diff options
| author | Thomas Hellström <thomas.hellstrom@linux.intel.com> | 2022-06-20 14:36:59 +0200 |
|---|---|---|
| committer | Rodrigo Vivi <rodrigo.vivi@intel.com> | 2022-07-12 18:16:40 -0400 |
| commit | 48da0f67c53eecd2594c302be6c8a665b7740eaf (patch) | |
| tree | 2bdd18e9a663ff589fde610b796abdf820c39a80 /drivers/usb/cdns3/cdns3-ti.c | |
| parent | 1391b9cfd35bb8f10785a17cb4bb5ea8d10faaae (diff) | |
drm/i915: Fix vm use-after-free in vma destruction
In vma destruction, the following race may occur:
Thread 1: Thread 2:
i915_vma_destroy();
...
list_del_init(vma->vm_link);
...
mutex_unlock(vma->vm->mutex);
__i915_vm_release();
release_references();
And in release_reference() we dereference vma->vm to get to the
vm gt pointer, leading to a use-after free.
However, __i915_vm_release() grabs the vm->mutex so the vm won't be
destroyed before vma->vm->mutex is released, so extract the gt pointer
under the vm->mutex to avoid the vma->vm dereference in
release_references().
v2: Fix a typo in the commit message (Andi Shyti)
Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/5944
Fixes: e1a7ab4fca0c ("drm/i915: Remove the vm open count")
Cc: Niranjana Vishwanathapura <niranjana.vishwanathapura@intel.com>
Cc: Matthew Auld <matthew.auld@intel.com>
Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
Acked-by: Nirmoy Das <nirmoy.das@intel.con>
Reviewed-by: Andrzej Hajda <andrzej.hajda@intel.com>
Reviewed-by: Matthew Auld <matthew.auld@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20220620123659.381772-1-thomas.hellstrom@linux.intel.com
(cherry picked from commit 1926a6b75954fc1a8b44d10bd0c67db957b78cf7)
Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
Diffstat (limited to 'drivers/usb/cdns3/cdns3-ti.c')
0 files changed, 0 insertions, 0 deletions