Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Message-ID: <7f51dbe3dac85f692e01bb5cecdf4454a40b1893.camel@redhat.com>
Subject: Re: [PATCH] drm/nouveau: avoid a use-after-free when BO init fails
From:   Lyude Paul <lyude@redhat.com>
Reply-To: lyude@redhat.com
To:     Jeremy Cline <jcline@redhat.com>, Ben Skeggs <bskeggs@redhat.com>
Cc:     David Airlie <airlied@linux.ie>, nouveau@lists.freedesktop.org,
        linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org,
        Thierry Reding <treding@nvidia.com>
Date:   Fri, 26 Mar 2021 17:41:05 -0400
In-Reply-To: <20201203000220.18238-1-jcline@redhat.com>
References: <20201203000220.18238-1-jcline@redhat.com>
Organization: Red Hat
Content-Type: text/plain; charset="UTF-8"
User-Agent: Evolution 3.38.4 (3.38.4-1.fc33) 
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk

Reviewed-by: Lyude Paul <lyude@redhat.com>

On Wed, 2020-12-02 at 19:02 -0500, Jeremy Cline wrote:
> nouveau_bo_init() is backed by ttm_bo_init() and ferries its return code
> back to the caller. On failures, ttm_bo_init() invokes the provided
> destructor which should de-initialize and free the memory.
> 
> Thus, when nouveau_bo_init() returns an error the gem object has already
> been released and the memory freed by nouveau_bo_del_ttm().
> 
> Fixes: 019cbd4a4feb ("drm/nouveau: Initialize GEM object before TTM object")
> Cc: Thierry Reding <treding@nvidia.com>
> Signed-off-by: Jeremy Cline <jcline@redhat.com>
> ---
>  drivers/gpu/drm/nouveau/nouveau_gem.c | 4 +---
>  1 file changed, 1 insertion(+), 3 deletions(-)
> 
> diff --git a/drivers/gpu/drm/nouveau/nouveau_gem.c
> b/drivers/gpu/drm/nouveau/nouveau_gem.c
> index 787d05eefd9c..d30157cc7169 100644
> --- a/drivers/gpu/drm/nouveau/nouveau_gem.c
> +++ b/drivers/gpu/drm/nouveau/nouveau_gem.c
> @@ -211,10 +211,8 @@ nouveau_gem_new(struct nouveau_cli *cli, u64 size, int
> align, uint32_t domain,
>         }
>  
>         ret = nouveau_bo_init(nvbo, size, align, domain, NULL, NULL);
> -       if (ret) {
> -               nouveau_bo_ref(NULL, &nvbo);
> +       if (ret)
>                 return ret;
> -       }
>  
>         /* we restrict allowed domains on nv50+ to only the types
>          * that were requested at creation time.  not possibly on

-- 
Sincerely,
   Lyude Paul (she/her)
   Software Engineer at Red Hat
   
Note: I deal with a lot of emails and have a lot of bugs on my plate. If you've
asked me a question, are waiting for a review/merge on a patch, etc. and I
haven't responded in a while, please feel free to send me another email to check
on my status. I don't bite!