nouveau.lists.freedesktop.org archive mirror
* [PATCH] drm/nouveau: bail out of nouveau_channel_new if channel init fails
From: Frantisek Hrbata @ 2020-08-28  9:28 UTC (permalink / raw)
  To: nouveau-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW; +Cc: Ben Skeggs

Unprivileged user can crash kernel by using DRM_IOCTL_NOUVEAU_CHANNEL_ALLOC
ioctl. This was reported by trinity[1] fuzzer.

[   71.073906] nouveau 0000:01:00.0: crashme[1329]: channel failed to initialise, -17
[   71.081730] BUG: kernel NULL pointer dereference, address: 00000000000000a0
[   71.088928] #PF: supervisor read access in kernel mode
[   71.094059] #PF: error_code(0x0000) - not-present page
[   71.099189] PGD 119590067 P4D 119590067 PUD 1054f5067 PMD 0
[   71.104842] Oops: 0000 [#1] SMP NOPTI
[   71.108498] CPU: 2 PID: 1329 Comm: crashme Not tainted 5.8.0-rc6+ #2
[   71.114993] Hardware name: AMD Pike/Pike, BIOS RPK1506A 09/03/2014
[   71.121213] RIP: 0010:nouveau_abi16_ioctl_channel_alloc+0x108/0x380 [nouveau]
[   71.128339] Code: 48 89 9d f0 00 00 00 41 8b 4c 24 04 41 8b 14 24 45 31 c0 4c 8d 4b 10 48 89 ee 4c 89 f7 e8 10 11 00 00 85 c0 75 78 48 8b 43 10 <8b> 90 a0 00 00 00 41 89 54 24 08 80 7d 3d 05 0f 86 bb 01 00 00 41
[   71.147074] RSP: 0018:ffffb4a1809cfd38 EFLAGS: 00010246
[   71.152526] RAX: 0000000000000000 RBX: ffff98cedbaa1d20 RCX: 00000000000003bf
[   71.159651] RDX: 00000000000003be RSI: 0000000000000000 RDI: 0000000000030160
[   71.166774] RBP: ffff98cee776de00 R08: ffffdc0144198a08 R09: ffff98ceeefd4000
[   71.173901] R10: ffff98cee7e81780 R11: 0000000000000001 R12: ffffb4a1809cfe08
[   71.181214] R13: ffff98cee776d000 R14: ffff98cec519e000 R15: ffff98cee776def0
[   71.188339] FS:  00007fd926250500(0000) GS:ffff98ceeac80000(0000) knlGS:0000000000000000
[   71.196418] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   71.202155] CR2: 00000000000000a0 CR3: 0000000106622000 CR4: 00000000000406e0
[   71.209297] Call Trace:
[   71.211777]  ? nouveau_abi16_ioctl_getparam+0x1f0/0x1f0 [nouveau]
[   71.218053]  drm_ioctl_kernel+0xac/0xf0 [drm]
[   71.222421]  drm_ioctl+0x211/0x3c0 [drm]
[   71.226379]  ? nouveau_abi16_ioctl_getparam+0x1f0/0x1f0 [nouveau]
[   71.232500]  nouveau_drm_ioctl+0x57/0xb0 [nouveau]
[   71.237285]  ksys_ioctl+0x86/0xc0
[   71.240595]  __x64_sys_ioctl+0x16/0x20
[   71.244340]  do_syscall_64+0x4c/0x90
[   71.248110]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   71.253162] RIP: 0033:0x7fd925d4b88b
[   71.256731] Code: Bad RIP value.
[   71.259955] RSP: 002b:00007ffc743592d8 EFLAGS: 00000206 ORIG_RAX: 0000000000000010
[   71.267514] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fd925d4b88b
[   71.274637] RDX: 0000000000601080 RSI: 00000000c0586442 RDI: 0000000000000003
[   71.281986] RBP: 00007ffc74359340 R08: 00007fd926016ce0 R09: 00007fd926016ce0
[   71.289111] R10: 0000000000000003 R11: 0000000000000206 R12: 0000000000400620
[   71.296235] R13: 00007ffc74359420 R14: 0000000000000000 R15: 0000000000000000
[   71.303361] Modules linked in: rfkill sunrpc snd_hda_codec_realtek snd_hda_codec_generic ledtrig_audio snd_hda_intel snd_intel_dspcfg snd_hda_codec snd_hda_core edac_mce_amd snd_hwdep kvm_amd snd_seq ccp snd_seq_device snd_pcm kvm snd_timer snd irqbypass soundcore sp5100_tco pcspkr crct10dif_pclmul crc32_pclmul ghash_clmulni_intel wmi_bmof joydev i2c_piix4 fam15h_power k10temp acpi_cpufreq ip_tables xfs libcrc32c sd_mod t10_pi sg nouveau video mxm_wmi i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm broadcom bcm_phy_lib ata_generic ahci drm e1000 crc32c_intel libahci serio_raw tg3 libata firewire_ohci firewire_core wmi crc_itu_t dm_mirror dm_region_hash dm_log dm_mod
[   71.365269] CR2: 00000000000000a0

simplified reproducer
---------------------------------8<----------------------------------------
/*
 * gcc -o crashme crashme.c
 * ./crashme /dev/dri/renderD128
 */

#include <sys/types.h>
#include <sys/stat.h>
#include <stdlib.h>
#include <stdio.h>
#include <fcntl.h>
#include <errno.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <drm/drm.h>
#include <drm/nouveau_drm.h>
#include <inttypes.h>
#include <string.h>
#include <error.h>

#define die(format, err, ...)  error(1, err, format, ## __VA_ARGS__)

/* Fallback definitions in case the installed drm headers do not provide the ioctl. */
#ifndef DRM_IOCTL_NOUVEAU_CHANNEL_ALLOC
struct drm_nouveau_channel_alloc {
	uint32_t     fb_ctxdma_handle;
	uint32_t     tt_ctxdma_handle;

	int          channel;
	uint32_t     pushbuf_domains;

	/* Notifier memory */
	uint32_t     notifier_handle;

	/* DRM-enforced subchannel assignments */
	struct {
		uint32_t handle;
		uint32_t grclass;
	} subchan[8];
	uint32_t nr_subchan;
};
#define DRM_IOCTL_NOUVEAU_CHANNEL_ALLOC      DRM_IOWR(DRM_COMMAND_BASE + DRM_NOUVEAU_CHANNEL_ALLOC, struct drm_nouveau_channel_alloc)
#endif

/* Zero-initialised request; no valid handles are supplied. */
static struct drm_nouveau_channel_alloc channel;

int main(int argc, char *argv[]) {
	int fd;

	if (argc != 2)
		die("usage: %s <dev>", 0, argv[0]);

	if ((fd = open(argv[1], O_RDONLY)) == -1)
		die("open %s", errno, argv[1]);

	/*
	 * Only a permission error is treated as fatal; any other
	 * result falls through to PASS.
	 */
	if (ioctl(fd, DRM_IOCTL_NOUVEAU_CHANNEL_ALLOC, &channel) == -1 &&
			errno == EACCES)
		die("ioctl %s", errno, argv[1]);

	close(fd);

	printf("PASS\n");

	return 0;
}
---------------------------------8<----------------------------------------

[1] https://github.com/kernelslacker/trinity

Fixes: eeaf06ac1a55 ("drm/nouveau/svm: initial support for shared virtual memory")
Signed-off-by: Frantisek Hrbata <frantisek-ktf8V493EB/QT0dZR+AlfA@public.gmane.org>
---
 drivers/gpu/drm/nouveau/nouveau_chan.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/gpu/drm/nouveau/nouveau_chan.c b/drivers/gpu/drm/nouveau/nouveau_chan.c
index b80e4ebf1..a7a47b325 100644
--- a/drivers/gpu/drm/nouveau/nouveau_chan.c
+++ b/drivers/gpu/drm/nouveau/nouveau_chan.c
@@ -533,6 +533,7 @@ nouveau_channel_new(struct nouveau_drm *drm, struct nvif_device *device,
 	if (ret) {
 		NV_PRINTK(err, cli, "channel failed to initialise, %d\n", ret);
 		nouveau_channel_del(pchan);
+		goto done;
 	}
 
 	ret = nouveau_svmm_join((*pchan)->vmm->svmm, (*pchan)->inst);
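Review bot: the `done:` label is outside this hunk, so check that its path returns `ret` as it stands at the `goto` (the non-zero value just logged by `NV_PRINTK`) and that nothing after the label reassigns it; without the added `goto done;`, execution falls through to `ret = nouveau_svmm_join((*pchan)->vmm->svmm, (*pchan)->inst)`, which both dereferences `*pchan` right after `nouveau_channel_del(pchan)` has been called on it and overwrites the init error with the join result. A short comment on the `goto`, for example `/* *pchan is no longer valid after nouveau_channel_del() */`, would make the reason for bailing out explicit for the next reader.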
-- 
Frantisek Hrbata


* Re: [PATCH] drm/nouveau: bail out of nouveau_channel_new if channel init fails
From: Karol Herbst @ 2020-08-28 17:36 UTC (permalink / raw)
  To: Frantisek Hrbata; +Cc: nouveau, Ben Skeggs

On Fri, Aug 28, 2020 at 2:05 PM Frantisek Hrbata <frantisek-ktf8V493EB/QT0dZR+AlfA@public.gmane.org> wrote:
>
> Unprivileged user can crash kernel by using DRM_IOCTL_NOUVEAU_CHANNEL_ALLOC
> ioctl. This was reported by trinity[1] fuzzer.
>
> [   71.073906] nouveau 0000:01:00.0: crashme[1329]: channel failed to initialise, -17
> [   71.081730] BUG: kernel NULL pointer dereference, address: 00000000000000a0
> [   71.088928] #PF: supervisor read access in kernel mode
> [   71.094059] #PF: error_code(0x0000) - not-present page
> [   71.099189] PGD 119590067 P4D 119590067 PUD 1054f5067 PMD 0
> [   71.104842] Oops: 0000 [#1] SMP NOPTI
> [   71.108498] CPU: 2 PID: 1329 Comm: crashme Not tainted 5.8.0-rc6+ #2
> [   71.114993] Hardware name: AMD Pike/Pike, BIOS RPK1506A 09/03/2014
> [   71.121213] RIP: 0010:nouveau_abi16_ioctl_channel_alloc+0x108/0x380 [nouveau]
> [   71.128339] Code: 48 89 9d f0 00 00 00 41 8b 4c 24 04 41 8b 14 24 45 31 c0 4c 8d 4b 10 48 89 ee 4c 89 f7 e8 10 11 00 00 85 c0 75 78 48 8b 43 10 <8b> 90 a0 00 00 00 41 89 54 24 08 80 7d 3d 05 0f 86 bb 01 00 00 41
> [   71.147074] RSP: 0018:ffffb4a1809cfd38 EFLAGS: 00010246
> [   71.152526] RAX: 0000000000000000 RBX: ffff98cedbaa1d20 RCX: 00000000000003bf
> [   71.159651] RDX: 00000000000003be RSI: 0000000000000000 RDI: 0000000000030160
> [   71.166774] RBP: ffff98cee776de00 R08: ffffdc0144198a08 R09: ffff98ceeefd4000
> [   71.173901] R10: ffff98cee7e81780 R11: 0000000000000001 R12: ffffb4a1809cfe08
> [   71.181214] R13: ffff98cee776d000 R14: ffff98cec519e000 R15: ffff98cee776def0
> [   71.188339] FS:  00007fd926250500(0000) GS:ffff98ceeac80000(0000) knlGS:0000000000000000
> [   71.196418] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [   71.202155] CR2: 00000000000000a0 CR3: 0000000106622000 CR4: 00000000000406e0
> [   71.209297] Call Trace:
> [   71.211777]  ? nouveau_abi16_ioctl_getparam+0x1f0/0x1f0 [nouveau]
> [   71.218053]  drm_ioctl_kernel+0xac/0xf0 [drm]
> [   71.222421]  drm_ioctl+0x211/0x3c0 [drm]
> [   71.226379]  ? nouveau_abi16_ioctl_getparam+0x1f0/0x1f0 [nouveau]
> [   71.232500]  nouveau_drm_ioctl+0x57/0xb0 [nouveau]
> [   71.237285]  ksys_ioctl+0x86/0xc0
> [   71.240595]  __x64_sys_ioctl+0x16/0x20
> [   71.244340]  do_syscall_64+0x4c/0x90
> [   71.248110]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
> [   71.253162] RIP: 0033:0x7fd925d4b88b
> [   71.256731] Code: Bad RIP value.
> [   71.259955] RSP: 002b:00007ffc743592d8 EFLAGS: 00000206 ORIG_RAX: 0000000000000010
> [   71.267514] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fd925d4b88b
> [   71.274637] RDX: 0000000000601080 RSI: 00000000c0586442 RDI: 0000000000000003
> [   71.281986] RBP: 00007ffc74359340 R08: 00007fd926016ce0 R09: 00007fd926016ce0
> [   71.289111] R10: 0000000000000003 R11: 0000000000000206 R12: 0000000000400620
> [   71.296235] R13: 00007ffc74359420 R14: 0000000000000000 R15: 0000000000000000
> [   71.303361] Modules linked in: rfkill sunrpc snd_hda_codec_realtek snd_hda_codec_generic ledtrig_audio snd_hda_intel snd_intel_dspcfg snd_hda_codec snd_hda_core edac_mce_amd snd_hwdep kvm_amd snd_seq ccp snd_seq_device snd_pcm kvm snd_timer snd irqbypass soundcore sp5100_tco pcspkr crct10dif_pclmul crc32_pclmul ghash_clmulni_intel wmi_bmof joydev i2c_piix4 fam15h_power k10temp acpi_cpufreq ip_tables xfs libcrc32c sd_mod t10_pi sg nouveau video mxm_wmi i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm broadcom bcm_phy_lib ata_generic ahci drm e1000 crc32c_intel libahci serio_raw tg3 libata firewire_ohci firewire_core wmi crc_itu_t dm_mirror dm_region_hash dm_log dm_mod
> [   71.365269] CR2: 00000000000000a0
>
> simplified reproducer
> ---------------------------------8<----------------------------------------
> /*
>  * gcc -o crashme crashme.c
>  * ./crashme /dev/dri/renderD128
>  */
>
> struct drm_nouveau_channel_alloc {
>         uint32_t     fb_ctxdma_handle;
>         uint32_t     tt_ctxdma_handle;
>
>         int          channel;
>         uint32_t     pushbuf_domains;
>
>         /* Notifier memory */
>         uint32_t     notifier_handle;
>
>         /* DRM-enforced subchannel assignments */
>         struct {
>                 uint32_t handle;
>                 uint32_t grclass;
>         } subchan[8];
>         uint32_t nr_subchan;
> };
>
> static struct drm_nouveau_channel_alloc channel;
>
> int main(int argc, char *argv[]) {
>         int fd;
>         int rv;
>
>         if (argc != 2)
>                 die("usage: %s <dev>", 0, argv[0]);
>
>         if ((fd = open(argv[1], O_RDONLY)) == -1)
>                 die("open %s", errno, argv[1]);
>
>         if (ioctl(fd, DRM_IOCTL_NOUVEAU_CHANNEL_ALLOC, &channel) == -1 &&
>                         errno == EACCES)
>                 die("ioctl %s", errno, argv[1]);
>
>         close(fd);
>
>         printf("PASS\n");
>
>         return 0;
> }
> ---------------------------------8<----------------------------------------
>
> [1] https://github.com/kernelslacker/trinity
>
> Fixes: eeaf06ac1a55 ("drm/nouveau/svm: initial support for shared virtual memory")
> Signed-off-by: Frantisek Hrbata <frantisek-ktf8V493EB/QT0dZR+AlfA@public.gmane.org>
> ---
>  drivers/gpu/drm/nouveau/nouveau_chan.c | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/drivers/gpu/drm/nouveau/nouveau_chan.c b/drivers/gpu/drm/nouveau/nouveau_chan.c
> index b80e4ebf1..a7a47b325 100644
> --- a/drivers/gpu/drm/nouveau/nouveau_chan.c
> +++ b/drivers/gpu/drm/nouveau/nouveau_chan.c
> @@ -533,6 +533,7 @@ nouveau_channel_new(struct nouveau_drm *drm, struct nvif_device *device,
>         if (ret) {
>                 NV_PRINTK(err, cli, "channel failed to initialise, %d\n", ret);
>                 nouveau_channel_del(pchan);
> +               goto done;
>         }
>
>         ret = nouveau_svmm_join((*pchan)->vmm->svmm, (*pchan)->inst);
> --
> Frantisek Hrbata
>
> _______________________________________________
> Nouveau mailing list
> Nouveau-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW@public.gmane.org
> https://lists.freedesktop.org/mailman/listinfo/nouveau
>

Reviewed-by: Karol Herbst <kherbst-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>


* Re: [PATCH] drm/nouveau: bail out of nouveau_channel_new if channel init fails
From: Frantisek Hrbata @ 2020-08-28 18:29 UTC (permalink / raw)
  To: nouveau-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW; +Cc: Ben Skeggs

Hi,

I'm sorry for another email, but it seems that all lines in the
reproducer starting with '#' got trimmed as they were comments.
Probably something I did on my side :(. Would it be possible to
fix this in the commit msg or do you prefer v2?

Thank you

simplified reproducer
---------------------------------8<----------------------------------------
/*
 * gcc -o crashme crashme.c
 * ./crashme /dev/dri/renderD128
 */

#include <sys/types.h>
#include <sys/stat.h>
#include <stdlib.h>
#include <stdio.h>
#include <fcntl.h>
#include <errno.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <drm/drm.h>
#include <drm/nouveau_drm.h>
#include <inttypes.h>
#include <string.h>
#include <error.h>

#define die(format, err, ...)  error(1, err, format, ## __VA_ARGS__)

#ifndef DRM_IOCTL_NOUVEAU_CHANNEL_ALLOC
struct drm_nouveau_channel_alloc {
	uint32_t     fb_ctxdma_handle;
	uint32_t     tt_ctxdma_handle;

	int          channel;
	uint32_t     pushbuf_domains;

	/* Notifier memory */
	uint32_t     notifier_handle;

	/* DRM-enforced subchannel assignments */
	struct {
		uint32_t handle;
		uint32_t grclass;
	} subchan[8];
	uint32_t nr_subchan;
};
#define DRM_IOCTL_NOUVEAU_CHANNEL_ALLOC      DRM_IOWR(DRM_COMMAND_BASE + DRM_NOUVEAU_CHANNEL_ALLOC, struct drm_nouveau_channel_alloc)
#endif

static struct drm_nouveau_channel_alloc channel;

int main(int argc, char *argv[]) {
	int fd;
	int rv;

	if (argc != 2)
		die("usage: %s <dev>", 0, argv[0]);

	if ((fd = open(argv[1], O_RDONLY)) == -1)
		die("open %s", errno, argv[1]);

	if (ioctl(fd, DRM_IOCTL_NOUVEAU_CHANNEL_ALLOC, &channel) == -1 &&
			errno == EACCES)
		die("ioctl %s", errno, argv[1]);

	close(fd);

	printf("PASS\n");

	return 0;
}
---------------------------------8<----------------------------------------

-- 
Frantisek Hrbata


* Re: [PATCH] drm/nouveau: bail out of nouveau_channel_new if channel init fails
From: Salvatore Bonaccorso @ 2020-11-15  9:10 UTC (permalink / raw)
  To: nouveau-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW; +Cc: Frantisek Hrbata

Hi,

On Fri, Aug 28, 2020 at 11:28:46AM +0200, Frantisek Hrbata wrote:
> Unprivileged user can crash kernel by using DRM_IOCTL_NOUVEAU_CHANNEL_ALLOC
> ioctl. This was reported by trinity[1] fuzzer.
> 
> [   71.073906] nouveau 0000:01:00.0: crashme[1329]: channel failed to initialise, -17
> [   71.081730] BUG: kernel NULL pointer dereference, address: 00000000000000a0
> [   71.088928] #PF: supervisor read access in kernel mode
> [   71.094059] #PF: error_code(0x0000) - not-present page
> [   71.099189] PGD 119590067 P4D 119590067 PUD 1054f5067 PMD 0
> [   71.104842] Oops: 0000 [#1] SMP NOPTI
> [   71.108498] CPU: 2 PID: 1329 Comm: crashme Not tainted 5.8.0-rc6+ #2
> [   71.114993] Hardware name: AMD Pike/Pike, BIOS RPK1506A 09/03/2014
> [   71.121213] RIP: 0010:nouveau_abi16_ioctl_channel_alloc+0x108/0x380 [nouveau]
> [   71.128339] Code: 48 89 9d f0 00 00 00 41 8b 4c 24 04 41 8b 14 24 45 31 c0 4c 8d 4b 10 48 89 ee 4c 89 f7 e8 10 11 00 00 85 c0 75 78 48 8b 43 10 <8b> 90 a0 00 00 00 41 89 54 24 08 80 7d 3d 05 0f 86 bb 01 00 00 41
> [   71.147074] RSP: 0018:ffffb4a1809cfd38 EFLAGS: 00010246
> [   71.152526] RAX: 0000000000000000 RBX: ffff98cedbaa1d20 RCX: 00000000000003bf
> [   71.159651] RDX: 00000000000003be RSI: 0000000000000000 RDI: 0000000000030160
> [   71.166774] RBP: ffff98cee776de00 R08: ffffdc0144198a08 R09: ffff98ceeefd4000
> [   71.173901] R10: ffff98cee7e81780 R11: 0000000000000001 R12: ffffb4a1809cfe08
> [   71.181214] R13: ffff98cee776d000 R14: ffff98cec519e000 R15: ffff98cee776def0
> [   71.188339] FS:  00007fd926250500(0000) GS:ffff98ceeac80000(0000) knlGS:0000000000000000
> [   71.196418] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [   71.202155] CR2: 00000000000000a0 CR3: 0000000106622000 CR4: 00000000000406e0
> [   71.209297] Call Trace:
> [   71.211777]  ? nouveau_abi16_ioctl_getparam+0x1f0/0x1f0 [nouveau]
> [   71.218053]  drm_ioctl_kernel+0xac/0xf0 [drm]
> [   71.222421]  drm_ioctl+0x211/0x3c0 [drm]
> [   71.226379]  ? nouveau_abi16_ioctl_getparam+0x1f0/0x1f0 [nouveau]
> [   71.232500]  nouveau_drm_ioctl+0x57/0xb0 [nouveau]
> [   71.237285]  ksys_ioctl+0x86/0xc0
> [   71.240595]  __x64_sys_ioctl+0x16/0x20
> [   71.244340]  do_syscall_64+0x4c/0x90
> [   71.248110]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
> [   71.253162] RIP: 0033:0x7fd925d4b88b
> [   71.256731] Code: Bad RIP value.
> [   71.259955] RSP: 002b:00007ffc743592d8 EFLAGS: 00000206 ORIG_RAX: 0000000000000010
> [   71.267514] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fd925d4b88b
> [   71.274637] RDX: 0000000000601080 RSI: 00000000c0586442 RDI: 0000000000000003
> [   71.281986] RBP: 00007ffc74359340 R08: 00007fd926016ce0 R09: 00007fd926016ce0
> [   71.289111] R10: 0000000000000003 R11: 0000000000000206 R12: 0000000000400620
> [   71.296235] R13: 00007ffc74359420 R14: 0000000000000000 R15: 0000000000000000
> [   71.303361] Modules linked in: rfkill sunrpc snd_hda_codec_realtek snd_hda_codec_generic ledtrig_audio snd_hda_intel snd_intel_dspcfg snd_hda_codec snd_hda_core edac_mce_amd snd_hwdep kvm_amd snd_seq ccp snd_seq_device snd_pcm kvm snd_timer snd irqbypass soundcore sp5100_tco pcspkr crct10dif_pclmul crc32_pclmul ghash_clmulni_intel wmi_bmof joydev i2c_piix4 fam15h_power k10temp acpi_cpufreq ip_tables xfs libcrc32c sd_mod t10_pi sg nouveau video mxm_wmi i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm broadcom bcm_phy_lib ata_generic ahci drm e1000 crc32c_intel libahci serio_raw tg3 libata firewire_ohci firewire_core wmi crc_itu_t dm_mirror dm_region_hash dm_log dm_mod
> [   71.365269] CR2: 00000000000000a0
> 
> simplified reproducer
> ---------------------------------8<----------------------------------------
> /*
>  * gcc -o crashme crashme.c
>  * ./crashme /dev/dri/renderD128
>  */
> 
> struct drm_nouveau_channel_alloc {
> 	uint32_t     fb_ctxdma_handle;
> 	uint32_t     tt_ctxdma_handle;
> 
> 	int          channel;
> 	uint32_t     pushbuf_domains;
> 
> 	/* Notifier memory */
> 	uint32_t     notifier_handle;
> 
> 	/* DRM-enforced subchannel assignments */
> 	struct {
> 		uint32_t handle;
> 		uint32_t grclass;
> 	} subchan[8];
> 	uint32_t nr_subchan;
> };
> 
> static struct drm_nouveau_channel_alloc channel;
> 
> int main(int argc, char *argv[]) {
> 	int fd;
> 	int rv;
> 
> 	if (argc != 2)
> 		die("usage: %s <dev>", 0, argv[0]);
> 
> 	if ((fd = open(argv[1], O_RDONLY)) == -1)
> 		die("open %s", errno, argv[1]);
> 
> 	if (ioctl(fd, DRM_IOCTL_NOUVEAU_CHANNEL_ALLOC, &channel) == -1 &&
> 			errno == EACCES)
> 		die("ioctl %s", errno, argv[1]);
> 
> 	close(fd);
> 
> 	printf("PASS\n");
> 
> 	return 0;
> }
> ---------------------------------8<----------------------------------------
> 
> [1] https://github.com/kernelslacker/trinity
> 
> Fixes: eeaf06ac1a55 ("drm/nouveau/svm: initial support for shared virtual memory")
> Signed-off-by: Frantisek Hrbata <frantisek at hrbata.com>
> ---
>  drivers/gpu/drm/nouveau/nouveau_chan.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/drivers/gpu/drm/nouveau/nouveau_chan.c b/drivers/gpu/drm/nouveau/nouveau_chan.c
> index b80e4ebf1..a7a47b325 100644
> --- a/drivers/gpu/drm/nouveau/nouveau_chan.c
> +++ b/drivers/gpu/drm/nouveau/nouveau_chan.c
> @@ -533,6 +533,7 @@ nouveau_channel_new(struct nouveau_drm *drm, struct nvif_device *device,
>  	if (ret) {
>  		NV_PRINTK(err, cli, "channel failed to initialise, %d\n", ret);
>  		nouveau_channel_del(pchan);
> +		goto done;
>  	}
>  
>  	ret = nouveau_svmm_join((*pchan)->vmm->svmm, (*pchan)->inst);
> -- 
> Frantisek Hrbata

Is this still planned to be applied? AFAICS this is the fix for
CVE-2020-25639.

Regards,
Salvatore


* Re: [PATCH] drm/nouveau: bail out of nouveau_channel_new if channel init fails
From: Karol Herbst @ 2020-11-15 19:18 UTC (permalink / raw)
  To: Salvatore Bonaccorso; +Cc: nouveau, dri-devel, Frantisek Hrbata, Daniel Vetter

On Sun, Nov 15, 2020 at 6:43 PM Salvatore Bonaccorso <carnil-8fiUuRrzOP0dnm+yROfE0A@public.gmane.org> wrote:
>
> Hi,
>
> On Fri, Aug 28, 2020 at 11:28:46AM +0200, Frantisek Hrbata wrote:
> > Unprivileged user can crash kernel by using DRM_IOCTL_NOUVEAU_CHANNEL_ALLOC
> > ioctl. This was reported by trinity[1] fuzzer.
> >
> > [   71.073906] nouveau 0000:01:00.0: crashme[1329]: channel failed to initialise, -17
> > [   71.081730] BUG: kernel NULL pointer dereference, address: 00000000000000a0
> > [   71.088928] #PF: supervisor read access in kernel mode
> > [   71.094059] #PF: error_code(0x0000) - not-present page
> > [   71.099189] PGD 119590067 P4D 119590067 PUD 1054f5067 PMD 0
> > [   71.104842] Oops: 0000 [#1] SMP NOPTI
> > [   71.108498] CPU: 2 PID: 1329 Comm: crashme Not tainted 5.8.0-rc6+ #2
> > [   71.114993] Hardware name: AMD Pike/Pike, BIOS RPK1506A 09/03/2014
> > [   71.121213] RIP: 0010:nouveau_abi16_ioctl_channel_alloc+0x108/0x380 [nouveau]
> > [   71.128339] Code: 48 89 9d f0 00 00 00 41 8b 4c 24 04 41 8b 14 24 45 31 c0 4c 8d 4b 10 48 89 ee 4c 89 f7 e8 10 11 00 00 85 c0 75 78 48 8b 43 10 <8b> 90 a0 00 00 00 41 89 54 24 08 80 7d 3d 05 0f 86 bb 01 00 00 41
> > [   71.147074] RSP: 0018:ffffb4a1809cfd38 EFLAGS: 00010246
> > [   71.152526] RAX: 0000000000000000 RBX: ffff98cedbaa1d20 RCX: 00000000000003bf
> > [   71.159651] RDX: 00000000000003be RSI: 0000000000000000 RDI: 0000000000030160
> > [   71.166774] RBP: ffff98cee776de00 R08: ffffdc0144198a08 R09: ffff98ceeefd4000
> > [   71.173901] R10: ffff98cee7e81780 R11: 0000000000000001 R12: ffffb4a1809cfe08
> > [   71.181214] R13: ffff98cee776d000 R14: ffff98cec519e000 R15: ffff98cee776def0
> > [   71.188339] FS:  00007fd926250500(0000) GS:ffff98ceeac80000(0000) knlGS:0000000000000000
> > [   71.196418] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > [   71.202155] CR2: 00000000000000a0 CR3: 0000000106622000 CR4: 00000000000406e0
> > [   71.209297] Call Trace:
> > [   71.211777]  ? nouveau_abi16_ioctl_getparam+0x1f0/0x1f0 [nouveau]
> > [   71.218053]  drm_ioctl_kernel+0xac/0xf0 [drm]
> > [   71.222421]  drm_ioctl+0x211/0x3c0 [drm]
> > [   71.226379]  ? nouveau_abi16_ioctl_getparam+0x1f0/0x1f0 [nouveau]
> > [   71.232500]  nouveau_drm_ioctl+0x57/0xb0 [nouveau]
> > [   71.237285]  ksys_ioctl+0x86/0xc0
> > [   71.240595]  __x64_sys_ioctl+0x16/0x20
> > [   71.244340]  do_syscall_64+0x4c/0x90
> > [   71.248110]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
> > [   71.253162] RIP: 0033:0x7fd925d4b88b
> > [   71.256731] Code: Bad RIP value.
> > [   71.259955] RSP: 002b:00007ffc743592d8 EFLAGS: 00000206 ORIG_RAX: 0000000000000010
> > [   71.267514] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fd925d4b88b
> > [   71.274637] RDX: 0000000000601080 RSI: 00000000c0586442 RDI: 0000000000000003
> > [   71.281986] RBP: 00007ffc74359340 R08: 00007fd926016ce0 R09: 00007fd926016ce0
> > [   71.289111] R10: 0000000000000003 R11: 0000000000000206 R12: 0000000000400620
> > [   71.296235] R13: 00007ffc74359420 R14: 0000000000000000 R15: 0000000000000000
> > [   71.303361] Modules linked in: rfkill sunrpc snd_hda_codec_realtek snd_hda_codec_generic ledtrig_audio snd_hda_intel snd_intel_dspcfg snd_hda_codec snd_hda_core edac_mce_amd snd_hwdep kvm_amd snd_seq ccp snd_seq_device snd_pcm kvm snd_timer snd irqbypass soundcore sp5100_tco pcspkr crct10dif_pclmul crc32_pclmul ghash_clmulni_intel wmi_bmof joydev i2c_piix4 fam15h_power k10temp acpi_cpufreq ip_tables xfs libcrc32c sd_mod t10_pi sg nouveau video mxm_wmi i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm broadcom bcm_phy_lib ata_generic ahci drm e1000 crc32c_intel libahci serio_raw tg3 libata firewire_ohci firewire_core wmi crc_itu_t dm_mirror dm_region_hash dm_log dm_mod
> > [   71.365269] CR2: 00000000000000a0
> >
> > simplified reproducer
> > ---------------------------------8<----------------------------------------
> > /*
> >  * gcc -o crashme crashme.c
> >  * ./crashme /dev/dri/renderD128
> >  */
> >
> > struct drm_nouveau_channel_alloc {
> >       uint32_t     fb_ctxdma_handle;
> >       uint32_t     tt_ctxdma_handle;
> >
> >       int          channel;
> >       uint32_t     pushbuf_domains;
> >
> >       /* Notifier memory */
> >       uint32_t     notifier_handle;
> >
> >       /* DRM-enforced subchannel assignments */
> >       struct {
> >               uint32_t handle;
> >               uint32_t grclass;
> >       } subchan[8];
> >       uint32_t nr_subchan;
> > };
> >
> > static struct drm_nouveau_channel_alloc channel;
> >
> > int main(int argc, char *argv[]) {
> >       int fd;
> >       int rv;
> >
> >       if (argc != 2)
> >               die("usage: %s <dev>", 0, argv[0]);
> >
> >       if ((fd = open(argv[1], O_RDONLY)) == -1)
> >               die("open %s", errno, argv[1]);
> >
> >       if (ioctl(fd, DRM_IOCTL_NOUVEAU_CHANNEL_ALLOC, &channel) == -1 &&
> >                       errno == EACCES)
> >               die("ioctl %s", errno, argv[1]);
> >
> >       close(fd);
> >
> >       printf("PASS\n");
> >
> >       return 0;
> > }
> > ---------------------------------8<----------------------------------------
> >
> > [1] https://github.com/kernelslacker/trinity
> >
> > Fixes: eeaf06ac1a55 ("drm/nouveau/svm: initial support for shared virtual memory")
> > Signed-off-by: Frantisek Hrbata <frantisek at hrbata.com>
> > ---
> >  drivers/gpu/drm/nouveau/nouveau_chan.c | 1 +
> >  1 file changed, 1 insertion(+)
> >
> > diff --git a/drivers/gpu/drm/nouveau/nouveau_chan.c b/drivers/gpu/drm/nouveau/nouveau_chan.c
> > index b80e4ebf1..a7a47b325 100644
> > --- a/drivers/gpu/drm/nouveau/nouveau_chan.c
> > +++ b/drivers/gpu/drm/nouveau/nouveau_chan.c
> > @@ -533,6 +533,7 @@ nouveau_channel_new(struct nouveau_drm *drm, struct nvif_device *device,
> >       if (ret) {
> >               NV_PRINTK(err, cli, "channel failed to initialise, %d\n", ret);
> >               nouveau_channel_del(pchan);
> > +             goto done;
> >       }
> >
> >       ret = nouveau_svmm_join((*pchan)->vmm->svmm, (*pchan)->inst);
> > --
> > Frantisek Hrbata
>
> Is this still planned to be applied? AFAICS this is the fix for
> CVE-2020-25639.
>

If it's urgent to get it fixed, I suggest going through the Linux
kernel or drm stable path. CCing dri-devel, Dave, Daniel and Ben.

> Regards,
> Salvatore


* Re: [PATCH] drm/nouveau: bail out of nouveau_channel_new if channel init fails
From: Ben Skeggs @ 2020-11-15 23:04 UTC (permalink / raw)
  To: Karol Herbst
  Cc: nouveau, dri-devel, Frantisek Hrbata, Daniel Vetter,
	Salvatore Bonaccorso

On Mon, 16 Nov 2020 at 05:19, Karol Herbst <kherbst-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> wrote:
>
> On Sun, Nov 15, 2020 at 6:43 PM Salvatore Bonaccorso <carnil-8fiUuRrzOP0dnm+yROfE0A@public.gmane.org> wrote:
> >
> > Hi,
> >
> > On Fri, Aug 28, 2020 at 11:28:46AM +0200, Frantisek Hrbata wrote:
> > > Unprivileged user can crash kernel by using DRM_IOCTL_NOUVEAU_CHANNEL_ALLOC
> > > ioctl. This was reported by trinity[1] fuzzer.
> > >
> > > [   71.073906] nouveau 0000:01:00.0: crashme[1329]: channel failed to initialise, -17
> > > [   71.081730] BUG: kernel NULL pointer dereference, address: 00000000000000a0
> > > [   71.088928] #PF: supervisor read access in kernel mode
> > > [   71.094059] #PF: error_code(0x0000) - not-present page
> > > [   71.099189] PGD 119590067 P4D 119590067 PUD 1054f5067 PMD 0
> > > [   71.104842] Oops: 0000 [#1] SMP NOPTI
> > > [   71.108498] CPU: 2 PID: 1329 Comm: crashme Not tainted 5.8.0-rc6+ #2
> > > [   71.114993] Hardware name: AMD Pike/Pike, BIOS RPK1506A 09/03/2014
> > > [   71.121213] RIP: 0010:nouveau_abi16_ioctl_channel_alloc+0x108/0x380 [nouveau]
> > > [   71.128339] Code: 48 89 9d f0 00 00 00 41 8b 4c 24 04 41 8b 14 24 45 31 c0 4c 8d 4b 10 48 89 ee 4c 89 f7 e8 10 11 00 00 85 c0 75 78 48 8b 43 10 <8b> 90 a0 00 00 00 41 89 54 24 08 80 7d 3d 05 0f 86 bb 01 00 00 41
> > > [   71.147074] RSP: 0018:ffffb4a1809cfd38 EFLAGS: 00010246
> > > [   71.152526] RAX: 0000000000000000 RBX: ffff98cedbaa1d20 RCX: 00000000000003bf
> > > [   71.159651] RDX: 00000000000003be RSI: 0000000000000000 RDI: 0000000000030160
> > > [   71.166774] RBP: ffff98cee776de00 R08: ffffdc0144198a08 R09: ffff98ceeefd4000
> > > [   71.173901] R10: ffff98cee7e81780 R11: 0000000000000001 R12: ffffb4a1809cfe08
> > > [   71.181214] R13: ffff98cee776d000 R14: ffff98cec519e000 R15: ffff98cee776def0
> > > [   71.188339] FS:  00007fd926250500(0000) GS:ffff98ceeac80000(0000) knlGS:0000000000000000
> > > [   71.196418] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > > [   71.202155] CR2: 00000000000000a0 CR3: 0000000106622000 CR4: 00000000000406e0
> > > [   71.209297] Call Trace:
> > > [   71.211777]  ? nouveau_abi16_ioctl_getparam+0x1f0/0x1f0 [nouveau]
> > > [   71.218053]  drm_ioctl_kernel+0xac/0xf0 [drm]
> > > [   71.222421]  drm_ioctl+0x211/0x3c0 [drm]
> > > [   71.226379]  ? nouveau_abi16_ioctl_getparam+0x1f0/0x1f0 [nouveau]
> > > [   71.232500]  nouveau_drm_ioctl+0x57/0xb0 [nouveau]
> > > [   71.237285]  ksys_ioctl+0x86/0xc0
> > > [   71.240595]  __x64_sys_ioctl+0x16/0x20
> > > [   71.244340]  do_syscall_64+0x4c/0x90
> > > [   71.248110]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
> > > [   71.253162] RIP: 0033:0x7fd925d4b88b
> > > [   71.256731] Code: Bad RIP value.
> > > [   71.259955] RSP: 002b:00007ffc743592d8 EFLAGS: 00000206 ORIG_RAX: 0000000000000010
> > > [   71.267514] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fd925d4b88b
> > > [   71.274637] RDX: 0000000000601080 RSI: 00000000c0586442 RDI: 0000000000000003
> > > [   71.281986] RBP: 00007ffc74359340 R08: 00007fd926016ce0 R09: 00007fd926016ce0
> > > [   71.289111] R10: 0000000000000003 R11: 0000000000000206 R12: 0000000000400620
> > > [   71.296235] R13: 00007ffc74359420 R14: 0000000000000000 R15: 0000000000000000
> > > [   71.303361] Modules linked in: rfkill sunrpc snd_hda_codec_realtek snd_hda_codec_generic ledtrig_audio snd_hda_intel snd_intel_dspcfg snd_hda_codec snd_hda_core edac_mce_amd snd_hwdep kvm_amd snd_seq ccp snd_seq_device snd_pcm kvm snd_timer snd irqbypass soundcore sp5100_tco pcspkr crct10dif_pclmul crc32_pclmul ghash_clmulni_intel wmi_bmof joydev i2c_piix4 fam15h_power k10temp acpi_cpufreq ip_tables xfs libcrc32c sd_mod t10_pi sg nouveau video mxm_wmi i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm broadcom bcm_phy_lib ata_generic ahci drm e1000 crc32c_intel libahci serio_raw tg3 libata firewire_ohci firewire_core wmi crc_itu_t dm_mirror dm_region_hash dm_log dm_mod
> > > [   71.365269] CR2: 00000000000000a0
> > >
> > > simplified reproducer
> > > ---------------------------------8<----------------------------------------
> > > /*
> > >  * gcc -o crashme crashme.c
> > >  * ./crashme /dev/dri/renderD128
> > >  */
> > >
> > > #include <errno.h>
> > > #include <fcntl.h>
> > > #include <stdarg.h>
> > > #include <stdint.h>
> > > #include <stdio.h>
> > > #include <stdlib.h>
> > > #include <string.h>
> > > #include <sys/ioctl.h>
> > > #include <unistd.h>
> > >
> > > struct drm_nouveau_channel_alloc {
> > >       uint32_t     fb_ctxdma_handle;
> > >       uint32_t     tt_ctxdma_handle;
> > >
> > >       int          channel;
> > >       uint32_t     pushbuf_domains;
> > >
> > >       /* Notifier memory */
> > >       uint32_t     notifier_handle;
> > >
> > >       /* DRM-enforced subchannel assignments */
> > >       struct {
> > >               uint32_t handle;
> > >               uint32_t grclass;
> > >       } subchan[8];
> > >       uint32_t nr_subchan;
> > > };
> > >
> > > /* Added here (not in the original post): the request number from
> > >  * <drm/nouveau_drm.h>, DRM_IOWR(DRM_COMMAND_BASE + DRM_NOUVEAU_CHANNEL_ALLOC),
> > >  * spelled out so the local struct above can be used without pulling in the
> > >  * header. With the 88-byte struct this is the 0xc0586442 seen in RSI in the
> > >  * oops. */
> > > #define DRM_IOCTL_NOUVEAU_CHANNEL_ALLOC \
> > >       _IOWR('d', 0x42, struct drm_nouveau_channel_alloc)
> > >
> > > static struct drm_nouveau_channel_alloc channel;
> > >
> > > /* Added here (not in the original post): print the message, append
> > >  * strerror(err) when err is non-zero, and exit. */
> > > static void die(const char *fmt, int err, ...)
> > > {
> > >       va_list ap;
> > >
> > >       va_start(ap, err);
> > >       vfprintf(stderr, fmt, ap);
> > >       va_end(ap);
> > >       if (err)
> > >               fprintf(stderr, ": %s", strerror(err));
> > >       fputc('\n', stderr);
> > >       exit(1);
> > > }
> > >
> > > int main(int argc, char *argv[]) {
> > >       int fd;
> > >
> > >       if (argc != 2)
> > >               die("usage: %s <dev>", 0, argv[0]);
> > >
> > >       if ((fd = open(argv[1], O_RDONLY)) == -1)
> > >               die("open %s", errno, argv[1]);
> > >
> > >       /* Any error other than EACCES is accepted: the point is that the
> > >        * call returns at all instead of oopsing the kernel. */
> > >       if (ioctl(fd, DRM_IOCTL_NOUVEAU_CHANNEL_ALLOC, &channel) == -1 &&
> > >                       errno == EACCES)
> > >               die("ioctl %s", errno, argv[1]);
> > >
> > >       close(fd);
> > >
> > >       printf("PASS\n");
> > >
> > >       return 0;
> > > }
> > > ---------------------------------8<----------------------------------------
> > >
> > > [1] https://github.com/kernelslacker/trinity
> > >
> > > Fixes: eeaf06ac1a55 ("drm/nouveau/svm: initial support for shared virtual memory")
> > > Signed-off-by: Frantisek Hrbata <frantisek at hrbata.com>
> > > ---
> > >  drivers/gpu/drm/nouveau/nouveau_chan.c | 1 +
> > >  1 file changed, 1 insertion(+)
> > >
> > > diff --git a/drivers/gpu/drm/nouveau/nouveau_chan.c b/drivers/gpu/drm/nouveau/nouveau_chan.c
> > > index b80e4ebf1..a7a47b325 100644
> > > --- a/drivers/gpu/drm/nouveau/nouveau_chan.c
> > > +++ b/drivers/gpu/drm/nouveau/nouveau_chan.c
> > > @@ -533,6 +533,7 @@ nouveau_channel_new(struct nouveau_drm *drm, struct nvif_device *device,
> > >       if (ret) {
> > >               NV_PRINTK(err, cli, "channel failed to initialise, %d\n", ret);
> > >               nouveau_channel_del(pchan);
> > > +             goto done;
> > >       }
> > >
> > >       ret = nouveau_svmm_join((*pchan)->vmm->svmm, (*pchan)->inst);
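Review bot: the `goto done` after `nouveau_channel_del(pchan)` is the right fix, but the hunk does not show what `done:` does, and the bail-out only helps if `done` returns `ret` unchanged (the init error, -17 in the report) rather than passing through later state; please confirm that in the surrounding code. The reason the fall-through mattered deserves a sentence in the commit message: the next statement is `ret = nouveau_svmm_join((*pchan)->vmm->svmm, (*pchan)->inst);`, which runs on a channel `nouveau_channel_del()` has just torn down and whose result replaces `ret`, and the oops above shows the consequence in the caller (nouveau_abi16_ioctl_channel_alloc dereferencing a NULL channel, RAX: 0000000000000000), i.e. the constructor came back reporting success with `*pchan` already cleared. Also, the trailer carries a Fixes: tag but no `Cc: stable@vger.kernel.org`; for a NULL dereference reachable by an unprivileged user through a render node that tag should be there so the backport does not depend on someone asking later in the thread.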
> > > --
> > > Frantisek Hrbata
> >
> > Is this still planned to be applied? AFAICS this is the fix for
> > CVE-2020-25639.
> >
>
> If it's urgent to get it fixed, I suggest going through the Linux
> kernel or drm stable path. CCing dri-devel, Dave, Daniel and Ben.
Missed this.  I'll grab it today and send it with the next -fixes.

Ben.
>
> > Regards,
> > Salvatore
> > _______________________________________________
> > Nouveau mailing list
> > Nouveau-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW@public.gmane.org
> > https://lists.freedesktop.org/mailman/listinfo/nouveau
> >
>

^ permalink raw reply	[flat|nested] 7+ messages in thread
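The fall-through that the patch above closes, modelled as an added, stand-alone example (not the nouveau driver's code and not from anyone in the thread): a constructor that frees the channel and clears the caller's pointer when init fails but keeps going, so the return value of a later call replaces the error and the caller receives success together with a NULL channel, beside the version with the bail-out. All names (`channel_init`, `channel_del`, `svmm_join`, `caller`) are assumed stand-ins. The join stub takes the channel pointer rather than `(*pchan)->vmm->svmm` so the outcome the oops shows (the caller, not the constructor, hitting NULL) can be reproduced without faulting, and the modelled caller returns -EFAULT where the real ioctl handler would have dereferenced NULL.

```c
/*
 * Model of the error path fixed by the patch.  Everything here is a
 * stand-in with assumed names, not the nouveau driver's code.
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

struct channel {
	unsigned long inst;	/* a field the caller touches after the call */
};

/* Stand-in for channel init: fails with the given -errno (0 = success). */
static int channel_init(struct channel *chan, int err)
{
	chan->inst = 0x1000;
	return err;		/* the report shows -17, i.e. -EEXIST */
}

/* Stand-in for nouveau_channel_del(): frees the channel and clears the
 * caller's pointer, which is why any later use goes through NULL. */
static void channel_del(struct channel **pchan)
{
	free(*pchan);
	*pchan = NULL;
}

/* Stand-in for nouveau_svmm_join(): succeeds regardless of its argument
 * (modelling assumption, see the lead-in). */
static int svmm_join(struct channel *chan)
{
	(void)chan;
	return 0;
}

/* Before the patch: cleanup runs, but nothing stops the function. */
static int channel_new_unfixed(int init_err, struct channel **pchan)
{
	int ret;

	*pchan = calloc(1, sizeof(**pchan));
	if (!*pchan)
		return -ENOMEM;

	ret = channel_init(*pchan, init_err);
	if (ret) {
		fprintf(stderr, "channel failed to initialise, %d\n", ret);
		channel_del(pchan);
		/* falls through: ret is overwritten below */
	}

	ret = svmm_join(*pchan);	/* returns 0, the init error is lost */
	return ret;
}

/* After the patch: "goto done" right after the cleanup. */
static int channel_new_fixed(int init_err, struct channel **pchan)
{
	int ret;

	*pchan = calloc(1, sizeof(**pchan));
	if (!*pchan)
		return -ENOMEM;

	ret = channel_init(*pchan, init_err);
	if (ret) {
		fprintf(stderr, "channel failed to initialise, %d\n", ret);
		channel_del(pchan);
		goto done;
	}

	ret = svmm_join(*pchan);
done:
	return ret;
}

/* Caller in the style of the ioctl handler: it uses the channel whenever the
 * constructor reported success.  Returns what it would hand to user space;
 * -EFAULT stands in for the NULL dereference the real handler hit. */
static int caller(int (*channel_new)(int, struct channel **), int init_err)
{
	struct channel *chan = NULL;
	int ret = channel_new(init_err, &chan);

	if (ret)
		return ret;		/* error propagated to user space */
	if (!chan)
		return -EFAULT;		/* "success", but nothing to use */
	ret = (int)chan->inst;		/* normal use of the channel */
	channel_del(&chan);
	return ret;
}

int main(void)
{
	printf("unfixed, init fails: caller sees %d\n", caller(channel_new_unfixed, -EEXIST));
	printf("fixed,   init fails: caller sees %d\n", caller(channel_new_fixed, -EEXIST));
	printf("fixed,   init ok:    caller sees %d\n", caller(channel_new_fixed, 0));
	return 0;
}
```

The unfixed constructor returns 0 with `*pchan` cleared, which is the state the oops in the report corresponds to; the fixed one returns the init error and the caller never touches the channel.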

* Re: [Nouveau] [PATCH] drm/nouveau: bail out of nouveau_channel_new if channel init fails
  2020-11-15 23:04           ` Ben Skeggs
@ 2021-02-07 13:35             ` Salvatore Bonaccorso
  0 siblings, 0 replies; 7+ messages in thread
From: Salvatore Bonaccorso @ 2021-02-07 13:35 UTC (permalink / raw)
  To: Ben Skeggs; +Cc: nouveau, dri-devel, Frantisek Hrbata, Daniel Vetter

Hi Ben,

On Mon, Nov 16, 2020 at 09:04:32AM +1000, Ben Skeggs wrote:
> On Mon, 16 Nov 2020 at 05:19, Karol Herbst <kherbst@redhat.com> wrote:
> >
> > On Sun, Nov 15, 2020 at 6:43 PM Salvatore Bonaccorso <carnil@debian.org> wrote:
> > >
> > > Hi,
> > >
> > > On Fri, Aug 28, 2020 at 11:28:46AM +0200, Frantisek Hrbata wrote:
> > > > Unprivileged user can crash kernel by using DRM_IOCTL_NOUVEAU_CHANNEL_ALLOC
> > > > ioctl. This was reported by trinity[1] fuzzer.
> > > >
> > > > [   71.073906] nouveau 0000:01:00.0: crashme[1329]: channel failed to initialise, -17
> > > > [   71.081730] BUG: kernel NULL pointer dereference, address: 00000000000000a0
> > > > [   71.088928] #PF: supervisor read access in kernel mode
> > > > [   71.094059] #PF: error_code(0x0000) - not-present page
> > > > [   71.099189] PGD 119590067 P4D 119590067 PUD 1054f5067 PMD 0
> > > > [   71.104842] Oops: 0000 [#1] SMP NOPTI
> > > > [   71.108498] CPU: 2 PID: 1329 Comm: crashme Not tainted 5.8.0-rc6+ #2
> > > > [   71.114993] Hardware name: AMD Pike/Pike, BIOS RPK1506A 09/03/2014
> > > > [   71.121213] RIP: 0010:nouveau_abi16_ioctl_channel_alloc+0x108/0x380 [nouveau]
> > > > [   71.128339] Code: 48 89 9d f0 00 00 00 41 8b 4c 24 04 41 8b 14 24 45 31 c0 4c 8d 4b 10 48 89 ee 4c 89 f7 e8 10 11 00 00 85 c0 75 78 48 8b 43 10 <8b> 90 a0 00 00 00 41 89 54 24 08 80 7d 3d 05 0f 86 bb 01 00 00 41
> > > > [   71.147074] RSP: 0018:ffffb4a1809cfd38 EFLAGS: 00010246
> > > > [   71.152526] RAX: 0000000000000000 RBX: ffff98cedbaa1d20 RCX: 00000000000003bf
> > > > [   71.159651] RDX: 00000000000003be RSI: 0000000000000000 RDI: 0000000000030160
> > > > [   71.166774] RBP: ffff98cee776de00 R08: ffffdc0144198a08 R09: ffff98ceeefd4000
> > > > [   71.173901] R10: ffff98cee7e81780 R11: 0000000000000001 R12: ffffb4a1809cfe08
> > > > [   71.181214] R13: ffff98cee776d000 R14: ffff98cec519e000 R15: ffff98cee776def0
> > > > [   71.188339] FS:  00007fd926250500(0000) GS:ffff98ceeac80000(0000) knlGS:0000000000000000
> > > > [   71.196418] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > > > [   71.202155] CR2: 00000000000000a0 CR3: 0000000106622000 CR4: 00000000000406e0
> > > > [   71.209297] Call Trace:
> > > > [   71.211777]  ? nouveau_abi16_ioctl_getparam+0x1f0/0x1f0 [nouveau]
> > > > [   71.218053]  drm_ioctl_kernel+0xac/0xf0 [drm]
> > > > [   71.222421]  drm_ioctl+0x211/0x3c0 [drm]
> > > > [   71.226379]  ? nouveau_abi16_ioctl_getparam+0x1f0/0x1f0 [nouveau]
> > > > [   71.232500]  nouveau_drm_ioctl+0x57/0xb0 [nouveau]
> > > > [   71.237285]  ksys_ioctl+0x86/0xc0
> > > > [   71.240595]  __x64_sys_ioctl+0x16/0x20
> > > > [   71.244340]  do_syscall_64+0x4c/0x90
> > > > [   71.248110]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
> > > > [   71.253162] RIP: 0033:0x7fd925d4b88b
> > > > [   71.256731] Code: Bad RIP value.
> > > > [   71.259955] RSP: 002b:00007ffc743592d8 EFLAGS: 00000206 ORIG_RAX: 0000000000000010
> > > > [   71.267514] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fd925d4b88b
> > > > [   71.274637] RDX: 0000000000601080 RSI: 00000000c0586442 RDI: 0000000000000003
> > > > [   71.281986] RBP: 00007ffc74359340 R08: 00007fd926016ce0 R09: 00007fd926016ce0
> > > > [   71.289111] R10: 0000000000000003 R11: 0000000000000206 R12: 0000000000400620
> > > > [   71.296235] R13: 00007ffc74359420 R14: 0000000000000000 R15: 0000000000000000
> > > > [   71.303361] Modules linked in: rfkill sunrpc snd_hda_codec_realtek snd_hda_codec_generic ledtrig_audio snd_hda_intel snd_intel_dspcfg snd_hda_codec snd_hda_core edac_mce_amd snd_hwdep kvm_amd snd_seq ccp snd_seq_device snd_pcm kvm snd_timer snd irqbypass soundcore sp5100_tco pcspkr crct10dif_pclmul crc32_pclmul ghash_clmulni_intel wmi_bmof joydev i2c_piix4 fam15h_power k10temp acpi_cpufreq ip_tables xfs libcrc32c sd_mod t10_pi sg nouveau video mxm_wmi i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm broadcom bcm_phy_lib ata_generic ahci drm e1000 crc32c_intel libahci serio_raw tg3 libata firewire_ohci firewire_core wmi crc_itu_t dm_mirror dm_region_hash dm_log dm_mod
> > > > [   71.365269] CR2: 00000000000000a0
> > > >
> > > > simplified reproducer
> > > > ---------------------------------8<----------------------------------------
> > > > /*
> > > >  * gcc -o crashme crashme.c
> > > >  * ./crashme /dev/dri/renderD128
> > > >  */
> > > >
> > > > #include <errno.h>
> > > > #include <fcntl.h>
> > > > #include <stdarg.h>
> > > > #include <stdint.h>
> > > > #include <stdio.h>
> > > > #include <stdlib.h>
> > > > #include <string.h>
> > > > #include <sys/ioctl.h>
> > > > #include <unistd.h>
> > > >
> > > > struct drm_nouveau_channel_alloc {
> > > >       uint32_t     fb_ctxdma_handle;
> > > >       uint32_t     tt_ctxdma_handle;
> > > >
> > > >       int          channel;
> > > >       uint32_t     pushbuf_domains;
> > > >
> > > >       /* Notifier memory */
> > > >       uint32_t     notifier_handle;
> > > >
> > > >       /* DRM-enforced subchannel assignments */
> > > >       struct {
> > > >               uint32_t handle;
> > > >               uint32_t grclass;
> > > >       } subchan[8];
> > > >       uint32_t nr_subchan;
> > > > };
> > > >
> > > > /* Added here (not in the original post): the request number from
> > > >  * <drm/nouveau_drm.h>, DRM_IOWR(DRM_COMMAND_BASE + DRM_NOUVEAU_CHANNEL_ALLOC),
> > > >  * spelled out so the local struct above can be used without pulling in the
> > > >  * header. With the 88-byte struct this is the 0xc0586442 seen in RSI in the
> > > >  * oops. */
> > > > #define DRM_IOCTL_NOUVEAU_CHANNEL_ALLOC \
> > > >       _IOWR('d', 0x42, struct drm_nouveau_channel_alloc)
> > > >
> > > > static struct drm_nouveau_channel_alloc channel;
> > > >
> > > > /* Added here (not in the original post): print the message, append
> > > >  * strerror(err) when err is non-zero, and exit. */
> > > > static void die(const char *fmt, int err, ...)
> > > > {
> > > >       va_list ap;
> > > >
> > > >       va_start(ap, err);
> > > >       vfprintf(stderr, fmt, ap);
> > > >       va_end(ap);
> > > >       if (err)
> > > >               fprintf(stderr, ": %s", strerror(err));
> > > >       fputc('\n', stderr);
> > > >       exit(1);
> > > > }
> > > >
> > > > int main(int argc, char *argv[]) {
> > > >       int fd;
> > > >
> > > >       if (argc != 2)
> > > >               die("usage: %s <dev>", 0, argv[0]);
> > > >
> > > >       if ((fd = open(argv[1], O_RDONLY)) == -1)
> > > >               die("open %s", errno, argv[1]);
> > > >
> > > >       /* Any error other than EACCES is accepted: the point is that the
> > > >        * call returns at all instead of oopsing the kernel. */
> > > >       if (ioctl(fd, DRM_IOCTL_NOUVEAU_CHANNEL_ALLOC, &channel) == -1 &&
> > > >                       errno == EACCES)
> > > >               die("ioctl %s", errno, argv[1]);
> > > >
> > > >       close(fd);
> > > >
> > > >       printf("PASS\n");
> > > >
> > > >       return 0;
> > > > }
> > > > ---------------------------------8<----------------------------------------
> > > >
> > > > [1] https://github.com/kernelslacker/trinity
> > > >
> > > > Fixes: eeaf06ac1a55 ("drm/nouveau/svm: initial support for shared virtual memory")
> > > > Signed-off-by: Frantisek Hrbata <frantisek at hrbata.com>
> > > > ---
> > > >  drivers/gpu/drm/nouveau/nouveau_chan.c | 1 +
> > > >  1 file changed, 1 insertion(+)
> > > >
> > > > diff --git a/drivers/gpu/drm/nouveau/nouveau_chan.c b/drivers/gpu/drm/nouveau/nouveau_chan.c
> > > > index b80e4ebf1..a7a47b325 100644
> > > > --- a/drivers/gpu/drm/nouveau/nouveau_chan.c
> > > > +++ b/drivers/gpu/drm/nouveau/nouveau_chan.c
> > > > @@ -533,6 +533,7 @@ nouveau_channel_new(struct nouveau_drm *drm, struct nvif_device *device,
> > > >       if (ret) {
> > > >               NV_PRINTK(err, cli, "channel failed to initialise, %d\n", ret);
> > > >               nouveau_channel_del(pchan);
> > > > +             goto done;
> > > >       }
> > > >
> > > >       ret = nouveau_svmm_join((*pchan)->vmm->svmm, (*pchan)->inst);
> > > > --
> > > > Frantisek Hrbata
> > >
> > > Is this still planned to be applied? AFAICS this is the fix for
> > > CVE-2020-25639.
> > >
> >
> > If it's urgent to get it fixed, I suggest going through the Linux
> > kernel or drm stable path. CCing dri-devel, Dave, Daniel and Ben.
> Missed this.  I'll grab it today and send it with the next -fixes.

Do you know whether there were some problems with the patch? TTBOMK it has
not yet appeared in Linus' tree.

Regards,
Salvatore

^ permalink raw reply	[flat|nested] 7+ messages in thread

Thread overview: 7+ messages
2020-08-28  9:28 [PATCH] drm/nouveau: bail out of nouveau_channel_new if channel init fails Frantisek Hrbata
     [not found] ` <20200828092846.GA11454-bi+AKbBUZKY6gyzm1THtWbp2dZbC/Bob@public.gmane.org>
2020-08-28 17:36   ` Karol Herbst
2020-08-28 18:29   ` Frantisek Hrbata
2020-11-15  9:10   ` Salvatore Bonaccorso
     [not found]     ` <20201115091010.GA132466-yvBWh1Eg28bhXIiyNabO3w@public.gmane.org>
2020-11-15 19:18       ` Karol Herbst
     [not found]         ` <CACO55tvwtYj0QGFy3Bk5-13bm7cjHGko3WegY1fFbtf0WckQyQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2020-11-15 23:04           ` Ben Skeggs
2021-02-07 13:35             ` [Nouveau] " Salvatore Bonaccorso
