On ke, 2016-12-07 at 10:07 +0000, Chris Wilson wrote:
> In commit a4f5ea64f0a8 ("drm/i915: Refactor object page API"), I
> reordered the object->pages teardown to be more friendly wrt to a
> separate obj->mm.lock. However, I overlooked the phys object and left it
> with a dangling use-after-free of its phys_handle. Move the allocation
> of the phys handle to get_pages and it release to put_pages to prevent
> the invalid access and to improve symmetry.
>
> Testcase: igt/drv_selftest/objects
> Reported-by: Ville Syrjälä <ville.syrjala@xxxxxxxxxxxxxxx>
> Fixes: a4f5ea64f0a8 ("drm/i915: Refactor object page API")
> Signed-off-by: Chris Wilson <chris@xxxxxxxxxxxxxxxxxx>
> Cc: Ville Syrjälä <ville.syrjala@xxxxxxxxxxxxxxx>
> Cc: Tvrtko Ursulin <tvrtko.ursulin@xxxxxxxxx>
> Cc: Joonas Lahtinen <joonas.lahtinen@xxxxxxxxxxxxxxx>
> Cc: intel-gfx@xxxxxxxxxxxxxxxxxxxxx
<SNIP>
> i915_gem_object_get_pages_phys(struct drm_i915_gem_object *obj)
> {
> struct address_space *mapping = obj->base.filp->f_mapping;
> - char *vaddr = obj->phys_handle->vaddr;
> + drm_dma_handle_t *phys;
> struct sg_table *st;
> struct scatterlist *sg;
> + char *vaddr;
> int i;
>
> if (WARN_ON(i915_gem_object_needs_bit17_swizzle(obj)))
> return ERR_PTR(-EINVAL);
>
> + phys = drm_pci_alloc(obj->base.dev, obj->base.size, obj->base.size);
Aligning to object size sounds bit rough without any comments.
> @@ -204,21 +212,29 @@ i915_gem_object_get_pages_phys(struct drm_i915_gem_object *obj)
> i915_gem_chipset_flush(to_i915(obj->base.dev));
>
> st = kmalloc(sizeof(*st), GFP_KERNEL);
> - if (st == NULL)
> - return ERR_PTR(-ENOMEM);
> + if (st == NULL) {
Could convert to (!st) when touching, pleases checkpatch.pl.
With the align propagated or explained in a comment;
Reviewed-by: Joonas Lahtinen <joonas.lahtinen@xxxxxxxxxxxxxxx>
Regards, Joonas
--
Joonas Lahtinen
Open Source Technology Center
Intel Corporation
_______________________________________________
Intel-gfx mailing list
Intel-gfx@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/intel-gfx
