On 3/30/22 12:45, Daniel Vetter wrote:
> On Tue, Mar 15, 2022 at 12:53:30AM +0300, Dmitry Osipenko wrote:
>> On 3/11/22 17:22, Maxime Ripard wrote:
>>> Hi Dmitry,
>>>
>>> On Thu, Mar 10, 2022 at 03:33:07AM +0300, Dmitry Osipenko wrote:
>>>> I was playing/testing SuperTuxKart using VirtIO-GPU driver and spotted a UAF bug in drm_atomic_helper_wait_for_vblanks().
>>>>
>>>> SuperTuxKart can use DRM directly, i.e. you can run the game in a VT without Xorg or Wayland, and this is where the bug happens. SuperTuxKart uses non-blocking atomic page flips, and the UAF happens when a new atomic state is committed while a previous page flip is still in flight.
>>>>
>>>> What happens is that the new and old atomic states refer to the same CRTC state somehow. Once the older atomic state is destroyed, the CRTC state is freed and the newer atomic state continues to use the freed CRTC state.
>>>
>>> I'm not sure what you mean by "the new and old atomic states refer to the same CRTC state", are those the same pointers?
>>
>> Yes, the pointers are the same. I'd assume that the newer atomic state should duplicate the CRTC state, but apparently that doesn't happen.
>
> The legacy cursor hack stuff does this, and it pretty fundamentally breaks everything. Might be good to retest with that disabled:
>
> https://lore.kernel.org/dri-devel/20201023123925.2374863-1-daniel.vetter@ffw...
>
> The problem is a bit that this might cause some regressions, for drivers which don't yet have the fancy new cursor fastpath for plane updates.
> -Daniel

Thank you, I tested your patch and unfortunately it doesn't fix my problem. It should be a separate bug.

Those async update code paths aren't trivial; it will take some time for me to debug this.
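The ownership rule the thread is circling, modelled as an added, self-contained example that is not DRM kernel code and not from anyone in this thread: every atomic state must own a private copy of the per-CRTC state it touches, so releasing the older state cannot pull the memory out from under the newer one. The struct and function names (`crtc_state`, `atomic_state`, `crtc_state_duplicate`, `atomic_states_alias`, and the two `demo_*` functions) are hypothetical user-space stand-ins; the second demo shows the aliasing condition being caught by an invariant check before anything is freed, which is where a debug build would want to complain.

```c
/* Added example: a user-space model of the "each atomic state owns its own
 * CRTC state" rule, not kernel code. All names here are hypothetical. */
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Per-CRTC state: a few fields standing in for the real thing. */
struct crtc_state {
    unsigned int hdisplay;
    unsigned int vdisplay;
    bool active;
};

/* One atomic state = one proposed update; it owns the crtc_state it points at. */
struct atomic_state {
    struct crtc_state *crtc;
};

/* Deep-copy the CRTC state so a new update shares no memory with the old one. */
static struct crtc_state *crtc_state_duplicate(const struct crtc_state *src)
{
    struct crtc_state *dup = malloc(sizeof(*dup));
    if (!dup)
        return NULL;
    memcpy(dup, src, sizeof(*dup));
    return dup;
}

/* Correct path: the new state gets its own copy of the CRTC state. */
static struct atomic_state *atomic_state_new_from(const struct atomic_state *old)
{
    struct atomic_state *st = malloc(sizeof(*st));
    if (!st)
        return NULL;
    st->crtc = crtc_state_duplicate(old->crtc);
    if (!st->crtc) {
        free(st);
        return NULL;
    }
    return st;
}

/* Modelled buggy path: the new state aliases the old CRTC state pointer. */
static struct atomic_state *atomic_state_new_aliasing(const struct atomic_state *old)
{
    struct atomic_state *st = malloc(sizeof(*st));
    if (!st)
        return NULL;
    st->crtc = old->crtc;
    return st;
}

/* Invariant check: two live atomic states must never point at the same crtc_state. */
static bool atomic_states_alias(const struct atomic_state *a, const struct atomic_state *b)
{
    return a->crtc != NULL && a->crtc == b->crtc;
}

/* Releasing an atomic state frees the CRTC state it owns; only safe without aliasing. */
static void atomic_state_put(struct atomic_state *st)
{
    free(st->crtc);
    free(st);
}

/* Correct sequence: old flip in flight, new state duplicates, old is released.
 * Returns the new state's hdisplay read after the old state is gone (1920 on success). */
unsigned int demo_duplicate_survives_release(void)
{
    struct crtc_state base = { .hdisplay = 1920, .vdisplay = 1080, .active = true };
    struct atomic_state old = { .crtc = crtc_state_duplicate(&base) };
    if (!old.crtc)
        return 0;
    struct atomic_state *nxt = atomic_state_new_from(&old);
    if (!nxt) {
        free(old.crtc);
        return 0;
    }
    bool aliased = atomic_states_alias(&old, nxt);
    free(old.crtc);            /* old state is done; its CRTC state goes away */
    old.crtc = NULL;
    unsigned int h = aliased ? 0 : nxt->crtc->hdisplay; /* still valid: private copy */
    atomic_state_put(nxt);
    return h;
}

/* Aliasing sequence: the invariant check catches it before any release happens.
 * The shared crtc_state is then freed exactly once. Returns true if aliasing was detected. */
bool demo_alias_is_detected(void)
{
    struct crtc_state base = { .hdisplay = 1920, .vdisplay = 1080, .active = true };
    struct atomic_state old = { .crtc = crtc_state_duplicate(&base) };
    if (!old.crtc)
        return false;
    struct atomic_state *nxt = atomic_state_new_aliasing(&old);
    if (!nxt) {
        free(old.crtc);
        return false;
    }
    bool aliased = atomic_states_alias(&old, nxt);
    free(old.crtc);            /* single owner frees the shared state once */
    free(nxt);                 /* nxt's crtc pointer is now dangling; never dereferenced */
    return aliased;
}
```

The check in `atomic_states_alias` is the kind of assertion worth placing wherever a state is about to be released in a model like this: if it ever fires, the release must not proceed, because whoever still holds the other pointer would be left with freed memory, which is exactly the situation described for drm_atomic_helper_wait_for_vblanks() above.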