[PATCH] drm/i915/ttm: ensure we release the intel_memory_region

Thomas Hellström thomas.hellstrom at linux.intel.com
Thu Aug 19 07:25:26 UTC 2021


On Wed, 2021-08-18 at 18:12 +0100, Matthew Auld wrote:
> If the ttm_bo_init_reserved() call fails ensure we also release the
> region, otherwise we leak the reference, or worse hit some uaf, when we
> start using the objects.list. Also remove the make_unshrinkable call
> here, which doesn't do anything.
> 
> Signed-off-by: Matthew Auld <matthew.auld at intel.com>
> Cc: Thomas Hellström <thomas.hellstrom at linux.intel.com>
> ---
>  drivers/gpu/drm/i915/gem/i915_gem_ttm.c | 7 +++++--
>  1 file changed, 5 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/gpu/drm/i915/gem/i915_gem_ttm.c
> b/drivers/gpu/drm/i915/gem/i915_gem_ttm.c
> index 771eb2963123..2e8cdcd5e4f7 100644
> --- a/drivers/gpu/drm/i915/gem/i915_gem_ttm.c
> +++ b/drivers/gpu/drm/i915/gem/i915_gem_ttm.c
> @@ -909,7 +909,6 @@ int __i915_gem_ttm_object_init(struct
> intel_memory_region *mem,
>         drm_gem_private_object_init(&i915->drm, &obj->base, size);
>         i915_gem_object_init(obj, &i915_gem_ttm_obj_ops, &lock_class,
> flags);
>         i915_gem_object_init_memory_region(obj, mem);
> -       i915_gem_object_make_unshrinkable(obj);
>         INIT_RADIX_TREE(&obj->ttm.get_io_page.radix, GFP_KERNEL |
> __GFP_NOWARN);
>         mutex_init(&obj->ttm.get_io_page.lock);
>         bo_type = (obj->flags & I915_BO_ALLOC_USER) ?
> ttm_bo_type_device :
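
Review bot: dropping i915_gem_object_make_unshrinkable(obj) in this first hunk is unrelated to the leak fix named in the subject, and the commit message justifies it only with "doesn't do anything". Either split the removal into its own patch or say in the commit message why the call is a no-op at this point in __i915_gem_ttm_object_init(), so that a later bisect or backport of the leak fix does not carry an unexplained behaviour change with it.
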
> @@ -932,7 +931,7 @@ int __i915_gem_ttm_object_init(struct
> intel_memory_region *mem,
>                                    page_size >> PAGE_SHIFT,
>                                    &ctx, NULL, NULL,
> i915_ttm_bo_destroy);
>         if (ret)
> -               return i915_ttm_err_to_gem(ret);
> +               goto err_release_mr;
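
Review bot: the new `goto err_release_mr` sits directly after a call that was handed i915_ttm_bo_destroy as its destroy callback, so the error path needs to be checked for a double release. If any failure inside that call already runs the callback and the callback drops the region, the label would release it a second time. The commit message should state which failure paths do and do not invoke the callback. The old line returned i915_ttm_err_to_gem(ret); the label body is not visible in this quoted hunk, so please confirm the converted error code is still what gets returned from there.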

IIRC when ttm_object_init_reserved fails, it will call ttm_bo_put()
which will eventually end up in i915_ttm_bo_destroy() which will do the
right thing?

/Thomas



