[PATCH 02/26] drm/buddy: fixup potential uaf
Matthew Auld
matthew.auld at intel.com
Mon Feb 14 10:12:05 UTC 2022

If we are unlucky and somehow can't allocate enough memory when
splitting blocks, where we temporarily end up with the given block and
its buddy on the respective free list, then we need to ensure we delete
both blocks, and not just the buddy, before potentially freeing them.

v2: rebase on i915_buddy removal

Fixes: 14d1b9a6247c ("drm/i915: buddy allocator")
Signed-off-by: Matthew Auld <matthew.auld at intel.com>
Cc: Arunpravin <Arunpravin.PaneerSelvam at amd.com>
Cc: Christian König <christian.koenig at amd.com>
---
drivers/gpu/drm/drm_buddy.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/drm_buddy.c b/drivers/gpu/drm/drm_buddy.c
index d60878bc9c20..2bf75e8abfaa 100644
--- a/drivers/gpu/drm/drm_buddy.c
+++ b/drivers/gpu/drm/drm_buddy.c
@@ -333,8 +333,10 @@ drm_buddy_alloc_blocks(struct drm_buddy *mm, unsigned int order)
return block;
out_free:
- if (i != order)
+ if (i != order) {
+ list_del(&block->link);
__drm_buddy_free(mm, block);
+ }
return ERR_PTR(err);
}
EXPORT_SYMBOL(drm_buddy_alloc_blocks);
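
Review bot: The list_del(&block->link) added under out_free: is only safe if block is still linked on a free list whenever i != order, and nothing in this hunk states that invariant. A list_del() on an entry that is not currently on a list is itself a bug, so please add a short comment above it saying that a failed split leaves the block on its free list, or guard it with an explicit drm_buddy_block_is_free(block) check as the drm_buddy_alloc_range() path does. The commit message says both the block and its buddy must be deleted, but only block is unlinked here; a comment noting where the buddy is taken off its list would make the fix easier to verify.
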
@@ -452,8 +454,10 @@ int drm_buddy_alloc_range(struct drm_buddy *mm,
buddy = get_buddy(block);
if (buddy &&
(drm_buddy_block_is_free(block) &&
- drm_buddy_block_is_free(buddy)))
+ drm_buddy_block_is_free(buddy))) {
+ list_del(&block->link);
__drm_buddy_free(mm, block);
+ }
err_free:
drm_buddy_free_list(mm, &allocated);
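
Review bot: The pair list_del(&block->link); __drm_buddy_free(mm, block); in this error path is now an exact duplicate of the one added at out_free: in drm_buddy_alloc_blocks(), so the two can drift apart again. Consider a small static helper that unlinks the block and then frees it, and call it from both places. Since the change carries a Fixes: tag for a potential use-after-free, a test that forces the split allocation to fail on this range path would also help confirm that no stale entry is left on the free list.
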
--
2.34.1