On 3/5/26 09:03, Tvrtko Ursulin wrote:
>
> On 04/03/2026 23:27, Thadeu Lima de Souza Cascardo wrote:
>> When allocating a lot of buffers and putting the TTM under memory pressure,
>> during swapout, it might crash the system with the stack trace below.
>>
>> It turns out that ttm_bo_swapout_cb might replace bo->resource when it
>> moves it to system cached.
>>
>> When commit c06da4b3573a ("drm/ttm: Tidy usage of local variables a little
>> bit") used a local variable for bo->resource, it used the freed resource
>> later in the function, leading to a UAF.
>>
>> Move back to using bo->resource in all cases in that function instead of a
>> local variable.
>>
>> [ 604.814275] BUG: kernel NULL pointer dereference, address:
>> 0000000000000000
>> [ 604.814284] #PF: supervisor read access in kernel mode
>> [ 604.814288] #PF: error_code(0x0000) - not-present page
>> [ 604.814291] PGD 0 P4D 0
>> [ 604.814296] Oops: Oops: 0000 [#1] SMP NOPTI
>> [ 604.814303] CPU: 2 UID: 0 PID: 4408 Comm: vulkan Tainted: G W
>> 7.0.0-rc2-00001-gc50a051e6aca #21 PREEMPT(full)
>> aef6eb0c02036a7c8a5e62e0c84a30c2be90688d
>> [ 604.814309] Tainted: [W]=WARN
>> [ 604.814311] Hardware name: Valve Jupiter/Jupiter, BIOS F7A0133 08/05/2024
>> [ 604.814314] RIP: 0010:ttm_resource_move_to_lru_tail+0x100/0x160 [ttm]
>> [ 604.814329] Code: 5b 5d e9 83 b4 1b cb 48 63 d2 48 c1 e0 04 48 8b 4e 40
>> 48 8d 7e 40 48 8b ac d3 d8 00 00 00 48 89 c3 48 8d 54 05 68 48 8b 46 48 <48>
>> 3b 38 0f 85 b3 3b 00 00 48 3b 79 08 0f 85 a9 3b 00 00 48 89 41
>> [ 604.814332] RSP: 0018:ffffcfe54e3d7578 EFLAGS: 00010256
>> [ 604.814336] RAX: 0000000000000000 RBX: 0000000000000000 RCX:
>> ffff8cf09eced300
>> [ 604.814339] RDX: 0000000000000068 RSI: ffff8cf1d4c1fc00 RDI:
>> ffff8cf1d4c1fc40
>> [ 604.814341] RBP: 0000000000000000 R08: ffff8cf09eced300 R09:
>> 0000000000000000
>> [ 604.814344] R10: 0000000000000000 R11: 0000000000000016 R12:
>> ffff8cf1d4c1fc00
>> [ 604.814346] R13: 0000000000000400 R14: ffff8cf096289c00 R15:
>> ffff8cf084c8f688
>> [ 604.814349] FS: 00007f00531b7780(0000) GS:ffff8cf4217a0000(0000)
>> knlGS:0000000000000000
>> [ 604.814352] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> [ 604.814355] CR2: 0000000000000000 CR3: 000000018e3df000 CR4:
>> 0000000000350ef0
>> [ 604.814358] Call Trace:
>> [ 604.814362] <TASK>
>> [ 604.814368] ttm_bo_swapout_cb+0x24c/0x280 [ttm
>> a469cf7fcb6737fdcf3fb5cdbcc8b1ca41f3e302]
>> [ 604.814380] ttm_lru_walk_for_evict+0xac/0x1d0 [ttm
>> a469cf7fcb6737fdcf3fb5cdbcc8b1ca41f3e302]
>> [ 604.814394] ttm_bo_swapout+0x5b/0x80 [ttm
>> a469cf7fcb6737fdcf3fb5cdbcc8b1ca41f3e302]
>> [ 604.814405] ttm_global_swapout+0x63/0x100 [ttm
>> a469cf7fcb6737fdcf3fb5cdbcc8b1ca41f3e302]
>> [ 604.814415] ttm_tt_populate+0x82/0x130 [ttm
>> a469cf7fcb6737fdcf3fb5cdbcc8b1ca41f3e302]
>> [ 604.814424] ttm_bo_populate+0x37/0xa0 [ttm
>> a469cf7fcb6737fdcf3fb5cdbcc8b1ca41f3e302]
>> [ 604.814433] ttm_bo_handle_move_mem+0x157/0x170 [ttm
>> a469cf7fcb6737fdcf3fb5cdbcc8b1ca41f3e302]
