[PATCH] drm/buddy: fixup potential uaf

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



If we are unlucky and somehow can't allocate enough memory when
splitting blocks, where we temporarily end up with the given block and
its buddy on the respective free list, then we need to ensure we delete
both blocks, and not just the buddy, before potentially freeing them.

v2: rebase on i915_buddy removal

Fixes: 14d1b9a6247c ("drm/i915: buddy allocator")
Signed-off-by: Matthew Auld <matthew.auld@xxxxxxxxx>
Cc: Arunpravin <Arunpravin.PaneerSelvam@xxxxxxx>
Cc: Christian König <christian.koenig@xxxxxxx>
---
 drivers/gpu/drm/drm_buddy.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/drm_buddy.c b/drivers/gpu/drm/drm_buddy.c
index d60878bc9c20..2bf75e8abfaa 100644
--- a/drivers/gpu/drm/drm_buddy.c
+++ b/drivers/gpu/drm/drm_buddy.c
@@ -333,8 +333,10 @@ drm_buddy_alloc_blocks(struct drm_buddy *mm, unsigned int order)
 	return block;
 
 out_free:
-	if (i != order)
+	if (i != order) {
+		list_del(&block->link);
 		__drm_buddy_free(mm, block);
+	}
 	return ERR_PTR(err);
 }
 EXPORT_SYMBOL(drm_buddy_alloc_blocks);
@@ -452,8 +454,10 @@ int drm_buddy_alloc_range(struct drm_buddy *mm,
 	buddy = get_buddy(block);
 	if (buddy &&
 	    (drm_buddy_block_is_free(block) &&
-	     drm_buddy_block_is_free(buddy)))
+	     drm_buddy_block_is_free(buddy))) {
+		list_del(&block->link);
 		__drm_buddy_free(mm, block);
+	}
 
 err_free:
 	drm_buddy_free_list(mm, &allocated);
-- 
2.34.1




[Index of Archives]     [Linux DRI Users]     [Linux Intel Graphics]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]     [XFree86]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Linux Kernel]     [Linux SCSI]     [XFree86]
  Powered by Linux