dri-devel.lists.freedesktop.org archive mirror
 help / color / mirror / Atom feed
* [PATCH] drm/i915/ttm: ensure we release the intel_memory_region
@ 2021-08-18 17:12 Matthew Auld
  2021-08-19  7:25 ` Thomas Hellström
  0 siblings, 1 reply; 3+ messages in thread
From: Matthew Auld @ 2021-08-18 17:12 UTC (permalink / raw)
  To: intel-gfx; +Cc: dri-devel, Thomas Hellström

If the ttm_bo_init_reserved() call fails ensure we also release the
region, otherwise we leak the reference, or worse hit some uaf, when we
start using the objects.list. Also remove the make_unshrinkable call
here, which doesn't do anything.

Signed-off-by: Matthew Auld <matthew.auld@intel.com>
Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com>
---
 drivers/gpu/drm/i915/gem/i915_gem_ttm.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/i915/gem/i915_gem_ttm.c b/drivers/gpu/drm/i915/gem/i915_gem_ttm.c
index 771eb2963123..2e8cdcd5e4f7 100644
--- a/drivers/gpu/drm/i915/gem/i915_gem_ttm.c
+++ b/drivers/gpu/drm/i915/gem/i915_gem_ttm.c
@@ -909,7 +909,6 @@ int __i915_gem_ttm_object_init(struct intel_memory_region *mem,
 	drm_gem_private_object_init(&i915->drm, &obj->base, size);
 	i915_gem_object_init(obj, &i915_gem_ttm_obj_ops, &lock_class, flags);
 	i915_gem_object_init_memory_region(obj, mem);
-	i915_gem_object_make_unshrinkable(obj);
 	INIT_RADIX_TREE(&obj->ttm.get_io_page.radix, GFP_KERNEL | __GFP_NOWARN);
 	mutex_init(&obj->ttm.get_io_page.lock);
 	bo_type = (obj->flags & I915_BO_ALLOC_USER) ? ttm_bo_type_device :
@@ -932,7 +931,7 @@ int __i915_gem_ttm_object_init(struct intel_memory_region *mem,
 				   page_size >> PAGE_SHIFT,
 				   &ctx, NULL, NULL, i915_ttm_bo_destroy);
 	if (ret)
-		return i915_ttm_err_to_gem(ret);
+		goto err_release_mr;
 
 	obj->ttm.created = true;
 	i915_ttm_adjust_domains_after_move(obj);
@@ -940,6 +939,10 @@ int __i915_gem_ttm_object_init(struct intel_memory_region *mem,
 	i915_gem_object_unlock(obj);
 
 	return 0;
+
+err_release_mr:
+	i915_gem_object_release_memory_region(obj);
+	return i915_ttm_err_to_gem(ret);
 }
 
 static const struct intel_memory_region_ops ttm_system_region_ops = {
-- 
2.26.3


^ permalink raw reply related	[flat|nested] 3+ messages in thread
* Re: [PATCH] drm/i915/ttm: ensure we release the intel_memory_region
  2021-08-18 17:12 [PATCH] drm/i915/ttm: ensure we release the intel_memory_region Matthew Auld
@ 2021-08-19  7:25 ` Thomas Hellström
  2021-08-19  8:29   ` [Intel-gfx] " Matthew Auld
  0 siblings, 1 reply; 3+ messages in thread
From: Thomas Hellström @ 2021-08-19  7:25 UTC (permalink / raw)
  To: Matthew Auld, intel-gfx; +Cc: dri-devel

On Wed, 2021-08-18 at 18:12 +0100, Matthew Auld wrote:
> If the ttm_bo_init_reserved() call fails ensure we also release the
> region, otherwise we leak the reference, or worse hit some uaf, when
> we
> start using the objects.list. Also remove the make_unshrinkable call
> here, which doesn't do anything.
> 
> Signed-off-by: Matthew Auld <matthew.auld@intel.com>
> Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com>
> ---
>  drivers/gpu/drm/i915/gem/i915_gem_ttm.c | 7 +++++--
>  1 file changed, 5 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/gpu/drm/i915/gem/i915_gem_ttm.c
> b/drivers/gpu/drm/i915/gem/i915_gem_ttm.c
> index 771eb2963123..2e8cdcd5e4f7 100644
> --- a/drivers/gpu/drm/i915/gem/i915_gem_ttm.c
> +++ b/drivers/gpu/drm/i915/gem/i915_gem_ttm.c
> @@ -909,7 +909,6 @@ int __i915_gem_ttm_object_init(struct
> intel_memory_region *mem,
>         drm_gem_private_object_init(&i915->drm, &obj->base, size);
>         i915_gem_object_init(obj, &i915_gem_ttm_obj_ops, &lock_class,
> flags);
>         i915_gem_object_init_memory_region(obj, mem);
> -       i915_gem_object_make_unshrinkable(obj);
>         INIT_RADIX_TREE(&obj->ttm.get_io_page.radix, GFP_KERNEL |
> __GFP_NOWARN);
>         mutex_init(&obj->ttm.get_io_page.lock);
>         bo_type = (obj->flags & I915_BO_ALLOC_USER) ?
> ttm_bo_type_device :
> @@ -932,7 +931,7 @@ int __i915_gem_ttm_object_init(struct
> intel_memory_region *mem,
>                                    page_size >> PAGE_SHIFT,
>                                    &ctx, NULL, NULL,
> i915_ttm_bo_destroy);
>         if (ret)
> -               return i915_ttm_err_to_gem(ret);
> +               goto err_release_mr;

