While the sysfs entries for engines are added in intel_engines_init() during driver load, the corresponding function intel_engines_release() does not correctly get rid of them. This can lead to a UAF if, after failed initialization (for example when gt is set wedged on init), we try to access the engines. Empty the engines llist in intel_engines_release(). Suggested-by: Chris Wilson <chris.p.wilson@xxxxxxxxxxxxxxx> Signed-off-by: Krzysztof Niemiec <krzysztof.niemiec@xxxxxxxxx> --- drivers/gpu/drm/i915/gt/intel_engine_cs.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/gpu/drm/i915/gt/intel_engine_cs.c b/drivers/gpu/drm/i915/gt/intel_engine_cs.c index 3b740ca25000..4d30a86016f2 100644 --- a/drivers/gpu/drm/i915/gt/intel_engine_cs.c +++ b/drivers/gpu/drm/i915/gt/intel_engine_cs.c @@ -693,6 +693,8 @@ void intel_engines_release(struct intel_gt *gt) memset(&engine->reset, 0, sizeof(engine->reset)); } + + llist_del_all(>->i915->uabi_engines_llist); } void intel_engine_free_request_pool(struct intel_engine_cs *engine) -- 2.45.2
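Review bot: the new llist_del_all() in intel_engines_release() clears gt->i915->uabi_engines_llist, which hangs off the device-wide i915 structure, while the function itself is scoped to a single struct intel_gt; on a device with more than one gt, releasing one gt would also unlink the uabi entries of engines that belong to the other gts, so either the call belongs in an i915-level teardown path or it should remove only this gt's engines from the list. llist_del_all() also only detaches the nodes and returns the old head, which the hunk discards, so the commit message should state where the detached engine objects are still freed and why no other reader can be walking the list at this point. Minor: as shown here the added line reads `llist_del_all(>->i915->uabi_engines_llist);`, which is not valid C; confirm the posted patch carries `&gt->i915->uabi_engines_llist` and that the `&gt` was not mangled by HTML/mail escaping.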