>> [ 604.814443] ttm_bo_validate+0xd9/0x180 [ttm
>> a469cf7fcb6737fdcf3fb5cdbcc8b1ca41f3e302]
>> [ 604.814453] ttm_bo_init_reserved+0xa0/0x1b0 [ttm
>> a469cf7fcb6737fdcf3fb5cdbcc8b1ca41f3e302]
>> [ 604.814461] ? srso_return_thunk+0x5/0x5f
>> [ 604.814469] amdgpu_bo_create+0x1f5/0x500 [amdgpu
>> 361516226706227f4403914dbfdd3f90996136ca]
>> [ 604.814855] ? __pfx_amdgpu_bo_user_destroy+0x10/0x10 [amdgpu
>> 361516226706227f4403914dbfdd3f90996136ca]
>> [ 604.815182] amdgpu_bo_create_user+0x3d/0x70 [amdgpu
>> 361516226706227f4403914dbfdd3f90996136ca]
>> [ 604.815504] amdgpu_gem_create_ioctl+0x16c/0x3b0 [amdgpu
>> 361516226706227f4403914dbfdd3f90996136ca]
>> [ 604.815830] ? __pfx_amdgpu_bo_user_destroy+0x10/0x10 [amdgpu
>> 361516226706227f4403914dbfdd3f90996136ca]
>> [ 604.816155] ? __pfx_amdgpu_gem_create_ioctl+0x10/0x10 [amdgpu
>> 361516226706227f4403914dbfdd3f90996136ca]
>> [ 604.816478] drm_ioctl_kernel+0xae/0x100
>> [ 604.816486] drm_ioctl+0x283/0x510
>> [ 604.816491] ? __pfx_amdgpu_gem_create_ioctl+0x10/0x10 [amdgpu
>> 361516226706227f4403914dbfdd3f90996136ca]
>> [ 604.816819] amdgpu_drm_ioctl+0x4a/0x80 [amdgpu
>> 361516226706227f4403914dbfdd3f90996136ca]
>> [ 604.817135] __x64_sys_ioctl+0x96/0xe0
>> [ 604.817142] do_syscall_64+0x11b/0x7e0
>> [ 604.817148] ? srso_return_thunk+0x5/0x5f
>> [ 604.817152] ? srso_return_thunk+0x5/0x5f
>> [ 604.817156] ? walk_system_ram_range+0xb0/0x110
>> [ 604.817161] ? srso_return_thunk+0x5/0x5f
>> [ 604.817165] ? __pte_offset_map+0x1b/0xb0
>> [ 604.817170] ? srso_return_thunk+0x5/0x5f
>> [ 604.817174] ? pte_offset_map_lock+0x87/0xf0
>> [ 604.817179] ? srso_return_thunk+0x5/0x5f
>> [ 604.817183] ? insert_pfn+0x9f/0x1f0
>> [ 604.817188] ? srso_return_thunk+0x5/0x5f
>> [ 604.817192] ? vmf_insert_pfn_prot+0x97/0x190
>> [ 604.817197] ? srso_return_thunk+0x5/0x5f
>> [ 604.817201] ? ttm_bo_vm_fault_reserved+0x1a6/0x3f0 [ttm
>> a469cf7fcb6737fdcf3fb5cdbcc8b1ca41f3e302]
>> [ 604.817213] ? srso_return_thunk+0x5/0x5f
>> [ 604.817217] ? amdgpu_gem_fault+0xe2/0x100 [amdgpu
>> 361516226706227f4403914dbfdd3f90996136ca]
>> [ 604.817542] ? srso_return_thunk+0x5/0x5f
>> [ 604.817546] ? __do_fault+0x33/0x180
>> [ 604.817550] ? srso_return_thunk+0x5/0x5f
>> [ 604.817554] ? do_fault+0x178/0x610
>> [ 604.817559] ? srso_return_thunk+0x5/0x5f
>> [ 604.817562] ? __handle_mm_fault+0x9be/0x1120
>> [ 604.817567] ? srso_return_thunk+0x5/0x5f
>> [ 604.817574] ? srso_return_thunk+0x5/0x5f
>> [ 604.817578] ? count_memcg_events+0xc4/0x160
>> [ 604.817583] ? srso_return_thunk+0x5/0x5f
>> [ 604.817587] ? handle_mm_fault+0x1d7/0x2e0
>> [ 604.817593] ? srso_return_thunk+0x5/0x5f
>> [ 604.817596] ? do_user_addr_fault+0x173/0x660
>> [ 604.817602] ? srso_return_thunk+0x5/0x5f
>> [ 604.817607] entry_SYSCALL_64_after_hwframe+0x76/0x7e
>> [ 604.817612] RIP: 0033:0x7f00532cef4d
>> [ 604.817617] Code: 04 25 28 00 00 00 48 89 45 c8 31 c0 48 8d 45 10 c7 45
>> b0 10 00 00 00 48 89 45 b8 48 8d 45 d0 48 89 45 c0 b8 10 00 00 00 0f 05 <89>
