Re: [PATCH] drm/nouveau/disp: fix use-after-free in error handling of nouveau_connector_create

2023-08-17 Thread Borislav Petkov
On Thu, Aug 17, 2023 at 12:24:45PM +0200, Karol Herbst wrote:
> simply throw a
> 
> printk(KERN_WARNING "nvkm_uconn_uevent %u\n", outp->info.location);
> 
> inside drivers/gpu/drm/nouveau/nvkm/engine/disp/uconn.c:104 after that
> mentioned comment.

diff --git a/drivers/gpu/drm/nouveau/nvkm/engine/disp/uconn.c 
b/drivers/gpu/drm/nouveau/nvkm/engine/disp/uconn.c
index 46b057fe1412..661fd0cf3b3b 100644
--- a/drivers/gpu/drm/nouveau/nvkm/engine/disp/uconn.c
+++ b/drivers/gpu/drm/nouveau/nvkm/engine/disp/uconn.c
@@ -101,6 +101,7 @@ nvkm_uconn_uevent(struct nvkm_object *object, void *argv, 
u32 argc, struct nvkm_
if (args->v0.types & NVIF_CONN_EVENT_V0_UNPLUG) bits |= NVKM_GPIO_LO;
if (args->v0.types & NVIF_CONN_EVENT_V0_IRQ) {
/* TODO: support DP IRQ on ANX9805 and remove this hack. */
+   printk(KERN_WARNING "nvkm_uconn_uevent %u\n", 
outp->info.location);
if (!outp->info.location)
return -EINVAL;
}
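
Review bot: the added printk() in the NVIF_CONN_EVENT_V0_IRQ branch logs only outp->info.location, so its output cannot be tied to a particular device or output; the six identical "nvkm_uconn_uevent 0" lines in the result below show the limitation. For a throwaway debug aid that is acceptable, but printing an identifier for the output next to the location would make the trace more useful, and pr_warn() is preferred over printk(KERN_WARNING ...) in kernel style. Because the print sits directly above the "if (!outp->info.location)" check, a logged value of 0 also means the -EINVAL return that follows is taken.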

result:

[   10.566759] ACPI: bus type drm_connector registered
[   10.591171] Console: switching to colour dummy device 80x25
[   10.598472] nouveau :03:00.0: vgaarb: deactivate vga console
[   10.607121] nouveau :03:00.0: NVIDIA GT218 (0a8c00b1)
[   10.728361] nouveau :03:00.0: bios: version 70.18.83.00.08
[   10.742137] nouveau :03:00.0: fb: 512 MiB DDR3
[   11.059848] nouveau :03:00.0: DRM: VRAM: 512 MiB
[   11.064911] nouveau :03:00.0: DRM: GART: 1048576 MiB
[   11.070302] nouveau :03:00.0: DRM: TMDS table version 2.0
[   11.076126] nouveau :03:00.0: DRM: DCB version 4.0
[   11.081335] nouveau :03:00.0: DRM: DCB outp 00: 02000360 
[   11.087865] nouveau :03:00.0: DRM: DCB outp 01: 02000362 00020010
[   11.094395] nouveau :03:00.0: DRM: DCB outp 02: 028003a6 0f220010
[   11.100912] nouveau :03:00.0: DRM: DCB outp 03: 01011380 
[   11.107422] nouveau :03:00.0: DRM: DCB outp 04: 08011382 00020010
[   11.113940] nouveau :03:00.0: DRM: DCB outp 05: 088113c6 0f220010
[   11.120457] nouveau :03:00.0: DRM: DCB conn 00: 00101064
[   11.126182] nouveau :03:00.0: DRM: DCB conn 01: 00202165
[   11.138865] nouveau :03:00.0: DRM: MM: using COPY for buffer copies
[   11.151291] nvkm_uconn_uevent 0
[   11.154643] nvkm_uconn_uevent 0
[   11.157975] nvkm_uconn_uevent 0
[   11.161298] nvkm_uconn_uevent 0
[   11.164616] nvkm_uconn_uevent 0
[   11.167943] nvkm_uconn_uevent 0
[   11.176010] [drm] Initialized nouveau 1.3.1 20120801 for :03:00.0 on 
minor 0
[   11.184186] nouveau :03:00.0: [drm] Cannot find any crtc or sizes
[   11.260527] megasas: 07.725.01.00-rc1
[   11.264555] st: Version 20160209, fixed bufsize 32768, s/g segs 256

-- 
Regards/Gruss,
Boris.

https://people.kernel.org/tglx/notes-about-netiquette


Re: [PATCH] drm/nouveau/disp: fix use-after-free in error handling of nouveau_connector_create

2023-08-17 Thread Karol Herbst
On Thu, Aug 17, 2023 at 12:11 PM Borislav Petkov wrote:
>
> On Thu, Aug 17, 2023 at 12:00:47PM +0200, Karol Herbst wrote:
> > btw, what would help is to know where `nvkm_uconn_uevent` actually
> > fails, or rather, are you running into this "/* TODO: support DP IRQ
> > on ANX9805 and remove this hack. */" condition?
>
> Send me a diff, I'll run it here and catch output over serial.
>

simply throw a

printk(KERN_WARNING "nvkm_uconn_uevent %u\n", outp->info.location);

inside drivers/gpu/drm/nouveau/nvkm/engine/disp/uconn.c:104 after that
mentioned comment.

> Thx.
>
> --
> Regards/Gruss,
> Boris.
>
> https://people.kernel.org/tglx/notes-about-netiquette
>



Re: [PATCH] drm/nouveau/disp: fix use-after-free in error handling of nouveau_connector_create

2023-08-17 Thread Borislav Petkov
On Thu, Aug 17, 2023 at 12:00:47PM +0200, Karol Herbst wrote:
> btw, what would help is to know where `nvkm_uconn_uevent` actually
> fails, or rather, are you running into this "/* TODO: support DP IRQ
> on ANX9805 and remove this hack. */" condition?

Send me a diff, I'll run it here and catch output over serial.

Thx.

-- 
Regards/Gruss,
Boris.

https://people.kernel.org/tglx/notes-about-netiquette


Re: [PATCH] drm/nouveau/disp: fix use-after-free in error handling of nouveau_connector_create

2023-08-17 Thread Karol Herbst
On Thu, Aug 17, 2023 at 11:58 AM Karol Herbst wrote:
>
> On Thu, Aug 17, 2023 at 10:10 AM Borislav Petkov wrote:
> >
> > On Thu, Aug 17, 2023 at 01:18:12AM +0200, Karol Herbst wrote:
> > > do you have one of these? https://en.wikipedia.org/wiki/DMS-59
> >
> > Ah, DMS == Dual Monitor Solution :-)
> >
> > Yap, that's exactly what the GPU has. And the Y-cable is 2xDVI. It is
> > a Dell workstation and it came this way, meaning I haven't done any
> > changes there.
> >
> > Thx.
>
> right.. seems like on my GPU with such a connector I'm not seeing any
> issues... let me dig further into the vbios and see if I can figure
> something out there.
>

btw, what would help is to know where `nvkm_uconn_uevent` actually
fails, or rather, are you running into this "/* TODO: support DP IRQ
on ANX9805 and remove this hack. */" condition?

> >
> > --
> > Regards/Gruss,
> > Boris.
> >
> > https://people.kernel.org/tglx/notes-about-netiquette
> >



Re: [PATCH] drm/nouveau/disp: fix use-after-free in error handling of nouveau_connector_create

2023-08-17 Thread Karol Herbst
On Thu, Aug 17, 2023 at 10:10 AM Borislav Petkov wrote:
>
> On Thu, Aug 17, 2023 at 01:18:12AM +0200, Karol Herbst wrote:
> > do you have one of these? https://en.wikipedia.org/wiki/DMS-59
>
> Ah, DMS == Dual Monitor Solution :-)
>
> Yap, that's exactly what the GPU has. And the Y-cable is 2xDVI. It is
> a Dell workstation and it came this way, meaning I haven't done any
> changes there.
>
> Thx.

right.. seems like on my GPU with such a connector I'm not seeing any
issues... let me dig further into the vbios and see if I can figure
something out there.

>
> --
> Regards/Gruss,
> Boris.
>
> https://people.kernel.org/tglx/notes-about-netiquette
>



Re: [PATCH] drm/nouveau/disp: fix use-after-free in error handling of nouveau_connector_create

2023-08-17 Thread Borislav Petkov
On Thu, Aug 17, 2023 at 01:18:12AM +0200, Karol Herbst wrote:
> do you have one of these? https://en.wikipedia.org/wiki/DMS-59

Ah, DMS == Dual Monitor Solution :-)

Yap, that's exactly what the GPU has. And the Y-cable is 2xDVI. It is
a Dell workstation and it came this way, meaning I haven't done any
changes there.

Thx.

-- 
Regards/Gruss,
Boris.

https://people.kernel.org/tglx/notes-about-netiquette


Re: [PATCH] drm/nouveau/disp: fix use-after-free in error handling of nouveau_connector_create

2023-08-16 Thread Karol Herbst
On Thu, Aug 17, 2023 at 12:14 AM Borislav Petkov wrote:
>
> On Wed, Aug 16, 2023 at 11:27:05PM +0200, Karol Herbst wrote:
> > that GPU has only a `DMS-59` connector, is that right?
>
> No clue. How do I figure that out?
>

do you have one of these? https://en.wikipedia.org/wiki/DMS-59

> --
> Regards/Gruss,
> Boris.
>
> https://people.kernel.org/tglx/notes-about-netiquette
>



Re: [PATCH] drm/nouveau/disp: fix use-after-free in error handling of nouveau_connector_create

2023-08-16 Thread Borislav Petkov
On Wed, Aug 16, 2023 at 11:27:05PM +0200, Karol Herbst wrote:
> that GPU has only a `DMS-59` connector, is that right?

No clue. How do I figure that out?

-- 
Regards/Gruss,
Boris.

https://people.kernel.org/tglx/notes-about-netiquette


Re: [PATCH] drm/nouveau/disp: fix use-after-free in error handling of nouveau_connector_create

2023-08-16 Thread Karol Herbst
On Wed, Aug 16, 2023 at 5:13 PM Borislav Petkov wrote:
>
> On Wed, Aug 16, 2023 at 04:57:28PM +0200, Karol Herbst wrote:
> > Do you have any connectors listed in "/sys/class/drm"?
>
> tree /sys/class/drm/
> /sys/class/drm/
> ├── card0 -> ../../devices/pci:00/:00:02.0/:03:00.0/drm/card0
> ├── renderD128 -> 
> ../../devices/pci:00/:00:02.0/:03:00.0/drm/renderD128
> └── version
>
> > Also, mind sharing your vbios.rom file from
> > "/sys/kernel/debug/dri/0/vbios.rom"?
>
> Attached.

that GPU has only a `DMS-59` connector, is that right? I have such a
GPU myself, so maybe I can trigger that bug there, let's see..

>
> --
> Regards/Gruss,
> Boris.
>
> https://people.kernel.org/tglx/notes-about-netiquette



Re: [PATCH] drm/nouveau/disp: fix use-after-free in error handling of nouveau_connector_create

2023-08-16 Thread Lyude Paul
Reviewed-by: Lyude Paul 

On Mon, 2023-08-14 at 16:49 +0200, Karol Herbst wrote:
> We can't simply free the connector after calling drm_connector_init on it.
> We need to clean up the drm side first.
> 
> It might not fix all regressions from 2b5d1c29f6c4 ("drm/nouveau/disp:
> PIOR DP uses GPIO for HPD, not PMGR AUX interrupts"), but at least it
> fixes a memory corruption in error handling related to that commit.
> 
> Link: 
> https://lore.kernel.org/lkml/20230806213107.GFZNARG6moWpFuSJ9W@fat_crate.local/
> Fixes: 95983aea8003 ("drm/nouveau/disp: add connector class")
> Signed-off-by: Karol Herbst 
> ---
>  drivers/gpu/drm/nouveau/nouveau_connector.c | 11 +++
>  1 file changed, 7 insertions(+), 4 deletions(-)
> 
> diff --git a/drivers/gpu/drm/nouveau/nouveau_connector.c 
> b/drivers/gpu/drm/nouveau/nouveau_connector.c
> index a2e0033e8a260..622f6eb9a8bfd 100644
> --- a/drivers/gpu/drm/nouveau/nouveau_connector.c
> +++ b/drivers/gpu/drm/nouveau/nouveau_connector.c
> @@ -1408,8 +1408,7 @@ nouveau_connector_create(struct drm_device *dev,
>   ret = nvif_conn_ctor(>disp, nv_connector->base.name, 
> nv_connector->index,
>_connector->conn);
>   if (ret) {
> - kfree(nv_connector);
> - return ERR_PTR(ret);
> + goto drm_conn_err;
>   }
>  
>   ret = nvif_conn_event_ctor(_connector->conn, "kmsHotplug",
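
Review bot: the failure path of the "kmsHotplug" nvif_conn_event_ctor() call, on which this hunk's trailing context ends, is not covered by any of the visible changes. Worth confirming that no return between drm_connector_init() and the new label still frees nv_connector directly, since the rule in the commit message applies to every such path and not only to the two converted here.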
> @@ -1426,8 +1425,7 @@ nouveau_connector_create(struct drm_device *dev,
>   if (ret) {
>   nvif_event_dtor(_connector->hpd);
>   nvif_conn_dtor(_connector->conn);
> - kfree(nv_connector);
> - return ERR_PTR(ret);
> + goto drm_conn_err;
>   }
>   }
>   }
> @@ -1475,4 +1473,9 @@ nouveau_connector_create(struct drm_device *dev,
>  
>   drm_connector_register(connector);
>   return connector;
> +
> +drm_conn_err:
> + drm_connector_cleanup(connector);
> + kfree(nv_connector);
> + return ERR_PTR(ret);
>  }
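
Review bot: the label name drm_conn_err added at the end of nouveau_connector_create() says that something went wrong but not what the jump undoes. The kernel coding style asks for labels that say what the goto does; a name along the lines of err_connector_cleanup would make the call sites in the two earlier hunks read correctly without scrolling down to the label.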

-- 
Cheers,
 Lyude Paul (she/her)
 Software Engineer at Red Hat



Re: [PATCH] drm/nouveau/disp: fix use-after-free in error handling of nouveau_connector_create

2023-08-16 Thread Borislav Petkov
On Wed, Aug 16, 2023 at 04:57:28PM +0200, Karol Herbst wrote:
> Do you have any connectors listed in "/sys/class/drm"?

tree /sys/class/drm/
/sys/class/drm/
├── card0 -> ../../devices/pci:00/:00:02.0/:03:00.0/drm/card0
├── renderD128 -> 
../../devices/pci:00/:00:02.0/:03:00.0/drm/renderD128
└── version

> Also, mind sharing your vbios.rom file from
> "/sys/kernel/debug/dri/0/vbios.rom"?

Attached.

-- 
Regards/Gruss,
Boris.

https://people.kernel.org/tglx/notes-about-netiquette


vbios.rom.gz
Description: application/gzip


Re: [PATCH] drm/nouveau/disp: fix use-after-free in error handling of nouveau_connector_create

2023-08-16 Thread Karol Herbst
On Wed, Aug 16, 2023 at 4:54 PM Borislav Petkov wrote:
>
> On Wed, Aug 16, 2023 at 11:51:50AM +0200, Karol Herbst wrote:
> > Mind sharing your kernel logs with that patch applied? I suspect your
> > system boots up but you might just not have the connector available or
> > something? It could be that you have one of those GPUs affected by the
> > original change and then we'd have to figure out what to do with that.
>
> Close. With your patch applied, the machine is up and I can log in and
> use it. However, the output on the connected monitor stops after...
>
> [6.815167] ACPI: \_PR_.CP05: Found 4 idle states
> [6.825438] ACPI: \_PR_.CP06: Found 4 idle states
> [6.835661] ACPI: \_PR_.CP07: Found 4 idle states
> [7.280093] Freeing initrd memory: 8328K
> [7.601986] tsc: Refined TSC clocksource calibration: 3591.346 MHz
> [7.608360] clocksource: tsc: mask: 0x max_cycles: 
> 0x33c46403b59, max_idle_ns: 440795293818 ns
> [7.620254] clocksource: Switched to clocksource tsc
> [8.337724] Serial: 8250/16550 driver, 4 ports, IRQ sharing enabled
> [8.350553] 00:05: ttyS0 at I/O 0x3f8 (irq = 4, base_baud = 115200) is a 
> 16550A
> [8.375311] serial :00:16.3: enabling device ( -> 0003)
> [8.403681] :00:16.3: ttyS1 at I/O 0xf0a0 (irq = 17, base_baud = 
> 115200) is a 16550A
> [8.424951] Linux agpgart interface v0.103
> [8.432456] ACPI: bus type drm_connector registered
>
> ... this line here above. It is the last one output. What you see here
> below is what I'm catching from serial.
>
> [8.456734] Console: switching to colour dummy device 80x25
> [8.464414] nouveau :03:00.0: vgaarb: deactivate vga console
> [8.473063] nouveau :03:00.0: NVIDIA GT218 (0a8c00b1)
> [8.594096] nouveau :03:00.0: bios: version 70.18.83.00.08
> [8.607906] nouveau :03:00.0: fb: 512 MiB DDR3
> [8.926721] nouveau :03:00.0: DRM: VRAM: 512 MiB
> [8.931763] nouveau :03:00.0: DRM: GART: 1048576 MiB
> [8.937156] nouveau :03:00.0: DRM: TMDS table version 2.0
> [8.942969] nouveau :03:00.0: DRM: DCB version 4.0
> [8.948173] nouveau :03:00.0: DRM: DCB outp 00: 02000360 
> [8.954696] nouveau :03:00.0: DRM: DCB outp 01: 02000362 00020010
> [8.961211] nouveau :03:00.0: DRM: DCB outp 02: 028003a6 0f220010
> [8.967739] nouveau :03:00.0: DRM: DCB outp 03: 01011380 
> [8.974261] nouveau :03:00.0: DRM: DCB outp 04: 08011382 00020010
> [8.980769] nouveau :03:00.0: DRM: DCB outp 05: 088113c6 0f220010
> [8.987293] nouveau :03:00.0: DRM: DCB conn 00: 00101064
> [8.993015] nouveau :03:00.0: DRM: DCB conn 01: 00202165
> [9.005724] nouveau :03:00.0: DRM: MM: using COPY for buffer copies
> [9.023889] [drm] Initialized nouveau 1.3.1 20120801 for :03:00.0 on 
> minor 0
> [9.032044] nouveau :03:00.0: [drm] Cannot find any crtc or sizes
> [9.162909] megasas: 07.725.01.00-rc1
> [9.167537] st: Version 20160209, fixed bufsize 32768, s/g segs 256
> [9.176058] ahci :00:1f.2: version 3.0
> [9.194078] ahci :00:1f.2: AHCI 0001.0300 32 slots 6 ports 6 Gbps 0x3 
> impl SATA mode
> [9.202487] ahci :00:1f.2: flags: 64bit ncq sntf pm led clo pio slum 
> part ems apst
> [9.243154] scsi host0: ahci
> [9.252090] scsi host1: ahci
> [9.260389] scsi host2: ahci
> [9.268061] scsi host3: ahci
> [9.273542] scsi host4: ahci
> [9.279071] scsi host5: ahci
> ...
>
> and so on until full boot.
>

okay, so the patch at least fixes the memory corruption, which is
good, so I'd go ahead and push it out as it might also fix other
unrelated crashes.

Do you have any connectors listed in "/sys/class/drm"? Also, mind
sharing your vbios.rom file from "/sys/kernel/debug/dri/0/vbios.rom"?

Thanks

> --
> Regards/Gruss,
> Boris.
>
> https://people.kernel.org/tglx/notes-about-netiquette
>



Re: [PATCH] drm/nouveau/disp: fix use-after-free in error handling of nouveau_connector_create

2023-08-16 Thread Borislav Petkov
On Wed, Aug 16, 2023 at 11:51:50AM +0200, Karol Herbst wrote:
> Mind sharing your kernel logs with that patch applied? I suspect your
> system boots up but you might just not have the connector available or
> something? It could be that you have one of those GPUs affected by the
> original change and then we'd have to figure out what to do with that.

Close. With your patch applied, the machine is up and I can log in and
use it. However, the output on the connected monitor stops after...

[6.815167] ACPI: \_PR_.CP05: Found 4 idle states
[6.825438] ACPI: \_PR_.CP06: Found 4 idle states
[6.835661] ACPI: \_PR_.CP07: Found 4 idle states
[7.280093] Freeing initrd memory: 8328K
[7.601986] tsc: Refined TSC clocksource calibration: 3591.346 MHz
[7.608360] clocksource: tsc: mask: 0x max_cycles: 
0x33c46403b59, max_idle_ns: 440795293818 ns
[7.620254] clocksource: Switched to clocksource tsc
[8.337724] Serial: 8250/16550 driver, 4 ports, IRQ sharing enabled
[8.350553] 00:05: ttyS0 at I/O 0x3f8 (irq = 4, base_baud = 115200) is a 
16550A
[8.375311] serial :00:16.3: enabling device ( -> 0003)
[8.403681] :00:16.3: ttyS1 at I/O 0xf0a0 (irq = 17, base_baud = 115200) 
is a 16550A
[8.424951] Linux agpgart interface v0.103
[8.432456] ACPI: bus type drm_connector registered

... this line here above. It is the last one output. What you see here
below is what I'm catching from serial.

[8.456734] Console: switching to colour dummy device 80x25
[8.464414] nouveau :03:00.0: vgaarb: deactivate vga console
[8.473063] nouveau :03:00.0: NVIDIA GT218 (0a8c00b1)
[8.594096] nouveau :03:00.0: bios: version 70.18.83.00.08
[8.607906] nouveau :03:00.0: fb: 512 MiB DDR3
[8.926721] nouveau :03:00.0: DRM: VRAM: 512 MiB
[8.931763] nouveau :03:00.0: DRM: GART: 1048576 MiB
[8.937156] nouveau :03:00.0: DRM: TMDS table version 2.0
[8.942969] nouveau :03:00.0: DRM: DCB version 4.0
[8.948173] nouveau :03:00.0: DRM: DCB outp 00: 02000360 
[8.954696] nouveau :03:00.0: DRM: DCB outp 01: 02000362 00020010
[8.961211] nouveau :03:00.0: DRM: DCB outp 02: 028003a6 0f220010
[8.967739] nouveau :03:00.0: DRM: DCB outp 03: 01011380 
[8.974261] nouveau :03:00.0: DRM: DCB outp 04: 08011382 00020010
[8.980769] nouveau :03:00.0: DRM: DCB outp 05: 088113c6 0f220010
[8.987293] nouveau :03:00.0: DRM: DCB conn 00: 00101064
[8.993015] nouveau :03:00.0: DRM: DCB conn 01: 00202165
[9.005724] nouveau :03:00.0: DRM: MM: using COPY for buffer copies
[9.023889] [drm] Initialized nouveau 1.3.1 20120801 for :03:00.0 on 
minor 0
[9.032044] nouveau :03:00.0: [drm] Cannot find any crtc or sizes
[9.162909] megasas: 07.725.01.00-rc1
[9.167537] st: Version 20160209, fixed bufsize 32768, s/g segs 256
[9.176058] ahci :00:1f.2: version 3.0
[9.194078] ahci :00:1f.2: AHCI 0001.0300 32 slots 6 ports 6 Gbps 0x3 
impl SATA mode
[9.202487] ahci :00:1f.2: flags: 64bit ncq sntf pm led clo pio slum 
part ems apst 
[9.243154] scsi host0: ahci
[9.252090] scsi host1: ahci
[9.260389] scsi host2: ahci
[9.268061] scsi host3: ahci
[9.273542] scsi host4: ahci
[9.279071] scsi host5: ahci
...

and so on until full boot.

-- 
Regards/Gruss,
Boris.

https://people.kernel.org/tglx/notes-about-netiquette


Re: [PATCH] drm/nouveau/disp: fix use-after-free in error handling of nouveau_connector_create

2023-08-16 Thread Takashi Iwai
On Wed, 16 Aug 2023 12:14:24 +0200,
Borislav Petkov wrote:
> 
> On Wed, Aug 16, 2023 at 12:11:57PM +0200, Borislav Petkov wrote:
> > Does that help?
> 
> Btw, note that this is *plain* -rc5, without your patch.

The UAF looks very much the same as the one I had, and that's the bug
Karol's patch should address.  So more interesting would be the result
with the patch :)


Takashi


Re: [PATCH] drm/nouveau/disp: fix use-after-free in error handling of nouveau_connector_create

2023-08-16 Thread Borislav Petkov
On Wed, Aug 16, 2023 at 12:11:57PM +0200, Borislav Petkov wrote:
> Does that help?

Btw, note that this is *plain* -rc5, without your patch.

-- 
Regards/Gruss,
Boris.

https://people.kernel.org/tglx/notes-about-netiquette


Re: [PATCH] drm/nouveau/disp: fix use-after-free in error handling of nouveau_connector_create

2023-08-16 Thread Borislav Petkov
On Wed, Aug 16, 2023 at 12:03:44PM +0200, Borislav Petkov wrote:
> On Wed, Aug 16, 2023 at 11:51:50AM +0200, Karol Herbst wrote:
> > Mind sharing your kernel logs with that patch applied? I suspect your
> > system boots up but you might just not have the connector available or
> > something? It could be that you have one of those GPUs affected by the
> > original change and then we'd have to figure out what to do with that.
> 
> Lemme do the KASAN run you requested first. It is an old and slooow box,
> the grandma. :-)

Does that help?


Re: [PATCH] drm/nouveau/disp: fix use-after-free in error handling of nouveau_connector_create

2023-08-16 Thread Borislav Petkov
On Wed, Aug 16, 2023 at 11:51:50AM +0200, Karol Herbst wrote:
> Mind sharing your kernel logs with that patch applied? I suspect your
> system boots up but you might just not have the connector available or
> something? It could be that you have one of those GPUs affected by the
> original change and then we'd have to figure out what to do with that.

Lemme do the KASAN run you requested first. It is an old and slooow box,
the grandma. :-)

-- 
Regards/Gruss,
Boris.

https://people.kernel.org/tglx/notes-about-netiquette


Re: [PATCH] drm/nouveau/disp: fix use-after-free in error handling of nouveau_connector_create

2023-08-16 Thread Karol Herbst
On Wed, Aug 16, 2023 at 11:30 AM Borislav Petkov wrote:
>
> On Mon, Aug 14, 2023 at 04:49:32PM +0200, Karol Herbst wrote:
> > We can't simply free the connector after calling drm_connector_init on it.
> > We need to clean up the drm side first.
> >
> > It might not fix all regressions from 2b5d1c29f6c4 ("drm/nouveau/disp:
> > PIOR DP uses GPIO for HPD, not PMGR AUX interrupts"), but at least it
> > fixes a memory corruption in error handling related to that commit.
> >
> > Link: 
> > https://lore.kernel.org/lkml/20230806213107.GFZNARG6moWpFuSJ9W@fat_crate.local/
> > Fixes: 95983aea8003 ("drm/nouveau/disp: add connector class")
> > Signed-off-by: Karol Herbst 
> > ---
> >  drivers/gpu/drm/nouveau/nouveau_connector.c | 11 +++
> >  1 file changed, 7 insertions(+), 4 deletions(-)
>
> This one on top of -rc5 doesn't help, unfortunately.
>

Mind sharing your kernel logs with that patch applied? I suspect your
system boots up but you might just not have the connector available or
something? It could be that you have one of those GPUs affected by the
original change and then we'd have to figure out what to do with that.

> Thx.
>
> --
> Regards/Gruss,
> Boris.
>
> https://people.kernel.org/tglx/notes-about-netiquette
>



Re: [PATCH] drm/nouveau/disp: fix use-after-free in error handling of nouveau_connector_create

2023-08-16 Thread Borislav Petkov
On Mon, Aug 14, 2023 at 04:49:32PM +0200, Karol Herbst wrote:
> We can't simply free the connector after calling drm_connector_init on it.
> We need to clean up the drm side first.
> 
> It might not fix all regressions from 2b5d1c29f6c4 ("drm/nouveau/disp:
> PIOR DP uses GPIO for HPD, not PMGR AUX interrupts"), but at least it
> fixes a memory corruption in error handling related to that commit.
> 
> Link: 
> https://lore.kernel.org/lkml/20230806213107.GFZNARG6moWpFuSJ9W@fat_crate.local/
> Fixes: 95983aea8003 ("drm/nouveau/disp: add connector class")
> Signed-off-by: Karol Herbst 
> ---
>  drivers/gpu/drm/nouveau/nouveau_connector.c | 11 +++
>  1 file changed, 7 insertions(+), 4 deletions(-)

This one on top of -rc5 doesn't help, unfortunately.

Thx.

-- 
Regards/Gruss,
Boris.

https://people.kernel.org/tglx/notes-about-netiquette


[PATCH] drm/nouveau/disp: fix use-after-free in error handling of nouveau_connector_create

2023-08-14 Thread Karol Herbst
We can't simply free the connector after calling drm_connector_init on it.
We need to clean up the drm side first.

It might not fix all regressions from 2b5d1c29f6c4 ("drm/nouveau/disp:
PIOR DP uses GPIO for HPD, not PMGR AUX interrupts"), but at least it
fixes a memory corruption in error handling related to that commit.

Link: 
https://lore.kernel.org/lkml/20230806213107.GFZNARG6moWpFuSJ9W@fat_crate.local/
Fixes: 95983aea8003 ("drm/nouveau/disp: add connector class")
Signed-off-by: Karol Herbst 
---
 drivers/gpu/drm/nouveau/nouveau_connector.c | 11 +++
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/drivers/gpu/drm/nouveau/nouveau_connector.c 
b/drivers/gpu/drm/nouveau/nouveau_connector.c
index a2e0033e8a260..622f6eb9a8bfd 100644
--- a/drivers/gpu/drm/nouveau/nouveau_connector.c
+++ b/drivers/gpu/drm/nouveau/nouveau_connector.c
@@ -1408,8 +1408,7 @@ nouveau_connector_create(struct drm_device *dev,
ret = nvif_conn_ctor(>disp, nv_connector->base.name, 
nv_connector->index,
 _connector->conn);
if (ret) {
-   kfree(nv_connector);
-   return ERR_PTR(ret);
+   goto drm_conn_err;
}
 
ret = nvif_conn_event_ctor(_connector->conn, "kmsHotplug",
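
Review bot: in the "if (ret)" block after nvif_conn_ctor(), the body is now the single statement "goto drm_conn_err;", so the braces should be dropped per kernel coding style. Jumping straight to the label without calling nvif_conn_dtor() is right here, because the constructor is the call that failed.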
@@ -1426,8 +1425,7 @@ nouveau_connector_create(struct drm_device *dev,
if (ret) {
nvif_event_dtor(_connector->hpd);
nvif_conn_dtor(_connector->conn);
-   kfree(nv_connector);
-   return ERR_PTR(ret);
+   goto drm_conn_err;
}
}
}
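
Review bot: the error block in this hunk still calls nvif_event_dtor() and nvif_conn_dtor() inline and only then jumps to drm_conn_err, so the unwind is split between this block and the label. Stacked labels (one that runs the two destructors and falls through to drm_conn_err) would keep the whole teardown in one place and make it harder for a future error path to skip a step.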
@@ -1475,4 +1473,9 @@ nouveau_connector_create(struct drm_device *dev,
 
drm_connector_register(connector);
return connector;
+
+drm_conn_err:
+   drm_connector_cleanup(connector);
+   kfree(nv_connector);
+   return ERR_PTR(ret);
 }
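
Review bot: the new drm_conn_err label carries an unstated precondition: drm_connector_cleanup(connector) is only valid once drm_connector_init() has run, which is the point the commit message makes. A one-line comment above the label saying so would keep a later change from jumping here from a failure that happens before the init call, where a plain kfree() is still the correct cleanup.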
-- 
2.41.0
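
The lifetime rule from the commit message ("We can't simply free the connector after calling drm_connector_init on it"), modelled in user space as an added example; it is not code from this thread or from nouveau. Every struct and function name in it (model_init, model_cleanup, model_ctor, create_before, create_after, stale_after_failure) is hypothetical and only stands in for the kernel object named in its comment.

```c
/* User-space model of the bug class; constructed for illustration, not nouveau/DRM code. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

struct node { struct node *prev, *next; };        /* role: list link inside drm_connector */
struct registry { struct node head; int live; };  /* role: the device's connector list */
struct conn { struct node base; };                /* role: nouveau_connector, link embedded */

/* Role of drm_connector_init(): the registry now holds pointers into *c. */
static void model_init(struct registry *r, struct conn *c)
{
	c->base.prev = r->head.prev;
	c->base.next = &r->head;
	r->head.prev->next = &c->base;
	r->head.prev = &c->base;
	r->live++;
}

/* Role of drm_connector_cleanup(): unlink *c so nothing points at it any more. */
static void model_cleanup(struct registry *r, struct conn *c)
{
	c->base.prev->next = c->base.next;
	c->base.next->prev = c->base.prev;
	r->live--;
}

/* Role of a later constructor that can fail, such as nvif_conn_ctor(). */
static int model_ctor(int fail) { return fail ? -EINVAL : 0; }

/* Pre-patch shape: free on error while the registry still links to the object. */
static int create_before(struct registry *r, int fail, struct conn **out)
{
	struct conn *c = calloc(1, sizeof(*c));
	int ret;
	if (!c)
		return -ENOMEM;
	model_init(r, c);
	ret = model_ctor(fail);
	if (ret) {
		free(c);	/* registry links now dangle: the next list walk is a UAF */
		return ret;
	}
	*out = c;
	return 0;
}

/* Patched shape: a single label undoes model_init() before the free. */
static int create_after(struct registry *r, int fail, struct conn **out)
{
	struct conn *c = calloc(1, sizeof(*c));
	int ret;
	if (!c)
		return -ENOMEM;	/* nothing linked yet, so a plain return is correct */
	model_init(r, c);
	ret = model_ctor(fail);
	if (ret)
		goto conn_err;
	*out = c;
	return 0;

conn_err:
	model_cleanup(r, c);
	free(c);
	return ret;
}

/* Number of entries the registry still references after one failed create. */
static int stale_after_failure(int patched)
{
	struct registry r = { { &r.head, &r.head }, 0 };
	struct conn *c = NULL;

	(void)(patched ? create_after(&r, 1, &c) : create_before(&r, 1, &c));
	return r.live;	/* only the counter is read; dangling links are never followed */
}

int main(void)
{
	printf("stale entries: before=%d after=%d\n", stale_after_failure(0), stale_after_failure(1));
	return 0;
}
```

A non-zero count after the failed create is the state KASAN later reports as a use-after-free, once something walks the list and touches the freed entry.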