From: Matthew Auld
To: intel-gfx@lists.freedesktop.org
Cc: Christian König, dri-devel@lists.freedesktop.org, Arunpravin
Subject: [PATCH] drm/i915/buddy: fixup potential uaf
Date: Mon, 17 Jan 2022 15:10:53 +0000
Message-Id: <20220117151053.1844062-1-matthew.auld@intel.com>
X-Patchwork-Id: 12715533

If we are unlucky and can't allocate enough memory when splitting blocks, where we temporarily end up with the given block and its buddy on the respective free list, then we need to ensure we delete both blocks, and not just the buddy, before potentially freeing them.

Fixes: 14d1b9a6247c ("drm/i915: buddy allocator")
Signed-off-by: Matthew Auld
Cc: Arunpravin
Cc: Christian König

--- drivers/gpu/drm/i915/i915_buddy.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/i915/i915_buddy.c b/drivers/gpu/drm/i915/i915_buddy.c index 6e2ad68f8f3f..9ca81b095adb 100644 --- a/drivers/gpu/drm/i915/i915_buddy.c +++ b/drivers/gpu/drm/i915/i915_buddy.c @@ -293,8 +293,10 @@ i915_buddy_alloc(struct i915_buddy_mm *mm, unsigned int order) return block; out_free: - if (i != order) + if (i != order) { + list_del(&block->link); __i915_buddy_free(mm, block); + } return ERR_PTR(err); } @@ -401,8 +403,10 @@ int i915_buddy_alloc_range(struct i915_buddy_mm *mm, buddy = get_buddy(block); if (buddy && (i915_buddy_block_is_free(block) && - i915_buddy_block_is_free(buddy))) + i915_buddy_block_is_free(buddy))) { + list_del(&block->link); __i915_buddy_free(mm, block); + } err_free: i915_buddy_free_list(mm, &allocated);
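
Review bot: In the first hunk, at the out_free label of i915_buddy_alloc(), the new list_del(&block->link) is guarded only by i != order, and nothing in the visible lines states that block is always linked on a free list when that condition holds. A short comment at out_free saying that a failed split leaves block and its buddy on the free list, and that block has to be unlinked before __i915_buddy_free() may free it, would make the invariant explicit. An assertion on i915_buddy_block_is_free(block) ahead of the list_del, mirroring the check the i915_buddy_alloc_range() error path already makes in its condition, would catch any path that reaches this label with a block that is not on a list.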
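
Review bot: In the second hunk, in the error path of i915_buddy_alloc_range(), the pair list_del(&block->link); __i915_buddy_free(mm, block); now appears verbatim in two places (here and at out_free in i915_buddy_alloc()), so the unlink-before-free rule is enforced per call site rather than in one place. Consider a small helper that performs both steps, so a later error path cannot reintroduce the use-after-free by calling __i915_buddy_free() on a block that is still linked on a free list. The commit message also says both blocks must be deleted while the added lines unlink only block; a sentence in the message or a comment saying where the buddy is unlinked would close that gap for the reader.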