Message ID | 20220208113815.314048-1-matthew.auld@intel.com (mailing list archive) |
---|---|
State | New, archived |
Series | drm/buddy: fixup potential uaf |
On Tue, Feb 08, 2022 at 11:38:15AM +0000, Matthew Auld wrote: > If we are unlucky and somehow can't allocate enough memory when > splitting blocks, where we temporarily end up with the given block and > its buddy on the respective free list, then we need to ensure we delete > both blocks, and not just the buddy, before potentially freeing them. > > v2: rebase on i915_buddy removal > > Fixes: 14d1b9a6247c ("drm/i915: buddy allocator") > Signed-off-by: Matthew Auld <matthew.auld@intel.com> > Cc: Arunpravin <Arunpravin.PaneerSelvam@amd.com> > Cc: Christian König <christian.koenig@amd.com> btw wrt fixups, can you pls include the drm_buddy.c kerneldoc into Documentation/gpu/drm-mm.rst? That seems to be missing. Also probably some kerneldoc to polish to make it warning free and complete. -Daniel > --- > drivers/gpu/drm/drm_buddy.c | 8 ++++++-- > 1 file changed, 6 insertions(+), 2 deletions(-) > > diff --git a/drivers/gpu/drm/drm_buddy.c b/drivers/gpu/drm/drm_buddy.c > index d60878bc9c20..2bf75e8abfaa 100644 > --- a/drivers/gpu/drm/drm_buddy.c > +++ b/drivers/gpu/drm/drm_buddy.c > @@ -333,8 +333,10 @@ drm_buddy_alloc_blocks(struct drm_buddy *mm, unsigned int order) > return block; > > out_free: > - if (i != order) > + if (i != order) { > + list_del(&block->link); > __drm_buddy_free(mm, block); > + } > return ERR_PTR(err); > } > EXPORT_SYMBOL(drm_buddy_alloc_blocks); > @@ -452,8 +454,10 @@ int drm_buddy_alloc_range(struct drm_buddy *mm, > buddy = get_buddy(block); > if (buddy && > (drm_buddy_block_is_free(block) && > - drm_buddy_block_is_free(buddy))) > + drm_buddy_block_is_free(buddy))) { > + list_del(&block->link); > __drm_buddy_free(mm, block); > + } > > err_free: > drm_buddy_free_list(mm, &allocated); > -- > 2.34.1 >
diff --git a/drivers/gpu/drm/drm_buddy.c b/drivers/gpu/drm/drm_buddy.c index d60878bc9c20..2bf75e8abfaa 100644 --- a/drivers/gpu/drm/drm_buddy.c +++ b/drivers/gpu/drm/drm_buddy.c @@ -333,8 +333,10 @@ drm_buddy_alloc_blocks(struct drm_buddy *mm, unsigned int order) return block; out_free: - if (i != order) + if (i != order) { + list_del(&block->link); __drm_buddy_free(mm, block); + } return ERR_PTR(err); } EXPORT_SYMBOL(drm_buddy_alloc_blocks); @@ -452,8 +454,10 @@ int drm_buddy_alloc_range(struct drm_buddy *mm, buddy = get_buddy(block); if (buddy && (drm_buddy_block_is_free(block) && - drm_buddy_block_is_free(buddy))) + drm_buddy_block_is_free(buddy))) { + list_del(&block->link); __drm_buddy_free(mm, block); + } err_free: drm_buddy_free_list(mm, &allocated);
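Review bot: in the out_free hunk of drm_buddy_alloc_blocks, the new list_del(&block->link) is only safe if block is guaranteed to be linked on a free list whenever i != order, and neither the hunk nor a comment records that invariant; list_del on an unlinked block corrupts its neighbours' pointers. Suggest a short comment above the call, e.g. `/* block is still on its free list; unlink it before __drm_buddy_free() merges and frees it */`, and a sentence in the commit message saying that __drm_buddy_free deliberately unlinks only the buddy, which is why the caller has to unlink block itself.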
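Review bot: the drm_buddy_alloc_range hunk is now the second site that pairs list_del(&block->link) with __drm_buddy_free(mm, block) (the other is out_free in drm_buddy_alloc_blocks above), and each site is correct only as long as the caller remembers the unlink. Since __drm_buddy_free already takes the buddy off its free list, consider moving the list_del of block into __drm_buddy_free itself, or into a small helper used by both sites, so a future caller cannot reintroduce the same use-after-free; if that is not possible because __drm_buddy_free also receives blocks that are not on any free list, a comment at both sites saying so would explain why the unlink stays with the caller.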
If we are unlucky and somehow can't allocate enough memory when splitting blocks, where we temporarily end up with the given block and its buddy on the respective free list, then we need to ensure we delete both blocks, and not just the buddy, before potentially freeing them.

v2: rebase on i915_buddy removal

Fixes: 14d1b9a6247c ("drm/i915: buddy allocator")
Signed-off-by: Matthew Auld <matthew.auld@intel.com>
Cc: Arunpravin <Arunpravin.PaneerSelvam@amd.com>
Cc: Christian König <christian.koenig@amd.com>
---
drivers/gpu/drm/drm_buddy.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
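The following is a constructed user-space model of the failure path the commit message describes, added here as an illustration; it is not kernel code and not part of this patch. It builds the state reached when a split has succeeded but the allocation then fails (a parent block whose two free children both sit on the order-0 free list), using a static pool, a minimal intrusive list with the same shape as the kernel's list_head, and a free routine that, like __drm_buddy_free as characterised in the commit message, unlinks only the buddy. "Freeing" merely sets a released flag so the stale free-list entry can be inspected without undefined behaviour. All names here (buddy_free_inner, setup_failed_split, dangling_entries, the pool layout) are this example's own assumptions.

```c
/* Constructed model of the drm_buddy error path; not the kernel code. */
#include <stdbool.h>
#include <stddef.h>

/* Intrusive doubly linked list in the style of the kernel's list_head. */
struct list_head { struct list_head *next, *prev; };

static void list_init(struct list_head *h) { h->next = h->prev = h; }

static void list_add(struct list_head *n, struct list_head *h)
{
	n->next = h->next;
	n->prev = h;
	h->next->prev = n;
	h->next = n;
}

static void list_del(struct list_head *n)
{
	n->prev->next = n->next;
	n->next->prev = n->prev;
}

#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))

#define MAX_ORDER 1

struct block {
	struct block *parent, *left, *right;
	unsigned int order;
	bool is_free;		/* linked on mm->free_list[order] */
	bool released;		/* stand-in for the real kfree() */
	struct list_head link;
};

struct buddy_mm { struct list_head free_list[MAX_ORDER + 1]; };

static struct block pool[3];	/* parent plus its two children (assumed layout) */

static void mark_free(struct buddy_mm *mm, struct block *b)
{
	b->is_free = true;
	list_add(&b->link, &mm->free_list[b->order]);
}

static struct block *get_buddy(struct block *b)
{
	struct block *p = b->parent;

	if (!p)
		return NULL;
	return p->left == b ? p->right : p->left;
}

/* Merges b with its free buddy up the tree; unlinks only the buddy, as the
 * commit message says the real __drm_buddy_free does. */
static void buddy_free_inner(struct buddy_mm *mm, struct block *b)
{
	struct block *parent;

	while ((parent = b->parent)) {
		struct block *buddy = get_buddy(b);

		if (!buddy->is_free)
			break;
		list_del(&buddy->link);
		b->released = true;
		buddy->released = true;
		b = parent;
	}
	mark_free(mm, b);
}

/* State at out_free: parent (order 1) split, both order-0 children free. */
static struct block *setup_failed_split(struct buddy_mm *mm)
{
	struct block *parent = &pool[0], *left = &pool[1], *right = &pool[2];
	unsigned int i;

	for (i = 0; i <= MAX_ORDER; i++)
		list_init(&mm->free_list[i]);
	for (i = 0; i < 3; i++)
		pool[i] = (struct block){ 0 };

	parent->order = 1;
	parent->left = left;
	parent->right = right;
	left->parent = right->parent = parent;
	mark_free(mm, left);
	mark_free(mm, right);
	return left;	/* the block the allocator still holds */
}

/* Count free-list entries that point at already released blocks. */
static int dangling_entries(struct buddy_mm *mm, unsigned int order)
{
	struct list_head *head = &mm->free_list[order], *pos;
	int n = 0;

	for (pos = head->next; pos != head; pos = pos->next)
		if (container_of(pos, struct block, link)->released)
			n++;
	return n;
}

/* Cleanup as before the patch: block is released while still linked. */
static int cleanup_before_fix(void)
{
	struct buddy_mm mm;
	struct block *block = setup_failed_split(&mm);

	buddy_free_inner(&mm, block);
	return dangling_entries(&mm, 0);
}

/* Cleanup as in the patch: unlink block itself first, then merge/free. */
static int cleanup_after_fix(void)
{
	struct buddy_mm mm;
	struct block *block = setup_failed_split(&mm);

	list_del(&block->link);
	buddy_free_inner(&mm, block);
	return dangling_entries(&mm, 0);
}
```

cleanup_before_fix() reports one stale entry on free_list[0]: the released left child is still reachable from the list head, which is exactly the pointer a later allocation would follow in the kernel. cleanup_after_fix() reports none.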