IIRC when ttm_object_init_reserved fails, it will call ttm_bo_put()
which will eventually end up in i915_ttm_bo_destroy() which will do the
right thing?

/Thomas



^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: [Intel-gfx] [PATCH] drm/i915/ttm: ensure we release the intel_memory_region
  2021-08-19  7:25 ` Thomas Hellström
@ 2021-08-19  8:29   ` Matthew Auld
  0 siblings, 0 replies; 3+ messages in thread
From: Matthew Auld @ 2021-08-19  8:29 UTC (permalink / raw)
  To: Thomas Hellström
  Cc: Matthew Auld, Intel Graphics Development, ML dri-devel

On Thu, 19 Aug 2021 at 08:25, Thomas Hellström
<thomas.hellstrom@linux.intel.com> wrote:
>
> On Wed, 2021-08-18 at 18:12 +0100, Matthew Auld wrote:
> > If the ttm_bo_init_reserved() call fails ensure we also release the
> > region, otherwise we leak the reference, or worse hit some uaf, when
> > we
> > start using the objects.list. Also remove the make_unshrinkable call
> > here, which doesn't do anything.
> >
> > Signed-off-by: Matthew Auld <matthew.auld@intel.com>
> > Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com>
> > ---
> >  drivers/gpu/drm/i915/gem/i915_gem_ttm.c | 7 +++++--
> >  1 file changed, 5 insertions(+), 2 deletions(-)
> >
> > diff --git a/drivers/gpu/drm/i915/gem/i915_gem_ttm.c
> > b/drivers/gpu/drm/i915/gem/i915_gem_ttm.c
> > index 771eb2963123..2e8cdcd5e4f7 100644
> > --- a/drivers/gpu/drm/i915/gem/i915_gem_ttm.c
> > +++ b/drivers/gpu/drm/i915/gem/i915_gem_ttm.c
> > @@ -909,7 +909,6 @@ int __i915_gem_ttm_object_init(struct
> > intel_memory_region *mem,
> >         drm_gem_private_object_init(&i915->drm, &obj->base, size);
> >         i915_gem_object_init(obj, &i915_gem_ttm_obj_ops, &lock_class,
> > flags);
> >         i915_gem_object_init_memory_region(obj, mem);
> > -       i915_gem_object_make_unshrinkable(obj);
> >         INIT_RADIX_TREE(&obj->ttm.get_io_page.radix, GFP_KERNEL |
> > __GFP_NOWARN);
> >         mutex_init(&obj->ttm.get_io_page.lock);
> >         bo_type = (obj->flags & I915_BO_ALLOC_USER) ?
> > ttm_bo_type_device :
> > @@ -932,7 +931,7 @@ int __i915_gem_ttm_object_init(struct
> > intel_memory_region *mem,
> >                                    page_size >> PAGE_SHIFT,
> >                                    &ctx, NULL, NULL,
> > i915_ttm_bo_destroy);
> >         if (ret)
> > -               return i915_ttm_err_to_gem(ret);
> > +               goto err_release_mr;
>
> IIRC when ttm_object_init_reserved fails, it will call ttm_bo_put()
> which will eventually end up in i915_ttm_bo_destroy() which will do the
> right thing?

Ah right, missed that.

>
> /Thomas
>
>

^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-08-19  8:30 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-08-18 17:12 [PATCH] drm/i915/ttm: ensure we release the intel_memory_region Matthew Auld
2021-08-19  7:25 ` Thomas Hellström
2021-08-19  8:29   ` [Intel-gfx] " Matthew Auld

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).