On Thu, 19 Aug 2021 at 08:25, Thomas Hellström <thomas.hellstrom@linux.intel.com> wrote:
On Wed, 2021-08-18 at 18:12 +0100, Matthew Auld wrote:
If the ttm_bo_init_reserved() call fails ensure we also release the region, otherwise we leak the reference, or worse hit some uaf, when we start using the objects.list. Also remove the make_unshrinkable call here, which doesn't do anything.
Signed-off-by: Matthew Auld <matthew.auld@intel.com>
Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com>
drivers/gpu/drm/i915/gem/i915_gem_ttm.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/i915/gem/i915_gem_ttm.c b/drivers/gpu/drm/i915/gem/i915_gem_ttm.c index 771eb2963123..2e8cdcd5e4f7 100644 --- a/drivers/gpu/drm/i915/gem/i915_gem_ttm.c +++ b/drivers/gpu/drm/i915/gem/i915_gem_ttm.c @@ -909,7 +909,6 @@ int __i915_gem_ttm_object_init(struct intel_memory_region *mem, drm_gem_private_object_init(&i915->drm, &obj->base, size); i915_gem_object_init(obj, &i915_gem_ttm_obj_ops, &lock_class, flags); i915_gem_object_init_memory_region(obj, mem);
i915_gem_object_make_unshrinkable(obj); INIT_RADIX_TREE(&obj->ttm.get_io_page.radix, GFP_KERNEL |
__GFP_NOWARN); mutex_init(&obj->ttm.get_io_page.lock); bo_type = (obj->flags & I915_BO_ALLOC_USER) ? ttm_bo_type_device : @@ -932,7 +931,7 @@ int __i915_gem_ttm_object_init(struct intel_memory_region *mem, page_size >> PAGE_SHIFT, &ctx, NULL, NULL, i915_ttm_bo_destroy); if (ret)
return i915_ttm_err_to_gem(ret);
goto err_release_mr;
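Review bot: in the first hunk (@@ -909,7 +909,6 @@), dropping `i915_gem_object_make_unshrinkable(obj);` is a cleanup unrelated to the error-path change this patch is about, and the commit message justifies it only with "doesn't do anything". Split it into its own patch, or add a sentence on why the call is a no-op at this point in object init, so the error-path change can be reviewed and backported on its own.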
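Review bot: in the second hunk (@@ -932,7 +931,7 @@), the new `goto err_release_mr;` sits on the failure branch of a call that was handed `i915_ttm_bo_destroy` as its destroy callback, so releasing the region at the label is only correct if that callback is not already run when the call fails; if it is run, the region is released twice rather than leaked. Please state in the commit message which of the two holds on this path. The removed line also returned `i915_ttm_err_to_gem(ret)`, and the `err_release_mr` label is not in the lines shown, so confirm the label still returns the converted error and not the raw TTM code.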
IIRC when ttm_object_init_reserved fails, it will call ttm_bo_put() which will eventually end up in i915_ttm_bo_destroy() which will do the right thing?
Ah right, missed that.
/Thomas