From: Karol Herbst Date: Tue, 28 Sep 2021 13:06:53 +0200 Message-ID: Subject: Re: [PATCH] drm/nouveau: avoid a use-after-free when BO init fails To: Lyude Paul Cc: Jeremy Cline , Ben Skeggs , David Airlie , nouveau , Thierry Reding , LKML , dri-devel Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Reviewed-by: Karol Herbst and queued On Fri, Mar 26, 2021 at 10:41 PM Lyude Paul wrote: > > Reviewed-by: Lyude Paul > > On Wed, 2020-12-02 at 19:02 -0500, Jeremy Cline wrote: > > nouveau_bo_init() is backed by ttm_bo_init() and ferries its return code > > back to the caller. On failures, ttm_bo_init() invokes the provided > > destructor which should de-initialize and free the memory. > > > > Thus, when nouveau_bo_init() returns an error the gem object has already > > been released and the memory freed by nouveau_bo_del_ttm(). > > > > Fixes: 019cbd4a4feb ("drm/nouveau: Initialize GEM object before TTM object") > > Cc: Thierry Reding > > Signed-off-by: Jeremy Cline > > --- > > drivers/gpu/drm/nouveau/nouveau_gem.c | 4 +--- > > 1 file changed, 1 insertion(+), 3 deletions(-) > > > > diff --git a/drivers/gpu/drm/nouveau/nouveau_gem.c > > b/drivers/gpu/drm/nouveau/nouveau_gem.c > > index 787d05eefd9c..d30157cc7169 100644 > > --- a/drivers/gpu/drm/nouveau/nouveau_gem.c > > +++ b/drivers/gpu/drm/nouveau/nouveau_gem.c 
> > @@ -211,10 +211,8 @@ nouveau_gem_new(struct nouveau_cli *cli, u64 size, int > > align, uint32_t domain, > > } > > > > ret = nouveau_bo_init(nvbo, size, align, domain, NULL, NULL); > > - if (ret) { > > - nouveau_bo_ref(NULL, &nvbo); > > + if (ret) > > return ret; > > - } > > > > /* we restrict allowed domains on nv50+ to only the types > > * that were requested at creation time. not possibly on > > -- > Sincerely, > Lyude Paul (she/her) > Software Engineer at Red Hat > > Note: I deal with a lot of emails and have a lot of bugs on my plate. If you've > asked me a question, are waiting for a review/merge on a patch, etc. and I > haven't responded in a while, please feel free to send me another email to check > on my status. I don't bite! > > _______________________________________________ > dri-devel mailing list > dri-devel@lists.freedesktop.org > https://lists.freedesktop.org/mailman/listinfo/dri-devel
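Review bot: the `if (ret) return ret;` path after nouveau_bo_init() in nouveau_gem_new() now relies on an ownership rule that is stated only in the commit message: on failure ttm_bo_init() has already invoked the destructor, so nvbo has been freed by nouveau_bo_del_ttm() and is a dangling pointer at that point. A short comment above the check saying so would keep a later cleanup pass from reintroducing the `nouveau_bo_ref(NULL, &nvbo);` call that this patch removes. The early return itself is fine since nothing in the visible lines touches nvbo between the failed call and the return.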