>> c2 3d 00 f0 ff ff 77 1a 48 8b 45 c8 64 48 2b 04 25 28 00 00 00
>> [ 604.817620] RSP: 002b:00007ffd69ab0650 EFLAGS: 00000246 ORIG_RAX:
>> 0000000000000010
>> [ 604.817624] RAX: ffffffffffffffda RBX: 00007ffd69ab07d0 RCX:
>> 00007f00532cef4d
>> [ 604.817627] RDX: 00007ffd69ab0700 RSI: 00000000c0206440 RDI:
>> 0000000000000005
>> [ 604.817629] RBP: 00007ffd69ab06a0 R08: 00007f00533a0ac0 R09:
>> 0000000000000000
>> [ 604.817632] R10: 00007ffd69ab07c0 R11: 0000000000000246 R12:
>> 00007ffd69ab0700
>> [ 604.817634] R13: 00000000c0206440 R14: 0000000000000005 R15:
>> 0000000000000243
>> [ 604.817642] </TASK>
>>
>> Cc: Tvrtko Ursulin <[email protected]>
>> Cc: Christian König <[email protected]>
>> Fixes: c06da4b3573a ("drm/ttm: Tidy usage of local variables a little bit")
>
> My bad, let me push this ASAP.
>
> Reviewed-by: Tvrtko Ursulin <[email protected]>
Should it not be in the branch already: Reviewed-by: Christian König
<[email protected]>.
Regards,
Christian.
>
> Regards,
>
> Tvrtko
>
>> Signed-off-by: Thadeu Lima de Souza Cascardo <[email protected]>
>> ---
>> drivers/gpu/drm/ttm/ttm_bo.c | 11 +++++------
>> 1 file changed, 5 insertions(+), 6 deletions(-)
>>
>> diff --git a/drivers/gpu/drm/ttm/ttm_bo.c b/drivers/gpu/drm/ttm/ttm_bo.c
>> index
>> acb9197db8798659da178186115c2912b84f64e6..0765d69423d2f4028bf2effd21af53e117ee7a29
>> 100644
>> --- a/drivers/gpu/drm/ttm/ttm_bo.c
>> +++ b/drivers/gpu/drm/ttm/ttm_bo.c
>> @@ -1107,8 +1107,7 @@ struct ttm_bo_swapout_walk {
>> static s64
>> ttm_bo_swapout_cb(struct ttm_lru_walk *walk, struct ttm_buffer_object *bo)
>> {
>> - struct ttm_resource *res = bo->resource;
>> - struct ttm_place place = { .mem_type = res->mem_type };
>> + struct ttm_place place = { .mem_type = bo->resource->mem_type };
>> struct ttm_bo_swapout_walk *swapout_walk =
>> container_of(walk, typeof(*swapout_walk), walk);
>> struct ttm_operation_ctx *ctx = walk->arg.ctx;
>> @@ -1148,7 +1147,7 @@ ttm_bo_swapout_cb(struct ttm_lru_walk *walk, struct
>> ttm_buffer_object *bo)
>> /*
>> * Move to system cached
>> */
>> - if (res->mem_type != TTM_PL_SYSTEM) {
>> + if (bo->resource->mem_type != TTM_PL_SYSTEM) {
>> struct ttm_resource *evict_mem;
>> struct ttm_place hop;
>> @@ -1180,15 +1179,15 @@ ttm_bo_swapout_cb(struct ttm_lru_walk *walk,
>> struct ttm_buffer_object *bo)
>> if (ttm_tt_is_populated(tt)) {
>> spin_lock(&bdev->lru_lock);
>> - ttm_resource_del_bulk_move(res, bo);
>> + ttm_resource_del_bulk_move(bo->resource, bo);
>> spin_unlock(&bdev->lru_lock);
>> ret = ttm_tt_swapout(bdev, tt, swapout_walk->gfp_flags);
>> spin_lock(&bdev->lru_lock);
>> if (ret)
>> - ttm_resource_add_bulk_move(res, bo);
>> - ttm_resource_move_to_lru_tail(res);
>> + ttm_resource_add_bulk_move(bo->resource, bo);
>> + ttm_resource_move_to_lru_tail(bo->resource);
>> spin_unlock(&bdev->lru_lock);
>> }
>>
>> ---
>> base-commit: 11439c4635edd669ae435eec308f4ab8a0804808
>> change-id: 20260304-ttm_bo_res_uaf-f2096356dff5
>>
>> Best regards,
>
