Re: [PATCH 2/2] nouveau/dmem: Fix memory leak in `migrate_to_ram` upon copy error

From: Yonatan Maman
Date: Mon Oct 07 2024 - 08:28:45 EST

Next message: Boqun Feng: "Re: [PATCH net-next v2 5/6] rust: Add read_poll_timeout function"
Previous message: Christian Brauner: "Re: [PATCH v7] pidfd: add ioctl to retrieve pid info"
Next in thread: Danilo Krummrich: "Re: [PATCH 2/2] nouveau/dmem: Fix memory leak in `migrate_to_ram` upon copy error"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 30/09/2024 14:20, Danilo Krummrich wrote:

External email: Use caution opening links or attachments

On Mon, Sep 23, 2024 at 01:54:58PM +0000, Yonatan Maman wrote:

A copy push command might fail, causing `migrate_to_ram` to return a
dirty HIGH_USER page to the user.

This exposes a security vulnerability in the nouveau driver. To prevent
memory leaks in `migrate_to_ram` upon a copy error, allocate a zero
page for the destination page.

So, you refer to the case where this function fails in nouveau_dmem_copy_one()?

If so, can you please explain why adding __GFP_ZERO to alloc_page_vma() helps
with that?

The nouveau_dmem_copy_one function ensures that the copy push command is sent to the device firmware but does not track whether it was executed successfully.

In the case of a copy error (e.g., firmware or hardware error), the command will be sent in the firmware channel, and nouveau_dmem_copy_one might succeed, as well as the migrate_to_ram function. Thus, a dirty page could be returned to the user.

It’s important to note that we attempted to use nouveau_fence_wait status to handle migration errors, but it does not catch all error types.

To avoid this vulnerability, we allocate a zero page. So that, in case of an error, a non-dirty (zero) page will be returned to the user.

Signed-off-by: Yonatan Maman <Ymaman@xxxxxxxxxx>
Signed-off-by: Gal Shalom <GalShalom@xxxxxxxxxx>

Since this is a bug, please also add a 'Fixes' tag, CC stable and add a
'Co-developed-by' tag if appropriate.

sure, thanks, I will add, and push it as V2 patch-series.

---
drivers/gpu/drm/nouveau/nouveau_dmem.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/nouveau/nouveau_dmem.c b/drivers/gpu/drm/nouveau/nouveau_dmem.c
index 6fb65b01d778..097bd3af0719 100644
--- a/drivers/gpu/drm/nouveau/nouveau_dmem.c
+++ b/drivers/gpu/drm/nouveau/nouveau_dmem.c
@@ -193,7 +193,7 @@ static vm_fault_t nouveau_dmem_migrate_to_ram(struct vm_fault *vmf)
if (!spage || !(src & MIGRATE_PFN_MIGRATE))
goto done;

- dpage = alloc_page_vma(GFP_HIGHUSER, vmf->vma, vmf->address);
+ dpage = alloc_page_vma(GFP_HIGHUSER | __GFP_ZERO, vmf->vma, vmf->address);
if (!dpage)
goto done;

--
2.34.1

Next message: Boqun Feng: "Re: [PATCH net-next v2 5/6] rust: Add read_poll_timeout function"
Previous message: Christian Brauner: "Re: [PATCH v7] pidfd: add ioctl to retrieve pid info"
Next in thread: Danilo Krummrich: "Re: [PATCH 2/2] nouveau/dmem: Fix memory leak in `migrate_to_ram` upon copy error"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]