diff options
| author | Jonathan Gray <jsg@cvs.openbsd.org> | 2023-02-10 14:37:17 +0000 |
|---|---|---|
| committer | Jonathan Gray <jsg@cvs.openbsd.org> | 2023-02-10 14:37:17 +0000 |
| commit | 5f32a3c04c658630652f986b291875140dccbf93 (patch) | |
| tree | 6b80f81bd084aa92baf59047ea0c9d3170db5c8a | |
| parent | e0a621aed2afe31f60f4c45b65206eb79c299038 (diff) | |
drm/i915: Avoid potential vm use-after-free
From Rob Clark
764accc2c1b8fd1507be2e7f436c94cdce887a00 in linux-6.1.y/6.1.11
41d419382ec7e257e54b7b6ff0d3623aafb1316d in mainline linux
| -rw-r--r-- | sys/dev/pci/drm/i915/gem/i915_gem_context.c | 14 |
1 files changed, 11 insertions, 3 deletions
diff --git a/sys/dev/pci/drm/i915/gem/i915_gem_context.c b/sys/dev/pci/drm/i915/gem/i915_gem_context.c index 2a49ede2eb6..92711306e0b 100644 --- a/sys/dev/pci/drm/i915/gem/i915_gem_context.c +++ b/sys/dev/pci/drm/i915/gem/i915_gem_context.c @@ -1890,11 +1890,19 @@ static int get_ppgtt(struct drm_i915_file_private *file_priv, vm = ctx->vm; GEM_BUG_ON(!vm); + /* + * Get a reference for the allocated handle. Once the handle is + * visible in the vm_xa table, userspace could try to close it + * from under our feet, so we need to hold the extra reference + * first. + */ + i915_vm_get(vm); + err = xa_alloc(&file_priv->vm_xa, &id, vm, xa_limit_32b, GFP_KERNEL); - if (err) + if (err) { + i915_vm_put(vm); return err; - - i915_vm_get(vm); + } GEM_BUG_ON(id == 0); /* reserved for invalid/unassigned ppgtt */ args->value = id; |