[Intel-xe] [PATCH] drm/xe: Do not unbind destroyed vmas
Das, Nirmoy
nirmoy.das at linux.intel.com
Wed May 24 12:40:02 UTC 2023
Hi Matt,
On 5/24/2023 1:30 AM, Matthew Brost wrote:
> On Tue, May 23, 2023 at 10:24:12PM +0200, Nirmoy Das wrote:
>> Fix a vma UAF when userspace calls unbind ioctl more
>> than once.
>>
> I see the problem, yea this is kinda an issue but will conflict with the
> GPUVA series where this is also fixed by removing the async worker.
Yes, the issue is that the async worker will access the freed vma. I did
try to remove the async_op for that vma from the pending list but I missed
some fence signaling somewhere.
>
> Is this a problem from any UMDs? If it isn't I'd say defer this until
> the GPUVA series.
Not sure about UMD but I hit this while trying to implement madvise for
VMAs where I would unbind a vma if it is set to DONTNEED.
From my side this can wait.
Regards,
Nirmoy
>
> Matt
>
>> Signed-off-by: Nirmoy Das <nirmoy.das at intel.com>
>> ---
>> drivers/gpu/drm/xe/xe_vm.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/drivers/gpu/drm/xe/xe_vm.c b/drivers/gpu/drm/xe/xe_vm.c
>> index a0306526b269..7a9f1ba432b8 100644
>> --- a/drivers/gpu/drm/xe/xe_vm.c
>> +++ b/drivers/gpu/drm/xe/xe_vm.c
>> @@ -2769,7 +2769,7 @@ static struct xe_vma *vm_unbind_all_lookup_vmas(struct xe_vm *vm,
>> xe_bo_assert_held(bo);
>>
>> list_for_each_entry(vma, &bo->vmas, bo_link) {
>> - if (vma->vm != vm)
>> + if (vma->vm != vm || vma->destroyed)
>> continue;
>>
>> prep_vma_destroy(vm, vma);
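Review bot: The added `vma->destroyed` test in the `list_for_each_entry` loop is read with only `xe_bo_assert_held(bo)` visible as protection, and neither the code nor the commit message says which lock guards that flag or why a destroyed vma can still be linked on `bo->vmas`. Since the message describes a use-after-free, please spell out where the freed vma is accessed and why skipping it at this point is sufficient, and add a one-line comment above the condition. It would also help to state what a repeated unbind ioctl now returns to userspace when every matching vma is skipped.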
>> --
>> 2.39.0
>>