On 5/27/25 21:43, Natalie Vock wrote:
If we hand out cleared blocks to users, they are expected to write at least some non-zero values somewhere. If we keep the CLEAR bit set on the block, amdgpu_fill_buffer will assume there is nothing to do and incorrectly skip clearing the block. Ultimately, the (still dirty) block will be reused as if it were cleared, without any wiping of the memory contents.
Most severely, this means that any buffer allocated with AMDGPU_GEM_CREATE_VRAM_CLEARED | AMDGPU_GEM_CREATE_WIPE_ON_RELEASE (which is the case for **all userspace buffers**) are neither guaranteed to contain cleared VRAM, nor are they being wiped on release, potentially leaking application memory to arbitrary other applications.
Fixes: a68c7eaa7a8ff ("drm/amdgpu: Enable clear page functionality") Cc: stable@vger.kernel.org
Link: https://gitlab.freedesktop.org/drm/amd/-/issues/3812
Signed-off-by: Natalie Vock natalie.vock@gmx.de
drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c | 7 +++++++ 1 file changed, 7 insertions(+)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c index 2d7f82e98df9..cecc67d0f0b8 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c @@ -591,6 +591,13 @@ static int amdgpu_vram_mgr_new(struct ttm_resource_manager *man, list_for_each_entry(block, &vres->blocks, link) { unsigned long start;
/** Allocated blocks may be dirtied as soon as we return.* Mark all blocks as dirty here, otherwise we might* incorrectly assume the memory is still zeroed.*/drm_buddy_block_set_dirty(block);
Exactly that makes no sense.
We need the information if it's dirty or not later while clearing the blocks. Otherwise we will clear all blocks and completely loose the advantage of the clear tracking.
So we should set them dirty as soon as we are done with the clearing.
But the problem rather seems to be that we sometimes don't clear the buffers on release for some reason, but still set it as cleared.
Regards, Christian.
- start = amdgpu_vram_mgr_block_start(block) + amdgpu_vram_mgr_block_size(block); start >>= PAGE_SHIFT;