linux/include/drm
Thomas Hellström 139a27854b
drm/tests: helpers: Avoid a driver uaf
When using __drm_kunit_helper_alloc_drm_device() the driver may be
dereferenced by device-managed resources up until the device is
freed, which is typically later than the kunit-managed resource code
frees it. Fix this by simply making the driver device-managed as well.

In short, the sequence leading to the UAF is as follows:

INIT:
Code allocates a struct device as a kunit-managed resource.
Code allocates a drm driver as a kunit-managed resource.
Code allocates a drm device as a device-managed resource.

EXIT:
Kunit resource cleanup frees the drm driver
Kunit resource cleanup puts the struct device, which starts a
      device-managed resource cleanup
device-managed cleanup calls drm_dev_put()
drm_dev_put() dereferences the (now freed) drm driver -> Boom.

Related KASAN message:
[55272.551542] ==================================================================
[55272.551551] BUG: KASAN: slab-use-after-free in drm_dev_put.part.0+0xd4/0xe0 [drm]
[55272.551603] Read of size 8 at addr ffff888127502828 by task kunit_try_catch/10353

[55272.551612] CPU: 4 PID: 10353 Comm: kunit_try_catch Tainted: G     U           N 6.5.0-rc7+ #155
[55272.551620] Hardware name: ASUS System Product Name/PRIME B560M-A AC, BIOS 0403 01/26/2021
[55272.551626] Call Trace:
[55272.551629]  <TASK>
[55272.551633]  dump_stack_lvl+0x57/0x90
[55272.551639]  print_report+0xcf/0x630
[55272.551645]  ? _raw_spin_lock_irqsave+0x5f/0x70
[55272.551652]  ? drm_dev_put.part.0+0xd4/0xe0 [drm]
[55272.551694]  kasan_report+0xd7/0x110
[55272.551699]  ? drm_dev_put.part.0+0xd4/0xe0 [drm]
[55272.551742]  drm_dev_put.part.0+0xd4/0xe0 [drm]
[55272.551783]  devres_release_all+0x15d/0x1f0
[55272.551790]  ? __pfx_devres_release_all+0x10/0x10
[55272.551797]  device_unbind_cleanup+0x16/0x1a0
[55272.551802]  device_release_driver_internal+0x3e5/0x540
[55272.551808]  ? kobject_put+0x5d/0x4b0
[55272.551814]  bus_remove_device+0x1f1/0x3f0
[55272.551819]  device_del+0x342/0x910
[55272.551826]  ? __pfx_device_del+0x10/0x10
[55272.551830]  ? lock_release+0x339/0x5e0
[55272.551836]  ? kunit_remove_resource+0x128/0x290 [kunit]
[55272.551845]  ? __pfx_lock_release+0x10/0x10
[55272.551851]  platform_device_del.part.0+0x1f/0x1e0
[55272.551856]  ? _raw_spin_unlock_irqrestore+0x30/0x60
[55272.551863]  kunit_remove_resource+0x195/0x290 [kunit]
[55272.551871]  ? _raw_spin_unlock_irqrestore+0x30/0x60
[55272.551877]  kunit_cleanup+0x78/0x120 [kunit]
[55272.551885]  ? __kthread_parkme+0xc1/0x1f0
[55272.551891]  ? __pfx_kunit_try_run_case_cleanup+0x10/0x10 [kunit]
[55272.551900]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [kunit]
[55272.551909]  kunit_generic_run_threadfn_adapter+0x4a/0x90 [kunit]
[55272.551919]  kthread+0x2e7/0x3c0
[55272.551924]  ? __pfx_kthread+0x10/0x10
[55272.551929]  ret_from_fork+0x2d/0x70
[55272.551935]  ? __pfx_kthread+0x10/0x10
[55272.551940]  ret_from_fork_asm+0x1b/0x30
[55272.551948]  </TASK>

[55272.551953] Allocated by task 10351:
[55272.551956]  kasan_save_stack+0x1c/0x40
[55272.551962]  kasan_set_track+0x21/0x30
[55272.551966]  __kasan_kmalloc+0x8b/0x90
[55272.551970]  __kmalloc+0x5e/0x160
[55272.551976]  kunit_kmalloc_array+0x1c/0x50 [kunit]
[55272.551984]  drm_exec_test_init+0xfa/0x2c0 [drm_exec_test]
[55272.551991]  kunit_try_run_case+0xdd/0x250 [kunit]
[55272.551999]  kunit_generic_run_threadfn_adapter+0x4a/0x90 [kunit]
[55272.552008]  kthread+0x2e7/0x3c0
[55272.552012]  ret_from_fork+0x2d/0x70
[55272.552017]  ret_from_fork_asm+0x1b/0x30

[55272.552024] Freed by task 10353:
[55272.552027]  kasan_save_stack+0x1c/0x40
[55272.552032]  kasan_set_track+0x21/0x30
[55272.552036]  kasan_save_free_info+0x27/0x40
[55272.552041]  __kasan_slab_free+0x106/0x180
[55272.552046]  slab_free_freelist_hook+0xb3/0x160
[55272.552051]  __kmem_cache_free+0xb2/0x290
[55272.552056]  kunit_remove_resource+0x195/0x290 [kunit]
[55272.552064]  kunit_cleanup+0x78/0x120 [kunit]
[55272.552072]  kunit_generic_run_threadfn_adapter+0x4a/0x90 [kunit]
[55272.552080]  kthread+0x2e7/0x3c0
[55272.552085]  ret_from_fork+0x2d/0x70
[55272.552089]  ret_from_fork_asm+0x1b/0x30

[55272.552096] The buggy address belongs to the object at ffff888127502800
                which belongs to the cache kmalloc-512 of size 512
[55272.552105] The buggy address is located 40 bytes inside of
                freed 512-byte region [ffff888127502800, ffff888127502a00)

[55272.552115] The buggy address belongs to the physical page:
[55272.552119] page:00000000af6c70ff refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x127500
[55272.552127] head:00000000af6c70ff order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[55272.552133] anon flags: 0x17ffffc0010200(slab|head|node=0|zone=2|lastcpupid=0x1fffff)
[55272.552141] page_type: 0xffffffff()
[55272.552145] raw: 0017ffffc0010200 ffff888100042c80 0000000000000000 dead000000000001
[55272.552152] raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000
[55272.552157] page dumped because: kasan: bad access detected

[55272.552163] Memory state around the buggy address:
[55272.552167]  ffff888127502700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[55272.552173]  ffff888127502780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[55272.552178] >ffff888127502800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[55272.552184]                                   ^
[55272.552187]  ffff888127502880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[55272.552193]  ffff888127502900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[55272.552198] ==================================================================
[55272.552203] Disabling lock debugging due to kernel taint

v2:
- Update commit message, add Fixes: tag and Cc stable.
v3:
- Further commit message updates (Maxime Ripard).

Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
Cc: Maxime Ripard <mripard@kernel.org>
Cc: Thomas Zimmermann <tzimmermann@suse.de>
Cc: David Airlie <airlied@gmail.com>
Cc: Daniel Vetter <daniel@ffwll.ch>
Cc: dri-devel@lists.freedesktop.org
Cc: stable@vger.kernel.org # v6.3+
Fixes: d987803107 ("drm/tests: helpers: Allow to pass a custom drm_driver")
Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
Reviewed-by: Francois Dugast <francois.dugast@intel.com>
Acked-by: Maxime Ripard <mripard@kernel.org>
Link: https://lore.kernel.org/r/20230907135339.7971-2-thomas.hellstrom@linux.intel.com
Signed-off-by: Maxime Ripard <mripard@kernel.org>
2023-09-14 13:57:58 +02:00
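As an added illustration (not kernel code and not part of this commit), a small C model of the cleanup ordering described above: two LIFO release lists stand in for the kunit-managed and device-managed resource stacks, and dev_put() counts reads of a driver that has already been released. run(false) reproduces the INIT/EXIT sequence from the commit message, run(true) is the fix with the driver device-managed; the names drv, res, run and bad_reads are assumptions of the model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

struct drv { const char *name; bool freed; };              /* stands in for struct drm_driver */
struct res { void (*release)(void *); void *p; struct res *next; };

static struct res *kunit_res, *devm_res;                  /* LIFO stacks, like the real managers */

static void push(struct res **list, void (*rel)(void *), void *p)
{
    struct res *r = malloc(sizeof *r);
    r->release = rel; r->p = p; r->next = *list; *list = r;
}

static void release_all(struct res **list)                /* newest resource released first */
{
    while (*list) { struct res *r = *list; *list = r->next; r->release(r->p); free(r); }
}

static int bad_reads;                                     /* reads of an already-released driver */
static void drv_free(void *p) { ((struct drv *)p)->freed = true; } /* marked, not free()d, so the read stays observable */
static void dev_put(void *p)                              /* stands in for drm_dev_put() */
{
    struct drv *d = p;
    if (d->freed) bad_reads++;                            /* this is the read KASAN reports */
}
static void put_device(void *unused) { (void)unused; release_all(&devm_res); } /* devres_release_all() */

/* Returns how many times the driver was read after release (0 means no UAF). */
static int run(bool driver_devm)
{
    struct drv d = { "model", false };
    bad_reads = 0;
    /* INIT: struct device (kunit), drm driver (kunit or devm), drm device (devm) */
    push(&kunit_res, put_device, NULL);
    push(driver_devm ? &devm_res : &kunit_res, drv_free, &d);
    push(&devm_res, dev_put, &d);
    /* EXIT: kunit resource cleanup; putting the device runs the devm cleanup */
    release_all(&kunit_res);
    return bad_reads;
}
```

With the driver kunit-managed it is released before the device put triggers dev_put(); making it device-managed reverses that order so dev_put() runs first.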
bridge drm/bridge: dw-hdmi: change YUV420 selection logic at clock setup 2023-06-27 09:51:31 +02:00
display drm/display/dp: Fix the DP DSC Receiver cap size 2023-08-22 10:52:11 +03:00
i2c
ttm drm/ttm: Remove two unused function declarations 2023-08-10 09:12:08 +02:00
amd_asic_type.h
drm_accel.h accel: Add .mmap to DRM_ACCEL_FOPS 2023-01-26 11:52:13 +02:00
drm_aperture.h drm/aperture: Remove primary argument 2023-04-16 14:17:41 +02:00
drm_atomic_helper.h drm/atomic-helper: Add atomic_enable plane-helper callback 2023-02-20 15:19:23 +01:00
drm_atomic_state_helper.h drm/atomic-helper: Add an analog TV atomic_check implementation 2022-11-24 12:42:40 +01:00
drm_atomic_uapi.h
drm_atomic.h drm: add helper functions to retrieve old and new crtc 2023-03-13 04:43:49 +03:00
drm_audio_component.h drm/audio: make drm_audio_component.h self-contained 2022-11-29 14:14:51 +02:00
drm_auth.h
drm_blend.h
drm_bridge_connector.h drm/bridge_connector: drop drm_bridge_connector_en/disable_hpd() 2023-01-05 15:08:10 +01:00
drm_bridge.h drm/bridge: Add debugfs print for bridge chains 2023-08-02 10:05:01 +02:00
drm_buddy.h
drm_cache.h
drm_client.h drm next for 6.3-rc1 2023-02-22 18:28:03 -08:00
drm_color_mgmt.h
drm_connector.h Merge tag 'amd-drm-next-6.5-2023-06-09' of https://gitlab.freedesktop.org/agd5f/linux into drm-next 2023-06-15 14:11:22 +10:00
drm_crtc_helper.h drm/crtc-helper: Remove most include statements from drm_crtc_helper.h 2023-01-18 09:25:32 +01:00
drm_crtc.h drm: Remove references to removed transitional helpers 2023-07-29 21:25:16 +02:00
drm_damage_helper.h
drm_debugfs_crc.h
drm_debugfs.h drm: debugfs: provide infrastructure to dump a DRM GPU VA space 2023-07-20 05:16:21 +02:00
drm_device.h drm-misc-next for v6.3: 2023-01-16 15:33:28 +10:00
drm_displayid.h drm/displayid: provide access to DisplayID version and primary use case 2023-02-27 02:58:38 +03:00
drm_drv.h drm: manager to keep track of GPUs VA mappings 2023-07-20 05:15:53 +02:00
drm_edid.h Revert "drm/edid: Fix csync detailed mode parsing" 2023-08-17 14:39:12 +03:00
drm_encoder_slave.h
drm_encoder.h
drm_exec.h drm/drm_exec: Work around a WW mutex lockdep oddity 2023-09-07 10:30:12 +02:00
drm_fb_dma_helper.h
drm_fb_helper.h drm/fb-helper: Remove unused inline function drm_fb_helper_defio_init() 2023-07-25 20:38:37 +02:00
drm_fbdev_dma.h drm/fbdev-dma: Implement fbdev emulation for GEM DMA helpers 2023-03-14 17:07:47 +01:00
drm_fbdev_generic.h drm/fb-helper: Move generic fbdev emulation into separate source file 2022-11-05 17:12:04 +01:00
drm_file.h drm/file: use explicit values for enum drm_minor_type 2023-07-17 10:40:41 +02:00
drm_fixed.h drm: Add fixed-point helper to get rounded integer values 2023-05-15 10:58:10 -03:00
drm_flip_work.h
drm_format_helper.h drm/format-helper: Simplify drm_fb_build_fourcc_list() 2023-01-03 14:27:39 +01:00
drm_fourcc.h
drm_framebuffer.h
drm_gem_atomic_helper.h drm/simple-kms: Remove drm_gem_simple_display_pipe_prepare_fb() 2022-12-05 13:35:37 +01:00
drm_gem_dma_helper.h drm: Clear fd/handle callbacks in struct drm_driver 2023-06-26 11:08:41 +02:00
drm_gem_framebuffer_helper.h
drm_gem_shmem_helper.h drm: Clear fd/handle callbacks in struct drm_driver 2023-06-26 11:08:41 +02:00
drm_gem_ttm_helper.h drm/ttm: merge ttm_bo_api.h and ttm_bo_driver.h v2 2022-12-06 12:54:14 +01:00
drm_gem_vram_helper.h drm: Clear fd/handle callbacks in struct drm_driver 2023-06-26 11:08:41 +02:00
drm_gem.h drm/gem: fix lockdep check for dma-resv lock 2023-08-04 20:34:31 +02:00
drm_gpuva_mgr.h drm: manager to keep track of GPUs VA mappings 2023-07-20 05:15:53 +02:00
drm_ioctl.h
drm_kunit_helpers.h drm/tests: helpers: Avoid a driver uaf 2023-09-14 13:57:58 +02:00
drm_lease.h
drm_legacy.h
drm_managed.h drm: fix drmm_mutex_init() 2023-05-22 12:23:50 +02:00
drm_mipi_dbi.h drm/mipi-dbi: Support separate I/O regulator 2022-12-14 14:57:09 +01:00
drm_mipi_dsi.h Driver core changes for 6.3-rc1 2023-02-24 12:58:55 -08:00
drm_mm.h
drm_mode_config.h drm/fbdev-generic: Remove unused prefer_shadow_fbdev flag 2023-03-22 13:32:47 +01:00
drm_mode_object.h
drm_modes.h drm/modes: Add a function to generate analog display modes 2022-11-24 12:42:39 +01:00
drm_modeset_helper_vtables.h drm: Remove references to removed transitional helpers 2023-07-29 21:25:16 +02:00
drm_modeset_helper.h
drm_modeset_lock.h
drm_module.h
drm_of.h drm: of: Add drm_of_get_dsi_bus helper function 2023-01-27 09:39:21 +01:00
drm_panel.h drm/panel: Fix kernel-doc typo for follower_lock 2023-08-03 10:21:27 +02:00
drm_pciids.h drm: Remove some obsolete drm pciids(tdfx, mga, i810, savage, r128, sis, via) 2023-01-13 09:44:56 +01:00
drm_plane_helper.h drm/plane-helper: Add the missing declaration of drm_atomic_state 2022-12-16 10:23:11 +01:00
drm_plane.h drm/drm_plane.h: fix grammar of the comment 2023-08-03 11:06:03 +02:00
drm_prime.h drm/prime: Unexport helpers for fd/handle conversion 2023-06-26 11:08:46 +02:00
drm_print.h Merge tag 'amd-drm-next-6.3-2023-01-27' of https://gitlab.freedesktop.org/agd5f/linux into drm-next 2023-01-30 15:37:57 +10:00
drm_privacy_screen_consumer.h
drm_privacy_screen_driver.h
drm_privacy_screen_machine.h
drm_probe_helper.h drm: Add an HPD poll helper to reschedule the poll work 2023-08-23 17:14:37 -04:00
drm_property.h
drm_rect.h
drm_self_refresh_helper.h
drm_simple_kms_helper.h drm/simple-kms: Remove drm_gem_simple_display_pipe_prepare_fb() 2022-12-05 13:35:37 +01:00
drm_suballoc.h drm/suballoc: Extract amdgpu_sa.c as generic suballocation helper 2023-03-01 17:18:19 +01:00
drm_syncobj.h drm/syncobj: add IOCTL to register an eventfd 2023-07-20 12:01:03 +02:00
drm_sysfs.h drm/sysfs: rename drm_sysfs_connector_status_event() 2023-06-23 15:54:00 +02:00
drm_util.h
drm_utils.h
drm_vblank_work.h
drm_vblank.h drm/vblank: Add helper to get next vblank time 2023-03-28 14:52:59 -07:00
drm_vma_manager.h drm/drm_vma_manager: Add drm_vma_node_allow_once() 2023-01-19 14:16:55 +01:00
drm_writeback.h
gma_drm.h
gpu_scheduler.h Linux 6.5-rc1 2023-07-11 09:23:20 +02:00
gud.h
i915_component.h drm/i915/mtl: Define GSC Proxy component interface 2023-05-04 02:57:28 -07:00
i915_drm.h drm/i915_drm.h: fix a typo 2023-06-02 20:05:45 +03:00
i915_gsc_proxy_mei_interface.h drm/i915/mtl: Define GSC Proxy component interface 2023-05-04 02:57:28 -07:00
i915_hdcp_interface.h drm/i915/hdcp: Move away from master naming to arbiter 2023-05-31 10:22:13 +05:30
i915_pciids.h drm/i915: Add RPL-U sub platform 2023-02-16 12:29:51 +02:00
i915_pxp_tee_interface.h mei: pxp: add command streamer API to the PXP driver 2022-10-03 11:29:11 -07:00
intel_lpe_audio.h
intel-gtt.h
spsc_queue.h
task_barrier.h drm: Spelling s/randevouz/rendez-vous/ 2023-07-29 21:11:54 +02:00