[PATCH] drm/buddy: fixup potential uaf
Daniel Vetter
daniel at ffwll.ch
Tue Feb 8 13:16:29 UTC 2022
On Tue, Feb 08, 2022 at 11:38:15AM +0000, Matthew Auld wrote:
> If we are unlucky and somehow can't allocate enough memory when
> splitting blocks, where we temporarily end up with the given block and
> its buddy on the respective free list, then we need to ensure we delete
> both blocks, and not just the buddy, before potentially freeing them.
>
> v2: rebase on i915_buddy removal
>
> Fixes: 14d1b9a6247c ("drm/i915: buddy allocator")
> Signed-off-by: Matthew Auld <matthew.auld at intel.com>
> Cc: Arunpravin <Arunpravin.PaneerSelvam at amd.com>
> Cc: Christian König <christian.koenig at amd.com>
btw wrt fixups, can you pls include the drm_buddy.c kerneldoc into
Documentation/gpu/drm-mm.rst? That seems to be missing. Also probably some
kerneldoc to polish to make it warning free and complete.
-Daniel
> ---
> drivers/gpu/drm/drm_buddy.c | 8 ++++++--
> 1 file changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/gpu/drm/drm_buddy.c b/drivers/gpu/drm/drm_buddy.c
> index d60878bc9c20..2bf75e8abfaa 100644
> --- a/drivers/gpu/drm/drm_buddy.c
> +++ b/drivers/gpu/drm/drm_buddy.c
> @@ -333,8 +333,10 @@ drm_buddy_alloc_blocks(struct drm_buddy *mm, unsigned int order)
> return block;
>
> out_free:
> - if (i != order)
> + if (i != order) {
> + list_del(&block->link);
> __drm_buddy_free(mm, block);
> + }
> return ERR_PTR(err);
> }
> EXPORT_SYMBOL(drm_buddy_alloc_blocks);
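Review bot: The new list_del(&block->link) under out_free has no visible check that block is actually linked on a free list at that point, whereas the equivalent path in drm_buddy_alloc_range is guarded by drm_buddy_block_is_free(block). Either mirror that check here or add a short comment stating the invariant from the commit message (a failed split leaves both block and its buddy on their free lists whenever i != order), so a later change to the split loop does not turn this into a list_del on an unlinked entry.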
> @@ -452,8 +454,10 @@ int drm_buddy_alloc_range(struct drm_buddy *mm,
> buddy = get_buddy(block);
> if (buddy &&
> (drm_buddy_block_is_free(block) &&
> - drm_buddy_block_is_free(buddy)))
> + drm_buddy_block_is_free(buddy))) {
> + list_del(&block->link);
> __drm_buddy_free(mm, block);
> + }
>
> err_free:
> drm_buddy_free_list(mm, &allocated);
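Review bot: In the branch ahead of err_free only block is unlinked, although the condition also tests drm_buddy_block_is_free(buddy) and the commit message says both blocks must come off the free list; nothing in the hunk shows where the buddy is removed. A one-line comment above list_del(&block->link) saying where the buddy's entry is dropped would make the asymmetry clear. The same list_del plus __drm_buddy_free(mm, block) pair now appears in both error paths, so a small helper would keep the two in sync.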
> --
> 2.34.1
>
--
Daniel Vetter
Software Engineer, Intel Corporation
http://blog.ffwll.ch