Re: [PATCH v2] drm/i915: Fix vm use-after-free in vma destruction

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, 20 Jun 2022 at 13:37, Thomas Hellström
<thomas.hellstrom@xxxxxxxxxxxxxxx> wrote:
>
> In vma destruction, the following race may occur:
>
> Thread 1:                         Thread 2:
> i915_vma_destroy();
>
>   ...
>   list_del_init(vma->vm_link);
>   ...
>   mutex_unlock(vma->vm->mutex);
>                                   __i915_vm_release();
> release_references();
>
> And in release_reference() we dereference vma->vm to get to the
> vm gt pointer, leading to a use-after free.
>
> However, __i915_vm_release() grabs the vm->mutex so the vm won't be
> destroyed before vma->vm->mutex is released, so extract the gt pointer
> under the vm->mutex to avoid the vma->vm dereference in
> release_references().
>
> v2: Fix a typo in the commit message (Andi Shyti)
>
> Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/5944
> Fixes: e1a7ab4fca ("drm/i915: Remove the vm open count")
>
> Cc: Niranjana Vishwanathapura <niranjana.vishwanathapura@xxxxxxxxx>
> Cc: Matthew Auld <matthew.auld@xxxxxxxxx>
> Signed-off-by: Thomas Hellström <thomas.hellstrom@xxxxxxxxxxxxxxx>
Reviewed-by: Matthew Auld <matthew.auld@xxxxxxxxx>




[Index of Archives]     [AMD Graphics]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux