/*
 * Copyright © 2012 Intel Corporation
 *
 * Permission is hereby granted, free of charge, to any person obtaining a
 * copy of this software and associated documentation files (the "Software"),
 * to deal in the Software without restriction, including without limitation
 * the rights to use, copy, modify, merge, publish, distribute, sublicense,
 * and/or sell copies of the Software, and to permit persons to whom the
 * Software is furnished to do so, subject to the following conditions:
 *
 * The above copyright notice and this permission notice (including the next
 * paragraph) shall be included in all copies or substantial portions of the
 * Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL
 * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
 * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
 * IN THE SOFTWARE.
 *
 * Authors:
 *    Daniel Vetter <daniel.vetter@ffwll.ch>
 *
 */

/** @file gem_unfence_active_buffers.c
 *
 * Testcase: Check for use-after-free in the fence stealing code
 *
 * If we're stealing the fence of an active object where the active list is the
 * only thing holding a reference, we need to be careful not to access the old
 * object we're stealing the fence from after that reference has been dropped by
 * retire_requests.
 *
 * Note that this needs slab poisoning enabled in the kernel to reliably hit the
 * problem - the race window is too small.
 */

#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <inttypes.h>
#include <errno.h>
#include <sys/stat.h>
#include <sys/time.h>
#include <stdbool.h>
#include "drm.h"
#include "i915/gem.h"
#include "i915/gem_create.h"
#include "igt.h"

/**
 * TEST: gem unfence active buffers
 * Description: Check for use-after-free in the fence stealing code.
 * Category: Core
 * Mega feature: General Core features
 * Sub-category: Memory management tests
 * Functionality: use-after-free
 * Feature: synchronization
 *
 * SUBTEST:
 */

IGT_TEST_DESCRIPTION("Check for use-after-free in the fence stealing code.");

static uint32_t create_tiled(int i915)
{
	uint32_t handle;

	handle = gem_create(i915, 1 << 20);
	gem_set_tiling(i915, handle, I915_TILING_X, 1024);

	return handle;
}

igt_simple_main
{
	int i915, num_fences;
	igt_spin_t *spin;
	uint64_t ahnd;

	i915 = drm_open_driver(DRIVER_INTEL);
	igt_require_gem(i915);

	/*
	 * The spinner keeps the GPU busy, so every buffer submitted together
	 * with its batch below stays on the active list.
	 */
	ahnd = get_reloc_ahnd(i915, 0);
	spin = igt_spin_new(i915, .ahnd = ahnd);

	num_fences = gem_available_fences(i915);
	igt_require(num_fences);
	igt_info("creating havoc on %i fences\n", num_fences);

	/*
	 * Submit more fenced objects than there are fences, so that fences
	 * have to be stolen from objects that are still active.
	 */
	for (int i = 0; i < num_fences + 3; i++) {
		struct drm_i915_gem_exec_object2 obj[2] = {
			{
				.handle = create_tiled(i915),
				.flags = EXEC_OBJECT_NEEDS_FENCE,
			},
			spin->obj[IGT_SPIN_BATCH],
		};
		struct drm_i915_gem_execbuffer2 execbuf = {
			.buffers_ptr = to_user_pointer(obj),
			.buffer_count = ARRAY_SIZE(obj),
		};

		gem_execbuf(i915, &execbuf);
		/*
		 * Drop the userspace handle: the active list is now the only
		 * thing holding a reference to the tiled object.
		 */
		gem_close(i915, obj[0].handle);
	}

	igt_spin_free(i915, spin);
	put_ahnd(ahnd);
	drm_close_driver(i915);
}