[Intel-xe] [PATCH] drm/xe: Do not unbind destroyed vmas

Nirmoy Das nirmoy.das at intel.com
Tue May 23 20:24:12 UTC 2023


Fix a vma UAF when userspace calls unbind ioctl more
than once.

Signed-off-by: Nirmoy Das <nirmoy.das at intel.com>
---
 drivers/gpu/drm/xe/xe_vm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/xe/xe_vm.c b/drivers/gpu/drm/xe/xe_vm.c
index a0306526b269..7a9f1ba432b8 100644
--- a/drivers/gpu/drm/xe/xe_vm.c
+++ b/drivers/gpu/drm/xe/xe_vm.c
@@ -2769,7 +2769,7 @@ static struct xe_vma *vm_unbind_all_lookup_vmas(struct xe_vm *vm,
 	xe_bo_assert_held(bo);
 
 	list_for_each_entry(vma, &bo->vmas, bo_link) {
-		if (vma->vm != vm)
+		if (vma->vm != vm || vma->destroyed)
 			continue;
 
 		prep_vma_destroy(vm, vma);
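Review bot: The new `vma->destroyed` test in the `list_for_each_entry()` condition has no comment, and the commit message does not say why a destroyed vma can still be linked on `bo->vmas` when a second unbind arrives. A one-line comment above the `if` and a sentence in the commit message would make the lifetime rule clear. The hunk only shows `xe_bo_assert_held(bo)`, so please also confirm that `vma->destroyed` is written under that same bo lock; otherwise the read here can race with the path that sets it. Since `vm_unbind_all_lookup_vmas()` returns a `struct xe_vma *`, check as well that the caller handles the case where every entry is now skipped on the repeated ioctl. A Fixes: tag would help with backporting a UAF fix.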
-- 
2.39.0


