[PATCH] drm/i915/gt: Delete sysfs entries for engines on driver unload
Krzysztof Niemiec
krzysztof.niemiec at intel.com
Mon Aug 5 15:46:06 UTC 2024
On 2024-08-01 at 17:40:48 GMT, Krzysztof Niemiec wrote:
> While the sysfs entries for engines are added in intel_engines_init()
> during driver load, the corresponding function intel_engines_release()
> does not correctly get rid of them. This can lead to a UAF if, after
> failed initialization (for example when gt is set wedged on init), we
> try to access the engines.
>
> Empty the engines llist in intel_engines_release().
>
> Suggested-by: Chris Wilson <chris.p.wilson at linux.intel.com>
> Signed-off-by: Krzysztof Niemiec <krzysztof.niemiec at intel.com>
> ---
> drivers/gpu/drm/i915/gt/intel_engine_cs.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/drivers/gpu/drm/i915/gt/intel_engine_cs.c b/drivers/gpu/drm/i915/gt/intel_engine_cs.c
> index 3b740ca25000..4d30a86016f2 100644
> --- a/drivers/gpu/drm/i915/gt/intel_engine_cs.c
> +++ b/drivers/gpu/drm/i915/gt/intel_engine_cs.c
> @@ -693,6 +693,8 @@ void intel_engines_release(struct intel_gt *gt)
>
> memset(&engine->reset, 0, sizeof(engine->reset));
> }
> +
> + llist_del_all(>->i915->uabi_engines_llist);
> }
>
> void intel_engine_free_request_pool(struct intel_engine_cs *engine)
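Review bot: The new llist_del_all() call at the end of intel_engines_release() empties a list that hangs off the device (->i915->uabi_engines_llist), while the function itself takes a single struct intel_gt *gt. The first GT to be released therefore drops every entry on that list, not only those for the engines handled earlier in this function. If that is intended, a short comment above the call should say so. The return value is also discarded: llist_del_all() hands back the detached chain, and ignoring it is correct only if the nodes need no cleanup of their own, which is worth stating in the same comment. It would also help to note what guarantees that nothing is still adding to or walking the list at this point in the release path.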
> --
> 2.45.2
>
I noticed that the commit message isn't totally correct. Code changes
are correct.

The message should be replaced with:

drm/i915/gt: Empty uabi engines list during intel_engines_release()

While the uabi_engines_llist is populated in intel_engines_init() during
driver load, the corresponding function intel_engines_release() does not
correctly get rid of it. This can lead to a UAF if, after failed
initialization (for example when gt is set wedged on init), we try to
access the engines.

Thanks
Krzysztof