| Message ID | 20240801154047.115176-2-krzysztof.niemiec@intel.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | drm/i915/gt: Delete sysfs entries for engines on driver unload | expand |
Hi Krzysztof, On Thu, Aug 01, 2024 at 05:40:48PM +0200, Krzysztof Niemiec wrote: > While the sysfs entries for engines are added in intel_engines_init() > during driver load, the corresponding function intel_engines_release() > does not correctly get rid of them. This can lead to a UAF if, after > failed initialization (for example when gt is set wedged on init), we > try to access the engines. > > Empty the engines llist in intel_engines_release(). > > Suggested-by: Chris Wilson <chris.p.wilson@linux.intel.com> > Signed-off-by: Krzysztof Niemiec <krzysztof.niemiec@intel.com> Reviewed-by: Andi Shyti <andi.shyti@linux.intel.com> Thanks, Andi
On 2024-08-01 at 17:40:48 GMT, Krzysztof Niemiec wrote: > While the sysfs entries for engines are added in intel_engines_init() > during driver load, the corresponding function intel_engines_release() > does not correctly get rid of them. This can lead to a UAF if, after > failed initialization (for example when gt is set wedged on init), we > try to access the engines. > > Empty the engines llist in intel_engines_release(). > > Suggested-by: Chris Wilson <chris.p.wilson@linux.intel.com> > Signed-off-by: Krzysztof Niemiec <krzysztof.niemiec@intel.com> > --- > drivers/gpu/drm/i915/gt/intel_engine_cs.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/drivers/gpu/drm/i915/gt/intel_engine_cs.c b/drivers/gpu/drm/i915/gt/intel_engine_cs.c > index 3b740ca25000..4d30a86016f2 100644 > --- a/drivers/gpu/drm/i915/gt/intel_engine_cs.c > +++ b/drivers/gpu/drm/i915/gt/intel_engine_cs.c > @@ -693,6 +693,8 @@ void intel_engines_release(struct intel_gt *gt) > > memset(&engine->reset, 0, sizeof(engine->reset)); > } > + > + llist_del_all(>->i915->uabi_engines_llist); > } > > void intel_engine_free_request_pool(struct intel_engine_cs *engine) > -- > 2.45.2 > I noticed that the commit message isn't totally correct. Code changes are correct. The message should be replaced with: drm/i915/gt: Empty uabi engines list during intel_engines_release() While the uabi_engines_llist is populated in intel_engines_init() during driver load, the corresponding function intel_engines_release() does not correctly get rid of it. This can lead to a UAF if, after failed initialization (for example when gt is set wedged on init), we try to access the engines. Thanks Krzysztof
On Mon, Aug 05, 2024 at 05:46:06PM +0200, Krzysztof Niemiec wrote: > On 2024-08-01 at 17:40:48 GMT, Krzysztof Niemiec wrote: > > While the sysfs entries for engines are added in intel_engines_init() > > during driver load, the corresponding function intel_engines_release() > > does not correctly get rid of them. This can lead to a UAF if, after > > failed initialization (for example when gt is set wedged on init), we > > try to access the engines. > > > > Empty the engines llist in intel_engines_release(). > > > > Suggested-by: Chris Wilson <chris.p.wilson@linux.intel.com> > > Signed-off-by: Krzysztof Niemiec <krzysztof.niemiec@intel.com> ... > drm/i915/gt: Empty uabi engines list during intel_engines_release() > > While the uabi_engines_llist is populated in intel_engines_init() during > driver load, the corresponding function intel_engines_release() does not > correctly get rid of it. This can lead to a UAF if, after failed > initialization (for example when gt is set wedged on init), we try to > access the engines. Pushed to drm-intel-gt-next with the updated commit. Thanks, Andi
diff --git a/drivers/gpu/drm/i915/gt/intel_engine_cs.c b/drivers/gpu/drm/i915/gt/intel_engine_cs.c index 3b740ca25000..4d30a86016f2 100644 --- a/drivers/gpu/drm/i915/gt/intel_engine_cs.c +++ b/drivers/gpu/drm/i915/gt/intel_engine_cs.c @@ -693,6 +693,8 @@ void intel_engines_release(struct intel_gt *gt) memset(&engine->reset, 0, sizeof(engine->reset)); } + + llist_del_all(>->i915->uabi_engines_llist); } void intel_engine_free_request_pool(struct intel_engine_cs *engine)
While the sysfs entries for engines are added in intel_engines_init() during driver load, the corresponding function intel_engines_release() does not correctly get rid of them. This can lead to a UAF if, after failed initialization (for example when gt is set wedged on init), we try to access the engines. Empty the engines llist in intel_engines_release(). Suggested-by: Chris Wilson <chris.p.wilson@linux.intel.com> Signed-off-by: Krzysztof Niemiec <krzysztof.niemiec@intel.com> --- drivers/gpu/drm/i915/gt/intel_engine_cs.c | 2 ++ 1 file changed, 2 insertions(+)