Hi Thomas,

On Thu, May 12, 2022 at 11:40:45AM +0200, Thomas Hellström wrote:
> In vma destruction, the following race may occur:
>
> Thread 1:                       Thread 2:
> i915_vma_destroy();
>
> ...
> list_del_init(vma->vm_link);
> ...
> mutex_unlock(vma->vm->mutex);
>                                 __i915_vm_release();
> release_references();
>
> And in release_reference() we dereference vma->vm to get to the
> vm gt pointer, leadin go a use-after free.

leading to

[...]

> -static void release_references(struct i915_vma *vma, bool vm_ddestroy)
> +static void release_references(struct i915_vma *vma, struct intel_gt *gt,
> +				bool vm_ddestroy)
> {
> 	struct drm_i915_gem_object *obj = vma->obj;
> -	struct intel_gt *gt = vma->vm->gt;
>
> 	GEM_BUG_ON(i915_vma_is_active(vma));

but then we have

	if (vm_ddestroy)
		i915_vm_resv_put(vma->vm);

where we reference a freed vm, right? Do we need to check it here, as well?

Andi
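Review bot: the new `gt` parameter of `release_references()` needs a comment at the function explaining why the caller must pass it (per the commit message, `vma->vm` may already have gone through `__i915_vm_release()` by the time this runs), otherwise a later change can reintroduce the removed `struct intel_gt *gt = vma->vm->gt;` line without anyone noticing. The same comment should state which reference keeps `vm` alive for the remaining `vma->vm` use in the `vm_ddestroy` branch that Andi quotes, since the visible hunk removes one `vma->vm` dereference but still passes `vm_ddestroy` into a function whose body may contain another.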