Re: [PATCH 1/2] drm/amdgpu: fix use after free during BO move

 Acked-by: Nirmoy Das <nirmoy.das@xxxxxxx> for the 1st patch and second patch is

Reviewed-by: Nirmoy Das <nirmoy.das@xxxxxxx>


On 9/7/2021 10:14 AM, Christian König wrote:
The memory backing old_mem is already freed at that point, move the
check a bit more up.

Signed-off-by: Christian König <christian.koenig@xxxxxxx>
Fixes: bfa3357ef9ab ("drm/ttm: allocate resource object instead of embedding it v2")
Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/1699
---
  drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c | 18 +++++++++---------
  1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c
index 446943e32e3e..e2896ac2c9ce 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c
@@ -513,6 +513,15 @@ static int amdgpu_bo_move(struct ttm_buffer_object *bo, bool evict,
  		goto out;
  	}
+ if (bo->type == ttm_bo_type_device &&
+	    new_mem->mem_type == TTM_PL_VRAM &&
+	    old_mem->mem_type != TTM_PL_VRAM) {
+		/* amdgpu_bo_fault_reserve_notify will re-set this if the CPU
+		 * accesses the BO after it's moved.
+		 */
+		abo->flags &= ~AMDGPU_GEM_CREATE_CPU_ACCESS_REQUIRED;
+	}
+
  	if (adev->mman.buffer_funcs_enabled) {
  		if (((old_mem->mem_type == TTM_PL_SYSTEM &&
  		      new_mem->mem_type == TTM_PL_VRAM) ||
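
Review bot: In the block added ahead of `if (adev->mman.buffer_funcs_enabled)`, AMDGPU_GEM_CREATE_CPU_ACCESS_REQUIRED is now cleared before the move has been attempted, so a move that fails on the `return r` path visible in the next hunk leaves the flag cleared on a BO that never reached VRAM. The existing comment says amdgpu_bo_fault_reserve_notify re-sets the flag on CPU access, which may make this harmless, but the comment should say so explicitly. Alternatively, record the condition in a local bool at this point and clear the flag only once the move has succeeded.
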
@@ -543,15 +552,6 @@ static int amdgpu_bo_move(struct ttm_buffer_object *bo, bool evict,
  			return r;
  	}
- if (bo->type == ttm_bo_type_device &&
-	    new_mem->mem_type == TTM_PL_VRAM &&
-	    old_mem->mem_type != TTM_PL_VRAM) {
-		/* amdgpu_bo_fault_reserve_notify will re-set this if the CPU
-		 * accesses the BO after it's moved.
-		 */
-		abo->flags &= ~AMDGPU_GEM_CREATE_CPU_ACCESS_REQUIRED;
-	}
-
  out:
  	/* update statistics */
  	atomic64_add(bo->base.size, &adev->num_bytes_moved);
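
Review bot: Nothing at the removed location, just above `out:`, records why old_mem must not be read there, so a later change could reintroduce the dereference after the move. Consider a short comment at the new check stating that old_mem is no longer valid once the move has run, or read old_mem->mem_type into a local at the top of amdgpu_bo_move() so the tail of the function has nothing left to dereference. The context lines after `out:` shown here only use bo->base.size and adev, which is consistent with the fix.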


