Message ID | 20190808103236.GB30506@mwanda (mailing list archive) |
---|---|
State | New, archived |
Series | drm/i915: Use after free in error path in intel_vgpu_create_workload() |

Quoting Dan Carpenter (2019-08-08 11:32:36)
> We can't free "workload" until after the printk or it's a use after
> free.
>
> Fixes: 2089a76ade90 ("drm/i915/gvt: Checking workload's gma earlier")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

That's the simpler patch,
Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
-Chris

On 2019.08.08 11:44:21 +0100, Chris Wilson wrote:
> Quoting Dan Carpenter (2019-08-08 11:32:36)
> > We can't free "workload" until after the printk or it's a use after
> > free.
> >
> > Fixes: 2089a76ade90 ("drm/i915/gvt: Checking workload's gma earlier")
> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
>
> That's the simpler patch,
> Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>

Thanks a lot, will queue this up.

diff --git a/drivers/gpu/drm/i915/gvt/scheduler.c b/drivers/gpu/drm/i915/gvt/scheduler.c index 32ae6b5b7e16..ac1dbb176874 100644 --- a/drivers/gpu/drm/i915/gvt/scheduler.c +++ b/drivers/gpu/drm/i915/gvt/scheduler.c @@ -1525,9 +1525,9 @@ intel_vgpu_create_workload(struct intel_vgpu *vgpu, int ring_id, if (!intel_gvt_ggtt_validate_range(vgpu, workload->wa_ctx.indirect_ctx.guest_gma, workload->wa_ctx.indirect_ctx.size)) { - kmem_cache_free(s->workloads, workload); gvt_vgpu_err("invalid wa_ctx at: 0x%lx\n", workload->wa_ctx.indirect_ctx.guest_gma); + kmem_cache_free(s->workloads, workload); return ERR_PTR(-EINVAL); } } @@ -1539,9 +1539,9 @@ intel_vgpu_create_workload(struct intel_vgpu *vgpu, int ring_id, if (!intel_gvt_ggtt_validate_range(vgpu, workload->wa_ctx.per_ctx.guest_gma, CACHELINE_BYTES)) { - kmem_cache_free(s->workloads, workload); gvt_vgpu_err("invalid per_ctx at: 0x%lx\n", workload->wa_ctx.per_ctx.guest_gma); + kmem_cache_free(s->workloads, workload); return ERR_PTR(-EINVAL); } }
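
Review bot: In the first hunk (the indirect_ctx check at -1525), the cleanup pair `kmem_cache_free(s->workloads, workload);` and `return ERR_PTR(-EINVAL);` is repeated verbatim in the per_ctx branch of the second hunk, and the same free-before-log ordering mistake was present in both copies. Consider routing both failures through one error label that frees workload and returns -EINVAL, so that the log call can no longer end up after the free and any validation check added here later inherits the correct order.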
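
Review bot: In the second hunk (the per_ctx check at -1539), the argument passed to gvt_vgpu_err, `workload->wa_ctx.per_ctx.guest_gma`, is read from the object that the following line frees, so statement order is the only thing keeping this path safe and nothing in the code says so. A short comment above the `kmem_cache_free()` call, or copying guest_gma into a local before the validation and logging the local, would make the dependency explicit. The commit message also says "printk" while the code calls gvt_vgpu_err; naming the macro would make the fix easier to match against the source.
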
We can't free "workload" until after the printk or it's a use after
free.

Fixes: 2089a76ade90 ("drm/i915/gvt: Checking workload's gma earlier")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
 drivers/gpu/drm/i915/gvt/scheduler.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)