diff options
| author | Thomas Hellström <[email protected]> | 2022-06-20 14:36:59 +0200 |
|---|---|---|
| committer | Rodrigo Vivi <[email protected]> | 2022-07-06 23:04:55 -0400 |
| commit | 12058077b2e963d16d2d673d46233a7f46add7c9 (patch) | |
| tree | f5c5d35b8486725a227597cd0b2b3d4990fd889f /tools/perf/util/scripting-engines/trace-event-perl.c | |
| parent | 25c95bf494067f7bd1dfa8064ef964abe88cafc2 (diff) | |
drm/i915: Fix vm use-after-free in vma destruction
In vma destruction, the following race may occur:
Thread 1: Thread 2:
i915_vma_destroy();
...
list_del_init(vma->vm_link);
...
mutex_unlock(vma->vm->mutex);
__i915_vm_release();
release_references();
And in release_reference() we dereference vma->vm to get to the
vm gt pointer, leading to a use-after free.
However, __i915_vm_release() grabs the vm->mutex so the vm won't be
destroyed before vma->vm->mutex is released, so extract the gt pointer
under the vm->mutex to avoid the vma->vm dereference in
release_references().
v2: Fix a typo in the commit message (Andi Shyti)
Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/5944
Fixes: e1a7ab4fca0c ("drm/i915: Remove the vm open count")
Cc: Niranjana Vishwanathapura <[email protected]>
Cc: Matthew Auld <[email protected]>
Signed-off-by: Thomas Hellström <[email protected]>
Acked-by: Nirmoy Das <[email protected]>
Reviewed-by: Andrzej Hajda <[email protected]>
Reviewed-by: Matthew Auld <[email protected]>
Link: https://patchwork.freedesktop.org/patch/msgid/[email protected]
(cherry picked from commit 1926a6b75954fc1a8b44d10bd0c67db957b78cf7)
Signed-off-by: Rodrigo Vivi <[email protected]>
Diffstat (limited to 'tools/perf/util/scripting-engines/trace-event-perl.c')
0 files changed, 0 insertions, 0 deletions