[PATCH 1/1] drm/i915: Debug potential GEM object UAF

[Janusz Krzysztofik]

CI report on abort from igt at gem_exec_whisper@basic-fds-priority-all with
traces from drm_i915_gem_object poison overwritten and its kmem_cache list
node->next poisoned at the time of deletion from its list looks for me
like caused by GEM object use after free.

Trigger a bug and dump ftrace if a GEM object to be freed occurs not a
valid kmem object, both before we call_rcu() for its deletion and then
before we call kmem_cache_free().

Signed-off-by: Janusz Krzysztofik <janusz.krzysztofik at linux.intel.com>
---
 drivers/gpu/drm/i915/gem/i915_gem_object.c | 2 ++
 drivers/gpu/drm/i915/gem/i915_gem_ttm.c    | 1 +
 2 files changed, 3 insertions(+)

diff --git a/drivers/gpu/drm/i915/gem/i915_gem_object.c b/drivers/gpu/drm/i915/gem/i915_gem_object.c
index e6d4efde4fc51..a61acda7243bf 100644
--- a/drivers/gpu/drm/i915/gem/i915_gem_object.c
+++ b/drivers/gpu/drm/i915/gem/i915_gem_object.c
@@ -59,6 +59,7 @@ struct drm_i915_gem_object *i915_gem_object_alloc(void)
 
 void i915_gem_object_free(struct drm_i915_gem_object *obj)
 {
+	GEM_BUG_ON(!kmem_valid_obj(obj));
 	return kmem_cache_free(slab_objects, obj);
 }
 
@@ -349,6 +350,7 @@ static void __i915_gem_free_objects(struct drm_i915_private *i915,
 		__i915_gem_free_object(obj);
 
 		/* But keep the pointer alive for RCU-protected lookups */
+		GEM_BUG_ON(!kmem_valid_obj(obj));
 		call_rcu(&obj->rcu, __i915_gem_free_object_rcu);
 		cond_resched();
 	}
diff --git a/drivers/gpu/drm/i915/gem/i915_gem_ttm.c b/drivers/gpu/drm/i915/gem/i915_gem_ttm.c
index 341b94672abcb..a04f78069dc86 100644
--- a/drivers/gpu/drm/i915/gem/i915_gem_ttm.c
+++ b/drivers/gpu/drm/i915/gem/i915_gem_ttm.c
@@ -1268,6 +1268,7 @@ void i915_ttm_bo_destroy(struct ttm_buffer_object *bo)
 		/* This releases all gem object bindings to the backend. */
 		__i915_gem_free_object(obj);
 
+		GEM_BUG_ON(!kmem_valid_obj(obj));
 		call_rcu(&obj->rcu, __i915_gem_free_object_rcu);
 	} else {
 		__i915_gem_object_fini(obj);
-- 
2.25.1