| author | Thadeu Lima de Souza Cascardo <cascardo@igalia.com> | 2026-03-04 20:27:52 -0300 |
|---|---|---|
| committer | Tvrtko Ursulin <tursulin@ursulin.net> | 2026-03-05 08:12:36 +0000 |
| commit | 91d7e9df42598af28ca440b95b16a4e51a408771 | |
| tree | a7a6553802fb8b427240f8b093961515304fdfed | |
| parent | 8f3c6f08ababad2e3bdd239728cf66a9949446b4 | |
drm/ttm: Fix bo resource use-after-free
When allocating a lot of buffers and putting the TTM under memory pressure,
during swapout, it might crash the system with the stack trace below.
It turns out that ttm_bo_swapout_cb might replace bo->resource when it
moves it to system cached.
When commit c06da4b3573a ("drm/ttm: Tidy usage of local variables a little
bit") used a local variable for bo->resource, it used the freed resource
later in the function, leading to a UAF.
Move back to using bo->resource in all cases in that function instead of a
local variable.
```text
[ 604.814275] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 604.814284] #PF: supervisor read access in kernel mode
[ 604.814288] #PF: error_code(0x0000) - not-present page
[ 604.814291] PGD 0 P4D 0
[ 604.814296] Oops: Oops: 0000 [#1] SMP NOPTI
[ 604.814303] CPU: 2 UID: 0 PID: 4408 Comm: vulkan Tainted: G W 7.0.0-rc2-00001-gc50a051e6aca #21 PREEMPT(full) aef6eb0c02036a7c8a5e62e0c84a30c2be90688d
[ 604.814309] Tainted: [W]=WARN
[ 604.814311] Hardware name: Valve Jupiter/Jupiter, BIOS F7A0133 08/05/2024
[ 604.814314] RIP: 0010:ttm_resource_move_to_lru_tail+0x100/0x160 [ttm]
[ 604.814329] Code: 5b 5d e9 83 b4 1b cb 48 63 d2 48 c1 e0 04 48 8b 4e 40 48 8d 7e 40 48 8b ac d3 d8 00 00 00 48 89 c3 48 8d 54 05 68 48 8b 46 48 <48> 3b 38 0f 85 b3 3b 00 00 48 3b 79 08 0f 85 a9 3b 00 00 48 89 41
[ 604.814332] RSP: 0018:ffffcfe54e3d7578 EFLAGS: 00010256
[ 604.814336] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff8cf09eced300
[ 604.814339] RDX: 0000000000000068 RSI: ffff8cf1d4c1fc00 RDI: ffff8cf1d4c1fc40
[ 604.814341] RBP: 0000000000000000 R08: ffff8cf09eced300 R09: 0000000000000000
[ 604.814344] R10: 0000000000000000 R11: 0000000000000016 R12: ffff8cf1d4c1fc00
[ 604.814346] R13: 0000000000000400 R14: ffff8cf096289c00 R15: ffff8cf084c8f688
[ 604.814349] FS: 00007f00531b7780(0000) GS:ffff8cf4217a0000(0000) knlGS:0000000000000000
[ 604.814352] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 604.814355] CR2: 0000000000000000 CR3: 000000018e3df000 CR4: 0000000000350ef0
[ 604.814358] Call Trace:
[ 604.814362] <TASK>
[ 604.814368] ttm_bo_swapout_cb+0x24c/0x280 [ttm a469cf7fcb6737fdcf3fb5cdbcc8b1ca41f3e302]
[ 604.814380] ttm_lru_walk_for_evict+0xac/0x1d0 [ttm a469cf7fcb6737fdcf3fb5cdbcc8b1ca41f3e302]
[ 604.814394] ttm_bo_swapout+0x5b/0x80 [ttm a469cf7fcb6737fdcf3fb5cdbcc8b1ca41f3e302]
[ 604.814405] ttm_global_swapout+0x63/0x100 [ttm a469cf7fcb6737fdcf3fb5cdbcc8b1ca41f3e302]
[ 604.814415] ttm_tt_populate+0x82/0x130 [ttm a469cf7fcb6737fdcf3fb5cdbcc8b1ca41f3e302]
[ 604.814424] ttm_bo_populate+0x37/0xa0 [ttm a469cf7fcb6737fdcf3fb5cdbcc8b1ca41f3e302]
[ 604.814433] ttm_bo_handle_move_mem+0x157/0x170 [ttm a469cf7fcb6737fdcf3fb5cdbcc8b1ca41f3e302]
[ 604.814443] ttm_bo_validate+0xd9/0x180 [ttm a469cf7fcb6737fdcf3fb5cdbcc8b1ca41f3e302]
[ 604.814453] ttm_bo_init_reserved+0xa0/0x1b0 [ttm a469cf7fcb6737fdcf3fb5cdbcc8b1ca41f3e302]
[ 604.814461] ? srso_return_thunk+0x5/0x5f
[ 604.814469] amdgpu_bo_create+0x1f5/0x500 [amdgpu 361516226706227f4403914dbfdd3f90996136ca]
[ 604.814855] ? __pfx_amdgpu_bo_user_destroy+0x10/0x10 [amdgpu 361516226706227f4403914dbfdd3f90996136ca]
[ 604.815182] amdgpu_bo_create_user+0x3d/0x70 [amdgpu 361516226706227f4403914dbfdd3f90996136ca]
[ 604.815504] amdgpu_gem_create_ioctl+0x16c/0x3b0 [amdgpu 361516226706227f4403914dbfdd3f90996136ca]
[ 604.815830] ? __pfx_amdgpu_bo_user_destroy+0x10/0x10 [amdgpu 361516226706227f4403914dbfdd3f90996136ca]
[ 604.816155] ? __pfx_amdgpu_gem_create_ioctl+0x10/0x10 [amdgpu 361516226706227f4403914dbfdd3f90996136ca]
[ 604.816478] drm_ioctl_kernel+0xae/0x100
[ 604.816486] drm_ioctl+0x283/0x510
[ 604.816491] ? __pfx_amdgpu_gem_create_ioctl+0x10/0x10 [amdgpu 361516226706227f4403914dbfdd3f90996136ca]
[ 604.816819] amdgpu_drm_ioctl+0x4a/0x80 [amdgpu 361516226706227f4403914dbfdd3f90996136ca]
[ 604.817135] __x64_sys_ioctl+0x96/0xe0
[ 604.817142] do_syscall_64+0x11b/0x7e0
[ 604.817148] ? srso_return_thunk+0x5/0x5f
[ 604.817152] ? srso_return_thunk+0x5/0x5f
[ 604.817156] ? walk_system_ram_range+0xb0/0x110
[ 604.817161] ? srso_return_thunk+0x5/0x5f
[ 604.817165] ? __pte_offset_map+0x1b/0xb0
[ 604.817170] ? srso_return_thunk+0x5/0x5f
[ 604.817174] ? pte_offset_map_lock+0x87/0xf0
[ 604.817179] ? srso_return_thunk+0x5/0x5f
[ 604.817183] ? insert_pfn+0x9f/0x1f0
[ 604.817188] ? srso_return_thunk+0x5/0x5f
[ 604.817192] ? vmf_insert_pfn_prot+0x97/0x190
[ 604.817197] ? srso_return_thunk+0x5/0x5f
[ 604.817201] ? ttm_bo_vm_fault_reserved+0x1a6/0x3f0 [ttm a469cf7fcb6737fdcf3fb5cdbcc8b1ca41f3e302]
[ 604.817213] ? srso_return_thunk+0x5/0x5f
[ 604.817217] ? amdgpu_gem_fault+0xe2/0x100 [amdgpu 361516226706227f4403914dbfdd3f90996136ca]
[ 604.817542] ? srso_return_thunk+0x5/0x5f
[ 604.817546] ? __do_fault+0x33/0x180
[ 604.817550] ? srso_return_thunk+0x5/0x5f
[ 604.817554] ? do_fault+0x178/0x610
[ 604.817559] ? srso_return_thunk+0x5/0x5f
[ 604.817562] ? __handle_mm_fault+0x9be/0x1120
[ 604.817567] ? srso_return_thunk+0x5/0x5f
[ 604.817574] ? srso_return_thunk+0x5/0x5f
[ 604.817578] ? count_memcg_events+0xc4/0x160
[ 604.817583] ? srso_return_thunk+0x5/0x5f
[ 604.817587] ? handle_mm_fault+0x1d7/0x2e0
[ 604.817593] ? srso_return_thunk+0x5/0x5f
[ 604.817596] ? do_user_addr_fault+0x173/0x660
[ 604.817602] ? srso_return_thunk+0x5/0x5f
[ 604.817607] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 604.817612] RIP: 0033:0x7f00532cef4d
[ 604.817617] Code: 04 25 28 00 00 00 48 89 45 c8 31 c0 48 8d 45 10 c7 45 b0 10 00 00 00 48 89 45 b8 48 8d 45 d0 48 89 45 c0 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1a 48 8b 45 c8 64 48 2b 04 25 28 00 00 00
[ 604.817620] RSP: 002b:00007ffd69ab0650 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 604.817624] RAX: ffffffffffffffda RBX: 00007ffd69ab07d0 RCX: 00007f00532cef4d
[ 604.817627] RDX: 00007ffd69ab0700 RSI: 00000000c0206440 RDI: 0000000000000005
[ 604.817629] RBP: 00007ffd69ab06a0 R08: 00007f00533a0ac0 R09: 0000000000000000
[ 604.817632] R10: 00007ffd69ab07c0 R11: 0000000000000246 R12: 00007ffd69ab0700
[ 604.817634] R13: 00000000c0206440 R14: 0000000000000005 R15: 0000000000000243
[ 604.817642] </TASK>
```
Cc: Tvrtko Ursulin <tvrtko.ursulin@igalia.com>
Cc: Christian König <christian.koenig@amd.com>
Fixes: c06da4b3573a ("drm/ttm: Tidy usage of local variables a little bit")
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
Reviewed-by: Tvrtko Ursulin <tvrtko.ursulin@igalia.com>
Signed-off-by: Tvrtko Ursulin <tursulin@ursulin.net>
Link: https://lore.kernel.org/r/20260304-ttm_bo_res_uaf-v1-1-43f20125b67f@igalia.com
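The defect described in the message is a stale local copy of `bo->resource` that outlives a call which replaces and frees the resource it points to. The C program below is an added illustration of that sequence, not the kernel patch itself: it models a buffer object, a swapout callback that swaps in a system-placed resource and frees the old one, and the two caller shapes side by side (local snapshot taken before the call versus re-reading `bo->resource` after it). The pool allocator's free only sets a poison flag, so the stale read is observable instead of undefined behaviour. All names (`swapout_cb`, `walk_with_cached_local`, `walk_reading_bo_resource`, the `resource`/`bo` structs) are hypothetical simplifications of the TTM types.

```c
#include <stdbool.h>
#include <stddef.h>

/* Toy model, constructed for this example (not kernel code), of a TTM buffer
 * object whose backing resource can be replaced underneath the caller, the way
 * ttm_bo_swapout_cb replaces bo->resource when moving a bo to system memory. */
enum placement { PL_VRAM, PL_SYSTEM };

struct resource {
	enum placement place;
	bool freed;	/* poison bit: set by resource_free() instead of releasing */
};

struct bo {
	struct resource *resource;
};

/* Fixed pool so the example never calls malloc/free: a "freed" resource stays
 * readable with its poison bit set, which lets the stale access be detected. */
#define POOL_SIZE 8
static struct resource pool[POOL_SIZE];
static size_t pool_next;

static void reset_pool(void)
{
	pool_next = 0;
}

static struct resource *resource_alloc(enum placement p)
{
	struct resource *r;

	if (pool_next >= POOL_SIZE)
		return NULL;
	r = &pool[pool_next++];
	r->place = p;
	r->freed = false;
	return r;
}

static void resource_free(struct resource *r)
{
	r->freed = true;
}

/* Model of the swapout callback: publish a new system-placed resource through
 * bo->resource, then free the old one. Any pointer to the old one is now stale. */
static void swapout_cb(struct bo *bo)
{
	struct resource *old = bo->resource;

	bo->resource = resource_alloc(PL_SYSTEM);
	resource_free(old);
}

/* Shape introduced by the "tidy local variables" change: the pointer is copied
 * into a local before the call and reused afterwards. Returns true when the
 * post-call access lands on a freed resource (the use-after-free). */
static bool walk_with_cached_local(struct bo *bo)
{
	struct resource *res = bo->resource;	/* snapshot taken too early */

	swapout_cb(bo);				/* replaces and frees bo->resource */
	return res->freed;			/* stale pointer: reads freed memory */
}

/* Shape restored by the fix: always go through bo->resource after the call. */
static bool walk_reading_bo_resource(struct bo *bo)
{
	swapout_cb(bo);
	return bo->resource->freed;		/* live resource, never the freed one */
}

/* Argument-free entry points so the two shapes can be compared directly. */
bool cached_local_touches_freed(void)
{
	struct bo bo;

	reset_pool();
	bo.resource = resource_alloc(PL_VRAM);
	return walk_with_cached_local(&bo);
}

bool fresh_read_touches_freed(void)
{
	struct bo bo;

	reset_pool();
	bo.resource = resource_alloc(PL_VRAM);
	return walk_reading_bo_resource(&bo);
}

/* Placement seen through bo->resource after the swapout: the new system copy. */
enum placement placement_after_swapout(void)
{
	struct bo bo;

	reset_pool();
	bo.resource = resource_alloc(PL_VRAM);
	swapout_cb(&bo);
	return bo.resource->place;
}

int main(void)
{
	/* Exit 0 only if the cached-local shape hits the freed resource and the
	 * re-read shape does not. */
	return (cached_local_touches_freed() && !fresh_read_touches_freed()) ? 0 : 1;
}
```

The poison-flag allocator stands in for what KASAN or slab poisoning would report on a real kernel; the point of the comparison is that any callee which may migrate the bo invalidates earlier snapshots of `bo->resource`, so the safe discipline is to re-read the field after such calls rather than cache it across them.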
