> > > 	close(fd);
> > >
> > > 	printf("PASS\n");
> > >
> > > 	return 0;
> > > }
> > > ---------------------------------8<----------------------------------------
> > >
> > > [1] https://github.com/kernelslacker/trinity
> > >
> > > Fixes: eeaf06ac1a55 ("drm/nouveau/svm: initial support for shared virtual memory")
> > > Signed-off-by: Frantisek Hrbata <frantisek at hrbata.com>
> > > ---
> > > drivers/gpu/drm/nouveau/nouveau_chan.c | 1 +
> > > 1 file changed, 1 insertion(+)
> > >
> > > diff --git a/drivers/gpu/drm/nouveau/nouveau_chan.c b/drivers/gpu/drm/nouveau/nouveau_chan.c
> > > index b80e4ebf1..a7a47b325 100644
> > > --- a/drivers/gpu/drm/nouveau/nouveau_chan.c
> > > +++ b/drivers/gpu/drm/nouveau/nouveau_chan.c
> > > @@ -533,6 +533,7 @@ nouveau_channel_new(struct nouveau_drm *drm, struct nvif_device *device,
> > > if (ret) {
> > > NV_PRINTK(err, cli, "channel failed to initialise, %d\n", ret);
> > > nouveau_channel_del(pchan);
> > > + goto done;
> > > }
> > >
> > > ret = nouveau_svmm_join((*pchan)->vmm->svmm, (*pchan)->inst);
> > > --
> > > Frantisek Hrbata
> >
> > Is this still planned to be applied? AFAICS this is the fix for
> > CVE-2020-25639.
> >
>
> If it's urgent to get it fixed, I suggest going through the Linux
> kernel or drm stable path. CCing dri-devel, Dave, Daniel and Ben.
Missed this. I'll grab it today and send it with the next -fixes.

Ben.

> > Regards,
> > Salvatore
> > _______________________________________________
> > Nouveau mailing list
> > Nouveau-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW@public.gmane.org
> > https://lists.freedesktop.org/mailman/listinfo/nouveau
>
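Review bot: the commit message shows the oops and the reproducer but never states the mechanism the one-line change addresses, and the hunk makes it clear: when `ret` is nonzero the old code called `nouveau_channel_del(pchan);` and then fell straight through to `ret = nouveau_svmm_join((*pchan)->vmm->svmm, (*pchan)->inst);`, dereferencing the channel it had just torn down and overwriting the error in `ret`, so the caller could get a success return with no usable channel, which is consistent with the NULL pointer dereference at offset 0xa0 inside nouveau_abi16_ioctl_channel_alloc in the trace. One sentence saying that would make the `+ goto done;` self-explanatory for stable backporters, and it is worth noting there that every nonzero `ret` from channel init took this path, not only the -17 (EEXIST) case the reproducer happens to trigger.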
* Re: [Nouveau] [PATCH] drm/nouveau: bail out of nouveau_channel_new if channel init fails 2020-11-15 23:04 ` Ben Skeggs @ 2021-02-07 13:35 ` Salvatore Bonaccorso 0 siblings, 0 replies; 7+ messages in thread 
From: Salvatore Bonaccorso @ 2021-02-07 13:35 UTC (permalink / raw)
To: Ben Skeggs; +Cc: nouveau, dri-devel, Frantisek Hrbata, Daniel Vetter

Hi Ben,

On Mon, Nov 16, 2020 at 09:04:32AM +1000, Ben Skeggs wrote:
> On Mon, 16 Nov 2020 at 05:19, Karol Herbst <kherbst@redhat.com> wrote:
> >
> > On Sun, Nov 15, 2020 at 6:43 PM Salvatore Bonaccorso <carnil@debian.org> wrote:
> > >
> > > Hi,
> > >
> > > On Fri, Aug 28, 2020 at 11:28:46AM +0200, Frantisek Hrbata wrote:
> > > > Unprivileged user can crash kernel by using DRM_IOCTL_NOUVEAU_CHANNEL_ALLOC
> > > > ioctl. This was reported by trinity[1] fuzzer.
> > > >
> > > > [ 71.073906] nouveau 0000:01:00.0: crashme[1329]: channel failed to initialise, -17
> > > > [ 71.081730] BUG: kernel NULL pointer dereference, address: 00000000000000a0
> > > > [ 71.088928] #PF: supervisor read access in kernel mode
> > > > [ 71.094059] #PF: error_code(0x0000) - not-present page
> > > > [ 71.099189] PGD 119590067 P4D 119590067 PUD 1054f5067 PMD 0
> > > > [ 71.104842] Oops: 0000 [#1] SMP NOPTI
> > > > [ 71.108498] CPU: 2 PID: 1329 Comm: crashme Not tainted 5.8.0-rc6+ #2
> > > > [ 71.114993] Hardware name: AMD Pike/Pike, BIOS RPK1506A 09/03/2014
> > > > [ 71.121213] RIP: 0010:nouveau_abi16_ioctl_channel_alloc+0x108/0x380 [nouveau]
> > > > [ 71.128339] Code: 48 89 9d f0 00 00 00 41 8b 4c 24 04 41 8b 14 24 45 31 c0 4c 8d 4b 10 48 89 ee 4c 89 f7 e8 10 11 00 00 85 c0 75 78 48 8b 43 10 <8b> 90 a0 00 00 00 41 89 54 24 08 80 7d 3d 05 0f 86 bb 01 00 00 41
> > > > [ 71.147074] RSP: 0018:ffffb4a1809cfd38 EFLAGS: 00010246
> > > > [ 71.152526] RAX: 0000000000000000 RBX: ffff98cedbaa1d20 RCX: 00000000000003bf
> > > > [ 71.159651] RDX: 00000000000003be RSI: 0000000000000000 RDI: 0000000000030160
> > > > [ 71.166774] RBP: ffff98cee776de00 R08: ffffdc0144198a08 R09: ffff98ceeefd4000
> > > > [ 71.173901] R10: ffff98cee7e81780 R11: 0000000000000001 R12: ffffb4a1809cfe08
> > > > [ 71.181214] R13: ffff98cee776d000 R14: ffff98cec519e000 R15: ffff98cee776def0
> > > > [ 71.188339] FS: 00007fd926250500(0000) GS:ffff98ceeac80000(0000) knlGS:0000000000000000
> > > > [ 71.196418] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > > > [ 71.202155] CR2: 00000000000000a0 CR3: 0000000106622000 CR4: 00000000000406e0
> > > > [ 71.209297] Call Trace:
> > > > [ 71.211777] ? nouveau_abi16_ioctl_getparam+0x1f0/0x1f0 [nouveau]
> > > > [ 71.218053] drm_ioctl_kernel+0xac/0xf0 [drm]
> > > > [ 71.222421] drm_ioctl+0x211/0x3c0 [drm]
> > > > [ 71.226379] ? nouveau_abi16_ioctl_getparam+0x1f0/0x1f0 [nouveau]
> > > > [ 71.232500] nouveau_drm_ioctl+0x57/0xb0 [nouveau]
> > > > [ 71.237285] ksys_ioctl+0x86/0xc0
> > > > [ 71.240595] __x64_sys_ioctl+0x16/0x20
> > > > [ 71.244340] do_syscall_64+0x4c/0x90
> > > > [ 71.248110] entry_SYSCALL_64_after_hwframe+0x44/0xa9
> > > > [ 71.253162] RIP: 0033:0x7fd925d4b88b
> > > > [ 71.256731] Code: Bad RIP value.
> > > > [ 71.259955] RSP: 002b:00007ffc743592d8 EFLAGS: 00000206 ORIG_RAX: 0000000000000010
> > > > [ 71.267514] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fd925d4b88b
> > > > [ 71.274637] RDX: 0000000000601080 RSI: 00000000c0586442 RDI: 0000000000000003
> > > > [ 71.281986] RBP: 00007ffc74359340 R08: 00007fd926016ce0 R09: 00007fd926016ce0
> > > > [ 71.289111] R10: 0000000000000003 R11: 0000000000000206 R12: 0000000000400620
> > > > [ 71.296235] R13: 00007ffc74359420 R14: 0000000000000000 R15: 0000000000000000
> > > > [ 71.303361] Modules linked in: rfkill sunrpc snd_hda_codec_realtek snd_hda_codec_generic ledtrig_audio snd_hda_intel snd_intel_dspcfg snd_hda_codec snd_hda_core edac_mce_amd snd_hwdep kvm_amd snd_seq ccp snd_seq_device snd_pcm kvm snd_timer snd irqbypass soundcore sp5100_tco pcspkr crct10dif_pclmul crc32_pclmul ghash_clmulni_intel wmi_bmof joydev i2c_piix4 fam15h_power k10temp acpi_cpufreq ip_tables xfs libcrc32c sd_mod t10_pi sg nouveau video mxm_wmi i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm broadcom bcm_phy_lib ata_generic ahci drm e1000 crc32c_intel libahci serio_raw tg3 libata firewire_ohci firewire_core wmi crc_itu_t dm_mirror dm_region_hash dm_log dm_mod
> > > > [ 71.365269] CR2: 00000000000000a0
> > > >
> > > > simplified reproducer
> > > > ---------------------------------8<----------------------------------------
> > > > /*
> > > >  * gcc -o crashme crashme.c
> > > >  * ./crashme /dev/dri/renderD128
> > > >  */
> > > >
> > > > struct drm_nouveau_channel_alloc {
> > > > 	uint32_t fb_ctxdma_handle;
> > > > 	uint32_t tt_ctxdma_handle;
> > > >
> > > > 	int channel;
> > > > 	uint32_t pushbuf_domains;
> > > >
> > > > 	/* Notifier memory */
> > > > 	uint32_t notifier_handle;
> > > >
> > > > 	/* DRM-enforced subchannel assignments */
> > > > 	struct {
> > > > 		uint32_t handle;
> > > > 		uint32_t grclass;
> > > > 	} subchan[8];
> > > > 	uint32_t nr_subchan;
> > > > };
> > > >
> > > > static struct drm_nouveau_channel_alloc channel;
> > > >
> > > > int main(int argc, char *argv[]) {
> > > > 	int fd;
> > > > 	int rv;
> > > >
> > > > 	if (argc != 2)
> > > > 		die("usage: %s <dev>", 0, argv[0]);
> > > >
> > > > 	if ((fd = open(argv[1], O_RDONLY)) == -1)
> > > > 		die("open %s", errno, argv[1]);
> > > >
> > > > 	if (ioctl(fd, DRM_IOCTL_NOUVEAU_CHANNEL_ALLOC, &channel) == -1 &&
> > > > 	    errno == EACCES)
> > > > 		die("ioctl %s", errno, argv[1]);
> > > >
> > > > 	close(fd);
> > > >
> > > > 	printf("PASS\n");
> > > >
> > > > 	return 0;
> > > > }
> > > > ---------------------------------8<----------------------------------------
> > > >
> > > > [1] https://github.com/kernelslacker/trinity
> > > >
> > > > Fixes: eeaf06ac1a55 ("drm/nouveau/svm: initial support for shared virtual memory")
> > > > Signed-off-by: Frantisek Hrbata <frantisek at hrbata.com>
> > > > ---
> > > > drivers/gpu/drm/nouveau/nouveau_chan.c | 1 +
> > > > 1 file changed, 1 insertion(+)
> > > >
> > > > diff --git a/drivers/gpu/drm/nouveau/nouveau_chan.c b/drivers/gpu/drm/nouveau/nouveau_chan.c
> > > > index b80e4ebf1..a7a47b325 100644
> > > > --- a/drivers/gpu/drm/nouveau/nouveau_chan.c
> > > > +++ b/drivers/gpu/drm/nouveau/nouveau_chan.c
> > > > @@ -533,6 +533,7 @@ nouveau_channel_new(struct nouveau_drm *drm, struct nvif_device *device,
> > > > if (ret) {
> > > > NV_PRINTK(err, cli, "channel failed to initialise, %d\n", ret);
> > > > nouveau_channel_del(pchan);
> > > > + goto done;
> > > > }
> > > >
> > > > ret = nouveau_svmm_join((*pchan)->vmm->svmm, (*pchan)->inst);
> > > > --
> > > > Frantisek Hrbata
> > >
> > > Is this still planned to be applied? AFAICS this is the fix for
> > > CVE-2020-25639.
> > >
> >
> > If it's urgent to get it fixed, I suggest going through the Linux
> > kernel or drm stable path. CCing dri-devel, Dave, Daniel and Ben.
> Missed this. I'll grab it today and send it with the next -fixes.

Do you know, were there some problems with the patch? TTBOMK it did not
yet appear in Linus' tree.

Regards,
Salvatore
_______________________________________________
Nouveau mailing list
Nouveau@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/nouveau
end of thread, other threads:[~2021-02-07 16:12 UTC | newest]

Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-08-28  9:28 [PATCH] drm/nouveau: bail out of nouveau_channel_new if channel init fails Frantisek Hrbata
     [not found] ` <20200828092846.GA11454-bi+AKbBUZKY6gyzm1THtWbp2dZbC/Bob@public.gmane.org>
2020-08-28 17:36   ` Karol Herbst
2020-08-28 18:29     ` Frantisek Hrbata
2020-11-15  9:10       ` Salvatore Bonaccorso
     [not found]         ` <20201115091010.GA132466-yvBWh1Eg28bhXIiyNabO3w@public.gmane.org>
2020-11-15 19:18           ` Karol Herbst
     [not found]             ` <CACO55tvwtYj0QGFy3Bk5-13bm7cjHGko3WegY1fFbtf0WckQyQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2020-11-15 23:04               ` Ben Skeggs
2021-02-07 13:35                 ` [Nouveau] " Salvatore Bonaccorso