On Mon, 20 Jun 2022 at 13:37, Thomas Hellström <thomas.hellstrom@xxxxxxxxxxxxxxx> wrote:
>
> In vma destruction, the following race may occur:
>
> Thread 1:                       Thread 2:
> i915_vma_destroy();
>
>   ...
>   list_del_init(vma->vm_link);
>   ...
>   mutex_unlock(vma->vm->mutex);
>                                 __i915_vm_release();
> release_references();
>
> And in release_reference() we dereference vma->vm to get to the
> vm gt pointer, leading to a use-after-free.
>
> However, __i915_vm_release() grabs the vm->mutex so the vm won't be
> destroyed before vma->vm->mutex is released, so extract the gt pointer
> under the vm->mutex to avoid the vma->vm dereference in
> release_references().
>
> v2: Fix a typo in the commit message (Andi Shyti)
>
> Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/5944
> Fixes: e1a7ab4fca ("drm/i915: Remove the vm open count")
>
> Cc: Niranjana Vishwanathapura <niranjana.vishwanathapura@xxxxxxxxx>
> Cc: Matthew Auld <matthew.auld@xxxxxxxxx>
> Signed-off-by: Thomas Hellström <thomas.hellstrom@xxxxxxxxxxxxxxx>
Reviewed-by: Matthew Auld <matthew.auld@xxxxxxxxx>
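The lifetime rule behind this fix, as an added example that is not i915 code and not the patch under review: a single-threaded C model in which holding `vm->mutex` is what keeps the vm alive, and the "other thread" from the diagram is a callback (`model_vm_release`, standing in for `__i915_vm_release()`) that runs exactly at the unlock point, i.e. the worst-case interleaving. All struct and function names here are toy names; the freed vm is modelled by poisoning its `gt` pointer instead of calling `free()`, so the stale read is observable without undefined behaviour. The racy path follows `vma->vm` after the unlock and sees the poisoned pointer; the fixed path extracts `gt` under the mutex, as the commit message describes, and never touches `vma->vm` again.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy model of the lifetime rule in the commit message, written for this
 * note; none of it is i915 code. A "vm" owns a "gt" pointer, a "vma" points
 * at its vm, and holding vm->mutex is what keeps the vm alive. */
struct gt { int id; };

struct vm {
    bool mutex_held;    /* stands in for vm->mutex */
    struct gt *gt;
};

struct vma {
    struct vm *vm;      /* vma->vm: only safe to follow while the vm is pinned */
};

/* What a released vm "looks like" in this model: instead of free(), which
 * would make the stale read undefined behaviour, release poisons vm->gt so
 * that a late dereference yields an obviously bogus gt (id == -1). */
static struct gt poisoned_gt = { .id = -1 };

/* Stands in for Thread 2's __i915_vm_release(): it takes vm->mutex first, so
 * it can only proceed once the destroying thread has dropped the lock. */
typedef void (*racer_fn)(struct vm *);

static void model_vm_release(struct vm *vm)
{
    if (vm->mutex_held)
        return;                 /* would block on the mutex in the real driver */
    vm->gt = &poisoned_gt;      /* vm torn down; nothing behind vm is valid */
}

/* Dropping the lock is the race window: in this single-threaded model the
 * racer runs exactly there, i.e. the worst-case interleaving. */
static void vm_mutex_unlock(struct vm *vm, racer_fn racer)
{
    vm->mutex_held = false;
    if (racer)
        racer(vm);
}

/* Buggy ordering: release_references() follows vma->vm after the unlock. */
static struct gt *vma_destroy_racy(struct vma *vma, racer_fn racer)
{
    struct vm *vm = vma->vm;

    vm->mutex_held = true;
    /* ... list_del_init(&vma->vm_link) ... */
    vm_mutex_unlock(vm, racer);

    /* release_references(): vma->vm may already be gone here */
    return vma->vm->gt;
}

/* Fixed ordering: read the gt pointer while vm->mutex still pins the vm,
 * then hand it on so release_references() never touches vma->vm. */
static struct gt *vma_destroy_fixed(struct vma *vma, racer_fn racer)
{
    struct vm *vm = vma->vm;
    struct gt *gt;

    vm->mutex_held = true;
    gt = vm->gt;                /* extracted under the mutex */
    /* ... list_del_init(&vma->vm_link) ... */
    vm_mutex_unlock(vm, racer);

    return gt;                  /* release_references(gt) */
}

/* Build a fresh gt/vm/vma triple (constructed sample objects), run one of the
 * two destroy paths against the racing release, and report which gt was seen. */
static int destroy_and_report(bool fixed)
{
    struct gt gt = { .id = 7 };
    struct vm vm = { .mutex_held = false, .gt = &gt };
    struct vma vma = { .vm = &vm };
    struct gt *seen = fixed ? vma_destroy_fixed(&vma, model_vm_release)
                            : vma_destroy_racy(&vma, model_vm_release);

    return seen->id;
}

int main(void)
{
    printf("racy path saw gt id %d\n", destroy_and_report(false));  /* -1: stale vm */
    printf("fixed path saw gt id %d\n", destroy_and_report(true));  /* 7: real gt */
    return 0;
}
```

The point the model makes is the general one: any field reached through a pointer whose owner is only pinned by a lock must be copied out before that lock is dropped, because the first instruction after the unlock may already be running concurrently with the owner's release path.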