drm/i915/gt: Empty uabi engines list during intel_engines_release()

k-niemiec · Andi Shyti · commit fceff12e5298 · 2024-08-05T23:10:46.000+01:00
While the uabi_engines_llist is populated in intel_engines_init() during driver load, the corresponding function intel_engines_release() does not correctly get rid of it. This can lead to a UAF if, after failed initialization (for example when gt is set wedged on init), we try to access the engines. Suggested-by: Chris Wilson <chris.p.wilson@linux.intel.com> Signed-off-by: Krzysztof Niemiec <krzysztof.niemiec@intel.com> Reviewed-by: Andi Shyti <andi.shyti@linux.intel.com> Signed-off-by: Andi Shyti <andi.shyti@linux.intel.com> Link: https://patchwork.freedesktop.org/patch/msgid/20240801154047.115176-2-krzysztof.niemiec@intel.com
diff --git a/drivers/gpu/drm/i915/gt/intel_engine_cs.c b/drivers/gpu/drm/i915/gt/intel_engine_cs.c
@@ -693,6 +693,8 @@ void intel_engines_release(struct intel_gt *gt)
 
 		memset(&engine->reset, 0, sizeof(engine->reset));
 	}
+
+	llist_del_all(&gt->i915->uabi_engines_llist);
 }
 
 void intel_engine_free_request_pool(struct intel_engine_cs *engine)

Original file line number	Diff line number	Diff line change
`@@ -693,6 +693,8 @@ void intel_engines_release(struct intel_gt *gt)`
`693`	`693`
`694`	`694`	`memset(&engine->reset, 0, sizeof(engine->reset));`
`695`	`695`	`}`
	`696`	`+`
	`697`	`+ llist_del_all(&gt->i915->uabi_engines_llist);`
`696`	`698`	`}`
`697`	`699`
`698`	`700`	`void intel_engine_free_request_pool(struct intel_engine_cs *engine)`