[PATCH v3] drm/i915/gem: Fix relocation race and simplify VMA lookup

Yassine Mounir posted 1 patch 2 months, 1 week ago
There is a newer version of this series
drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Pin the object lifetime in eb_relocate_vma() using i915_gem_object_get()
and i915_gem_object_put() to prevent a Use-After-Free (UAF) if the
handle is closed concurrently during relocation.

Additionally, simplify eb_lookup_vma() by removing the redundant
vma->vm == vm check. As noted by Joonas, this check is unnecessary since
commit d4433c7600f7. Removing it also avoids the "insane" logic of
returning a VMA without a reference, satisfying the sanity requirements
requested by Linus.

Fixes: d4433c7600f7 ("drm/i915: Multi-vm support")
Suggested-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Suggested-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>

Signed-off-by: Yassine Mounir <sosohero200@gmail.com>
---
 drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c
index 942f4eed8..65ce54b20 100644
--- a/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c
+++ b/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c
@@ -896,7 +896,7 @@ static struct i915_vma *eb_lookup_vma(struct i915_execbuffer *eb, u32 handle)
 
 		rcu_read_lock();
 		vma = radix_tree_lookup(&eb->gem_context->handles_vma, handle);
-		if (likely(vma && vma->vm == vm))
+		if (likely(vma))
 			vma = i915_vma_tryget(vma);
 		else
 			vma = NULL;
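Review bot: The change at `if (likely(vma))` is the only one in this patch (1 insertion, 1 deletion in eb_lookup_vma()), so the i915_gem_object_get()/i915_gem_object_put() pinning in eb_relocate_vma() that the commit message and subject describe is missing. Either add that hunk or drop the relocation-race claim from the subject and message, so the Fixes: tag and any stable backport match what is actually applied. With the `vma->vm == vm` comparison gone, a handle found in handles_vma is now accepted without any check in this path. Please state in the message why every entry in eb->gem_context->handles_vma is guaranteed to belong to the context's VM, and consider keeping the invariant visible with a debug assertion rather than removing it silently. In the lines shown, the else branch already sets `vma = NULL` and the other branch goes through i915_vma_tryget(), so the message should say which path returned a VMA without a reference. Also check whether the local `vm` is still used in this block after the change, and remove it if not, to avoid an unused-variable warning.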
-- 
2.51.0