[PATCH] drm/i915/buddy: fixup potential uaf

If we are unlucky and can't allocate enough memory when splitting
blocks, where we temporarily end up with the given block and its buddy
on the respective free list, then we need to ensure we delete both
blocks, and not just the buddy, before potentially freeing them.

Fixes: 14d1b9a6247c ("drm/i915: buddy allocator")
Signed-off-by: Matthew Auld <matthew.auld@xxxxxxxxx>
Cc: Arunpravin <Arunpravin.PaneerSelvam@xxxxxxx>
Cc: Christian König <christian.koenig@xxxxxxx>
---
 drivers/gpu/drm/i915/i915_buddy.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/i915/i915_buddy.c b/drivers/gpu/drm/i915/i915_buddy.c
index 6e2ad68f8f3f..9ca81b095adb 100644
--- a/drivers/gpu/drm/i915/i915_buddy.c
+++ b/drivers/gpu/drm/i915/i915_buddy.c
@@ -293,8 +293,10 @@ i915_buddy_alloc(struct i915_buddy_mm *mm, unsigned int order)
 	return block;
 
 out_free:
-	if (i != order)
+	if (i != order) {
+		list_del(&block->link);
 		__i915_buddy_free(mm, block);
+	}
 	return ERR_PTR(err);
 }
 
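Review bot: The new list_del(&block->link) under out_free is only correct if block is still linked on a free list whenever i != order, and nothing in this hunk states that invariant. A one-line comment above the list_del saying that a failed split leaves both block and its buddy on their free list would keep a later change to the split loop from turning this into a list_del on an unlinked node.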
@@ -401,8 +403,10 @@ int i915_buddy_alloc_range(struct i915_buddy_mm *mm,
 	buddy = get_buddy(block);
 	if (buddy &&
 	    (i915_buddy_block_is_free(block) &&
-	     i915_buddy_block_is_free(buddy)))
+	     i915_buddy_block_is_free(buddy))) {
+		list_del(&block->link);
 		__i915_buddy_free(mm, block);
+	}
 
 err_free:
 	i915_buddy_free_list(mm, &allocated);
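Review bot: In i915_buddy_alloc_range() the list_del(&block->link) is guarded by i915_buddy_block_is_free(block), while the same list_del plus __i915_buddy_free(mm, block) pair in i915_buddy_alloc() is guarded only by i != order, so the two error paths express the "block is on the free list" precondition differently. Consider factoring the pair into one small helper used by both paths, with the precondition documented once, so the unlink cannot be dropped from one site in a future edit.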
-- 
2.31.1



