From: Matthew Auld
Date: Tue, 27 Apr 2021 10:42:03 +0100
Subject: Re: [PATCH] drm/i9i5/gt: Fix a double free in gen8_preallocate_top_level_pdp
To: Lv Yunlong
Cc: Jani Nikula, Joonas Lahtinen, Rodrigo Vivi, David Airlie, Daniel Vetter, Chris Wilson, Intel Graphics Development, kernel list, ML dri-devel
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, 26 Apr 2021 at 13:44, Lv Yunlong wrote:
>
> Our code analyzer reported a double free bug.
>
> In gen8_preallocate_top_level_pdp, pde and pde->pt.base are allocated
> via alloc_pd(vm) with one reference. If pin_pt_dma() failed, pde->pt.base
> is freed by i915_gem_object_put() with a reference dropped. Then free_pd
> calls free_px() defined in intel_ppgtt.c, which calls i915_gem_object_put()
> to put pde->pt.base again.
>
> As pde->pt.base is protected by refcount, so the second put will not free
> pde->pt.base actually. But, maybe it is better to remove the first put?
>
> Fixes: 82adf901138cc ("drm/i915/gt: Shrink i915_page_directory's slab bucket")
> Signed-off-by: Lv Yunlong

Yes, it looks like this fixes a potential use-after-free. Thanks for the patch,
Reviewed-by: Matthew Auld

Pushed to drm-intel-gt-next.
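
An added illustration, not part of the thread and not i915 code: a userspace toy model of the reference counting the commit message describes, comparing the error path with and without the explicit put. The names obj_put, model_alloc_pd, model_free_pd and both prealloc_fail_* functions are hypothetical, and the model assumes, as the message states, that alloc_pd() leaves the object with exactly one reference.

```c
#include <stdio.h>

/* Toy stand-in for the GEM object behind pde->pt.base (hypothetical model). */
struct obj { int refcount; int released; int bad_puts; };
struct pd  { struct obj *base; };

/* Drop one reference; record a put that arrives after the count hit zero. */
static void obj_put(struct obj *o)
{
    if (o->refcount <= 0) { o->bad_puts++; return; }  /* unbalanced put */
    if (--o->refcount == 0)
        o->released++;   /* a real implementation would free the object here */
}

/* Models alloc_pd(): the directory owns exactly one reference (assumption). */
static void model_alloc_pd(struct pd *pd, struct obj *o)
{
    o->refcount = 1; o->released = 0; o->bad_puts = 0;
    pd->base = o;
}

/* Models free_pd() -> free_px(): releases the directory's reference. */
static void model_free_pd(struct pd *pd) { obj_put(pd->base); }

/* Error path as described before the patch: explicit put, then free_pd(). */
static int prealloc_fail_before(struct obj *o)
{
    struct pd pd;
    model_alloc_pd(&pd, o);
    /* pin_pt_dma() is assumed to have failed at this point */
    obj_put(pd.base);
    model_free_pd(&pd);
    return o->bad_puts;
}

/* Error path with the first put removed: free_pd() is the only release. */
static int prealloc_fail_after(struct obj *o)
{
    struct pd pd;
    model_alloc_pd(&pd, o);
    model_free_pd(&pd);
    return o->bad_puts;
}

int main(void)
{
    struct obj a, b;
    printf("before: %d unbalanced put(s)\n", prealloc_fail_before(&a));
    printf("after:  %d unbalanced put(s)\n", prealloc_fail_after(&b));
    return 0;
}
```

In the model the object is released exactly once on both paths; only the path with the explicit put issues a second put against an object whose count has already reached zero.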