cve/published/2023/CVE-2023-53087.mbox

From bippy-1.1.0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@kernel.org>
To: <linux-cve-announce@vger.kernel.org>
Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
Subject: CVE-2023-53087: drm/i915/active: Fix misuse of non-idle barriers as fence trackers

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

drm/i915/active: Fix misuse of non-idle barriers as fence trackers

Users reported oopses on list corruptions when using i915 perf with a
number of concurrently running graphics applications.  Root cause analysis
pointed at an issue in barrier processing code -- a race among perf open /
close replacing active barriers with perf requests on kernel context and
concurrent barrier preallocate / acquire operations performed during user
context first pin / last unpin.

When adding a request to a composite tracker, we try to reuse an existing
fence tracker, already allocated and registered with that composite.  The
tracker we obtain may already track another fence, may be an idle barrier,
or an active barrier.

If the tracker we get occurs a non-idle barrier then we try to delete that
barrier from a list of barrier tasks it belongs to.  However, while doing
that we don't respect return value from a function that performs the
barrier deletion.  Should the deletion ever fail, we would end up reusing
the tracker still registered as a barrier task.  Since the same structure
field is reused with both fence callback lists and barrier tasks list,
list corruptions would likely occur.

Barriers are now deleted from a barrier tasks list by temporarily removing
the list content, traversing that content with skip over the node to be
deleted, then populating the list back with the modified content.  Should
that intentionally racy concurrent deletion attempts be not serialized,
one or more of those may fail because of the list being temporary empty.

Related code that ignores the results of barrier deletion was initially
introduced in v5.4 by commit d8af05ff38ae ("drm/i915: Allow sharing the
idle-barrier from other kernel requests").  However, all users of the
barrier deletion routine were apparently serialized at that time, then the
issue didn't exhibit itself.  Results of git bisect with help of a newly
developed igt@gem_barrier_race@remote-request IGT test indicate that list
corruptions might start to appear after commit 311770173fac ("drm/i915/gt:
Schedule request retirement when timeline idles"), introduced in v5.5.

Respect results of barrier deletion attempts -- mark the barrier as idle
only if successfully deleted from the list.  Then, before proceeding with
setting our fence as the one currently tracked, make sure that the tracker
we've got is not a non-idle barrier.  If that check fails then don't use
that tracker but go back and try to acquire a new, usable one.

v3: use unlikely() to document what outcome we expect (Andi),
  - fix bad grammar in commit description.
v2: no code changes,
  - blame commit 311770173fac ("drm/i915/gt: Schedule request retirement
    when timeline idles"), v5.5, not commit d8af05ff38ae ("drm/i915: Allow
    sharing the idle-barrier from other kernel requests"), v5.4,
  - reword commit description.

(cherry picked from commit 506006055769b10d1b2b4e22f636f3b45e0e9fc7)

The Linux kernel CVE team has assigned CVE-2023-53087 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 5.5 with commit 311770173fac27845a3a83e2c16100a54d308f72 and fixed in 5.10.176 with commit 5e784a7d07af42057c0576fb647b482f4cb0dc2c
	Issue introduced in 5.5 with commit 311770173fac27845a3a83e2c16100a54d308f72 and fixed in 5.15.104 with commit 6ab7d33617559cced63d467928f478ea5c459021
	Issue introduced in 5.5 with commit 311770173fac27845a3a83e2c16100a54d308f72 and fixed in 6.1.21 with commit 5c7591b8574c52c56b3994c2fbef1a3a311b5715
	Issue introduced in 5.5 with commit 311770173fac27845a3a83e2c16100a54d308f72 and fixed in 6.2.8 with commit 9159db27fb19bbf1c91b5c9d5285e66cc96cc5ff
	Issue introduced in 5.5 with commit 311770173fac27845a3a83e2c16100a54d308f72 and fixed in 6.3 with commit e0e6b416b25ee14716f3549e0cbec1011b193809

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2023-53087
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	drivers/gpu/drm/i915/i915_active.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/5e784a7d07af42057c0576fb647b482f4cb0dc2c
	https://git.kernel.org/stable/c/6ab7d33617559cced63d467928f478ea5c459021
	https://git.kernel.org/stable/c/5c7591b8574c52c56b3994c2fbef1a3a311b5715
	https://git.kernel.org/stable/c/9159db27fb19bbf1c91b5c9d5285e66cc96cc5ff
	https://git.kernel.org/stable/c/e0e6b416b25ee14716f3549e0cbec1011b193809