[Intel-xe] [PATCH] drm/xe: Do not unbind destroyed vmas

Souza, Jose jose.souza at intel.com
Wed May 24 14:14:02 UTC 2023


On Wed, 2023-05-24 at 14:40 +0200, Das, Nirmoy wrote:
> Hi Matt,
> 
> On 5/24/2023 1:30 AM, Matthew Brost wrote:
> > On Tue, May 23, 2023 at 10:24:12PM +0200, Nirmoy Das wrote:
> > > Fix a vma UAF when userspace calls unbind ioctl more
> > > than once.
> > > 
> > I see the problem, yea this is kinda an issue but will conflict with the
> > GPUVA series where this is also fixed by removing the async worker.
> 
> Yes, the issue is that the async worker will access the freed vma. I did
> try to remove the async_op for that vma from the pending list but I missed
> some fence signaling somewhere.
> 
> 
> > 
> > Is this a problem from any UMDs? If it isn't I'd say defer this until
> > the GPUVA series.
> 
> 
> Not sure about UMD but I hit this while trying to implement madvise for 
> VMAs where I would unbind a vma if it is set to DONTNEED.
> 
> From my side this can wait.

This change is so small, the conflict would be minor.
+2 for anything that can help stabilize the stack.

> 
> 
> Regards,
> 
> Nirmoy
> 
> > 
> > Matt
> > 
> > > Signed-off-by: Nirmoy Das <nirmoy.das at intel.com>
> > > ---
> > >   drivers/gpu/drm/xe/xe_vm.c | 2 +-
> > >   1 file changed, 1 insertion(+), 1 deletion(-)
> > > 
> > > diff --git a/drivers/gpu/drm/xe/xe_vm.c b/drivers/gpu/drm/xe/xe_vm.c
> > > index a0306526b269..7a9f1ba432b8 100644
> > > --- a/drivers/gpu/drm/xe/xe_vm.c
> > > +++ b/drivers/gpu/drm/xe/xe_vm.c
> > > @@ -2769,7 +2769,7 @@ static struct xe_vma *vm_unbind_all_lookup_vmas(struct xe_vm *vm,
> > >   	xe_bo_assert_held(bo);
> > >   
> > >   	list_for_each_entry(vma, &bo->vmas, bo_link) {
> > > -		if (vma->vm != vm)
> > > +		if (vma->vm != vm || vma->destroyed)
> > >   			continue;
> > >   
> > >   		prep_vma_destroy(vm, vma);
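
Review bot: The new `vma->destroyed` test in the `list_for_each_entry` loop has no comment saying why a destroyed vma can still be linked on `bo->vmas`, and the only locking visible in this hunk is `xe_bo_assert_held(bo)`. Please add a one-line comment at the check and state in the commit message which lock the `destroyed` flag is written under, since skipping the vma only protects against a repeated unbind if the flag is set before that lock is dropped. The commit message should also describe how the repeated unbind reaches the freed vma, so the fix can be checked against that path.
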
> > > -- 
> > > 2.39.0
> > > 


