drm/i915/buddy: fixup potential uaf

Submitted by Matthew Auld on Jan. 17, 2022, 3:10 p.m.

Details

Message ID 20220117151053.1844062-1-matthew.auld@intel.com
State New
Series "drm/i915/buddy: fixup potential uaf" ( rev: 1 ) in Intel GFX

Commit Message

Matthew Auld Jan. 17, 2022, 3:10 p.m.
If we are unlucky and can't allocate enough memory when splitting
blocks, where we temporarily end up with the given block and its buddy
on the respective free list, then we need to ensure we delete both
blocks, and not just the buddy, before potentially freeing them.

Fixes: 14d1b9a6247c ("drm/i915: buddy allocator")
Signed-off-by: Matthew Auld <matthew.auld@intel.com>
Cc: Arunpravin <Arunpravin.PaneerSelvam@amd.com>
Cc: Christian König <christian.koenig@amd.com>
---
 drivers/gpu/drm/i915/i915_buddy.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)


diff --git a/drivers/gpu/drm/i915/i915_buddy.c b/drivers/gpu/drm/i915/i915_buddy.c
index 6e2ad68f8f3f..9ca81b095adb 100644
--- a/drivers/gpu/drm/i915/i915_buddy.c
+++ b/drivers/gpu/drm/i915/i915_buddy.c
@@ -293,8 +293,10 @@  i915_buddy_alloc(struct i915_buddy_mm *mm, unsigned int order)
 	return block;
 
 out_free:
-	if (i != order)
+	if (i != order) {
+		list_del(&block->link);
 		__i915_buddy_free(mm, block);
+	}
 	return ERR_PTR(err);
 }
 
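Review bot: The new list_del(&block->link) under out_free in i915_buddy_alloc() is guarded only by "if (i != order)", so it is only safe if block is linked on a free list whenever that condition holds, and nothing in the hunk shows that. The second hunk makes the equivalent state explicit by checking i915_buddy_block_is_free(block) before unlinking. Consider a short comment above the list_del saying that a failed split leaves block and its buddy on the free list, or a debug assertion on i915_buddy_block_is_free(block) before the list_del, so that a later change to the split loop cannot turn this into a list_del on an unlinked node.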
@@ -401,8 +403,10 @@  int i915_buddy_alloc_range(struct i915_buddy_mm *mm,
 	buddy = get_buddy(block);
 	if (buddy &&
 	    (i915_buddy_block_is_free(block) &&
-	     i915_buddy_block_is_free(buddy)))
+	     i915_buddy_block_is_free(buddy))) {
+		list_del(&block->link);
 		__i915_buddy_free(mm, block);
+	}
 
 err_free:
 	i915_buddy_free_list(mm, &allocated);
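Review bot: The pair "list_del(&block->link); __i915_buddy_free(mm, block);" added before err_free in i915_buddy_alloc_range() is now duplicated verbatim from the out_free path in i915_buddy_alloc(), and the ordering (unlink first, then free) is what prevents the use-after-free named in the subject. Consider a small static helper for this unwind step, with a one-line comment stating that the block must be removed from its free list before __i915_buddy_free() may release it, so that any future error path gets both calls together. The free-list check here also tests buddy, while only block is unlinked by the new line; a comment noting where buddy's link is removed would make the asymmetry easier to review.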