[Intel-gfx] [PATCH v2] drm/i915: Fix vm use-after-free in vma destruction

Matthew Auld matthew.william.auld at gmail.com
Fri Jul 1 08:18:00 UTC 2022


On Mon, 20 Jun 2022 at 13:37, Thomas Hellström
<thomas.hellstrom at linux.intel.com> wrote:
>
> In vma destruction, the following race may occur:
>
> Thread 1:                         Thread 2:
> i915_vma_destroy();
>
>   ...
>   list_del_init(vma->vm_link);
>   ...
>   mutex_unlock(vma->vm->mutex);
>                                   __i915_vm_release();
> release_references();
>
> And in release_reference() we dereference vma->vm to get to the
> vm gt pointer, leading to a use-after-free.
>
> However, __i915_vm_release() grabs the vm->mutex so the vm won't be
> destroyed before vma->vm->mutex is released, so extract the gt pointer
> under the vm->mutex to avoid the vma->vm dereference in
> release_references().
>
> v2: Fix a typo in the commit message (Andi Shyti)
>
> Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/5944
> Fixes: e1a7ab4fca ("drm/i915: Remove the vm open count")
>
> Cc: Niranjana Vishwanathapura <niranjana.vishwanathapura at intel.com>
> Cc: Matthew Auld <matthew.auld at intel.com>
> Signed-off-by: Thomas Hellström <thomas.hellstrom at linux.intel.com>
Reviewed-by: Matthew Auld <matthew.auld at intel.com>
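As an added illustration, not part of the patch or of the i915 code, the C model below reproduces the ordering the commit message describes as a single-threaded interleaving: Thread 2's release is called at the exact point where it wins the race, once in the buggy order and once in the fixed order. The vm/vma/gt struct names, the integer lock and the NULL poisoning are constructed for this example.

```c
#include <assert.h>
#include <stddef.h>

typedef struct { int id; } gt_t;

typedef struct {
    int locked;     /* stands in for vm->mutex (single-threaded model) */
    gt_t *gt;       /* stands in for the vm's gt pointer read by release_references() */
    int released;   /* set once the stand-in for __i915_vm_release() has run */
} vm_t;

typedef struct { vm_t *vm; } vma_t;

static void vm_lock(vm_t *vm)   { assert(!vm->locked); vm->locked = 1; }
static void vm_unlock(vm_t *vm) { assert(vm->locked);  vm->locked = 0; }

/* Stands in for __i915_vm_release(): it takes vm->mutex, so it cannot complete
 * while vma destruction still holds the lock. The vm is poisoned instead of
 * freed so the stale read is observable deterministically (constructed). */
static void vm_release(vm_t *vm)
{
    vm_lock(vm);
    vm->gt = NULL;          /* poison: any later read through vm is the use-after-free */
    vm->released = 1;
    vm_unlock(vm);
}

/* Buggy order: unlock, vm goes away, then release_references() reads vma->vm->gt. */
static gt_t *vma_destroy_buggy(vma_t *vma)
{
    vm_t *vm = vma->vm;
    vm_lock(vm);            /* ... list_del_init(&vma->vm_link) happens here ... */
    vm_unlock(vm);
    vm_release(vm);         /* Thread 2 wins the race at this point */
    return vm->gt;          /* dereference of the dead vm: returns the poison */
}

/* Fixed order: read the gt pointer while still under vm->mutex, never touch vm again. */
static gt_t *vma_destroy_fixed(vma_t *vma)
{
    vm_t *vm = vma->vm;
    vm_lock(vm);
    gt_t *gt = vm->gt;      /* extracted under the lock, as the patch does */
    vm_unlock(vm);
    vm_release(vm);         /* Thread 2 wins the race at the same point */
    return gt;              /* release_references() uses the cached pointer */
}

/* Returns 1 when the buggy path hands back the poisoned pointer, 0 otherwise. */
static int buggy_path_reads_poison(void)
{
    gt_t gt = { 7 }; vm_t vm = { 0, &gt, 0 }; vma_t vma = { &vm };
    return vma_destroy_buggy(&vma) == NULL && vm.released;
}

/* Returns the gt id the fixed path still sees after the vm has been released. */
static int fixed_path_gt_id(void)
{
    gt_t gt = { 7 }; vm_t vm = { 0, &gt, 0 }; vma_t vma = { &vm };
    gt_t *seen = vma_destroy_fixed(&vma);
    return (seen && vm.released) ? seen->id : -1;
}
```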
