

matt-auldlucasdemarchi
authored andcommitted
drm/xe/vm: prevent UAF with asid based lookup
The asid is only erased from the xarray when the vm refcount reaches zero, however this leads to potential UAF since the xe_vm_get() only works on a vm with refcount != 0. Since the asid is allocated in the vm create ioctl, rather erase it when closing the vm, prior to dropping the potential last ref. This should also work when user closes driver fd without explicit vm destroy. Fixes: dd08ebf ("drm/xe: Introduce a new DRM driver for Intel GPUs") Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/1594 Signed-off-by: Matthew Auld <[email protected]> Cc: Matthew Brost <[email protected]> Cc: <[email protected]> # v6.8+ Reviewed-by: Matthew Brost <[email protected]> Link: https://patchwork.freedesktop.org/patch/msgid/[email protected] (cherry picked from commit 83967c5) Signed-off-by: Lucas De Marchi <[email protected]>
1 parent 652ead9 commit ca7c52a


1 file changed

+11
-10
lines changed


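--- a/drivers/gpu/drm/xe/xe_vm.c
+++ b/drivers/gpu/drm/xe/xe_vm.c
@@ -1577,6 +1577,16 @@ void xe_vm_close_and_put(struct xe_vm *vm)
 xe->usm.num_vm_in_fault_mode--;
 else if (!(vm->flags & XE_VM_FLAG_MIGRATION))
 xe->usm.num_vm_in_non_fault_mode--;
+
+if (vm->usm.asid) {
+void *lookup;
+
+xe_assert(xe, xe->info.has_asid);
+xe_assert(xe, !(vm->flags & XE_VM_FLAG_MIGRATION));
+
+lookup = xa_erase(&xe->usm.asid_to_vm, vm->usm.asid);
+xe_assert(xe, lookup == vm);
+}
 mutex_unlock(&xe->usm.lock);
 
 for_each_tile(tile, xe, id)
@@ -1592,24 +1602,15 @@ static void vm_destroy_work_func(struct work_struct *w)
 struct xe_device *xe = vm->xe;
 struct xe_tile *tile;
 u8 id;
-void *lookup;
 
 /* xe_vm_close_and_put was not called? */
 xe_assert(xe, !vm->size);
 
 mutex_destroy(&vm->snap_mutex);
 
-if (!(vm->flags & XE_VM_FLAG_MIGRATION)) {
+if (!(vm->flags & XE_VM_FLAG_MIGRATION))
 xe_device_mem_access_put(xe);
 
-if (xe->info.has_asid && vm->usm.asid) {
-mutex_lock(&xe->usm.lock);
-lookup = xa_erase(&xe->usm.asid_to_vm, vm->usm.asid);
-xe_assert(xe, lookup == vm);
-mutex_unlock(&xe->usm.lock);
-}
-}
-
 for_each_tile(tile, xe, id)
 XE_WARN_ON(vm->pt_root[id]);
 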
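Review bot: Erasing the asid under `xe->usm.lock` before the last reference can drop closes only half of the race; whether it is sufficient depends on the lookup side, which is outside this hunk — a reader that does `xa_load(&xe->usm.asid_to_vm, asid)` and then `xe_vm_get()` without holding `usm.lock` across both can still observe the pointer just before the erase and take a reference after the vm has been freed. Worth confirming that the page-fault lookup path holds `usm.lock` for the load-and-get pair, and a comment at the new block would make that invariant explicit: `/* Erase under usm.lock: asid lookups must hold usm.lock across xa_load + xe_vm_get so they never see a vm whose last ref may be dropping. */`. The new block also treats `vm->usm.asid == 0` as "no asid allocated", which presumably holds only because the allocator never hands out 0 — if that is relied on elsewhere too, a one-line comment saying so would help. Both xe_vm_close_and_put and vm_destroy_work_func begin and end outside the hunks shown.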