Received: by 2002:a5d:9c59:0:0:0:0:0 with SMTP id 25csp1801874iof; Tue, 7 Jun 2022 11:34:21 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyOZL7tn+1rQdVMSCLk1CuwCrR7zOZ3H3X3yaNe98G7xfD9yw5eMvJ+VsjxLmX4kgvjdVa6 X-Received: by 2002:a17:902:cf0c:b0:15b:63a4:9f47 with SMTP id i12-20020a170902cf0c00b0015b63a49f47mr30295422plg.1.1654626861713; Tue, 07 Jun 2022 11:34:21 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1654626861; cv=none; d=google.com; s=arc-20160816; b=TCxk33FdB2dCJ/kbS+w1hzV5oJrzrGSIHs4ix9rPqZAkbejTSuEmw4YHRrwLgX9i1p s81fHarUn3h24qNab/G+EWo7XCN0mTKUPI6Vmm6sLdN0nDX4OgcWiMoeyHumCNTxgGLI 6QuryQTi4/9AZBQQt1UdBC/pzBq14FMXkqBZTpIH7aWJ9clgpeTk+reT5tFN6VjFA7zI IyuvUvmCNlms29LvCG+JrSc9nksXMUN5l1Up5TFe7395bcWsmQvc6kYWr7414j9Ms2Gn N7pgEzcnif1+VHsYC6weVabd57Da8RMnK0zmghczmMsUqey23QUN9f2EIM11ad0Kz+mx 6JoQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:message-id:date:subject:to:from; bh=y24pcVsrnj9ONZleOYay3FP26HNdEKhh/Jhi5flqaTc=; b=bSWoGFrtOPfjAxvkbxC9lOrt/6C4HQ+P9CMe7QYEUPOSf58K8oobj620sGCquCfmIm kgmc8Js+lL8Epua5E/RRDy97fTkwzWMitC6WTPdtjxETQiCbo2c/IZOmLCjhJ5WGcTLR JYz+s7j2I5cHtFRwqSEnEylLk86R4Q3WH6XlIZRaNUG8SxZzJqv/+lLowAQzGO7iLG34 7vyNVR305Vp38zDCb7Ejz7Ye/4y8H+TnroSm17DA3enXfFYZmO6dXq68pFYZ7AOqlyhs MGu0u2iPSLm5IEkrnprasNe1dK2T2wTDVzd3WBIVZ453EIxnNb5bHR77fESk+CH4VwGy exUw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ruc.edu.cn Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id i10-20020a170902e48a00b00153bc4c8388si22553433ple.499.2022.06.07.11.34.07; Tue, 07 Jun 2022 11:34:21 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ruc.edu.cn Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1343970AbiFGPTp (ORCPT + 99 others); Tue, 7 Jun 2022 11:19:45 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53784 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231551AbiFGPTo (ORCPT ); Tue, 7 Jun 2022 11:19:44 -0400 Received: from smtp.ruc.edu.cn (m177126.mail.qiye.163.com [123.58.177.126]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4745B205EA for ; Tue, 7 Jun 2022 08:19:43 -0700 (PDT) Received: from localhost.localdomain (unknown [202.112.113.212]) by smtp.ruc.edu.cn (Hmail) with ESMTPSA id 79D2D80053; Tue, 7 Jun 2022 23:19:39 +0800 (CST) From: Xiaohui Zhang To: Xiaohui Zhang , Alex Deucher , christian.koenig@amd.com, Xinhui.Pan@amd.com, David Airlie , Daniel Vetter , amd-gfx@lists.freedesktop.org, dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org Subject: [PATCH 1/1] drm/radeon: Initialize fences array entries in radeon_sa_bo_next_hole Date: Tue, 7 Jun 2022 23:19:33 +0800 Message-Id: <20220607151933.32850-1-xiaohuizhang@ruc.edu.cn> X-Mailer: git-send-email 2.17.1 X-HM-Spam-Status: e1kfGhgUHx5ZQUtXWQgPGg8OCBgUHx5ZQUlOS1dZCBgUCR5ZQVlLVUtZV1 kWDxoPAgseWUFZKDYvK1lXWShZQUhPN1dZLVlBSVdZDwkaFQgSH1lBWRoZGB5WSkpPGU4fSR5IGk MaVRMBExYaEhckFA4PWVdZFhoPEhUdFFlBWU9LSFVKSktITUpVS1kG X-HM-Sender-Digest: e1kMHhlZQR0aFwgeV1kSHx4VD1lBWUc6MhA6Nio4Qj01ORcoSjAzDTQa PRgaCg9VSlVKTU5PTUpOSkNLSk5JVTMWGhIXVQMSGhQTDhIBExoVHDsJDhhVHh8OVRgVRVlXWRIL WUFZSUtJVUpKSVVKSkhVSUpJWVdZCAFZQUlOTEs3Bg++ X-HM-Tid: 0a813ec0021e2c20kusn79d2d80053 X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Similar to the handling of amdgpu_sa_bo_next_hole in commit 6a15f3ff19a8 ("drm/amdgpu: Initialize fences array entries in amdgpu_sa_bo_next_hole"), we thought a patch might be needed here as well. The entries were only initialized once in radeon_sa_bo_new. If a fence wasn't signalled yet in the first radeon_sa_bo_next_hole call, but then got signalled before a later radeon_sa_bo_next_hole call, it could destroy the fence but leave its pointer in the array, resulting in use-after-free in radeon_sa_bo_new. Signed-off-by: Xiaohui Zhang --- drivers/gpu/drm/radeon/radeon_sa.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/gpu/drm/radeon/radeon_sa.c b/drivers/gpu/drm/radeon/radeon_sa.c index 310c322c7112..0981948bd9ed 100644 --- a/drivers/gpu/drm/radeon/radeon_sa.c +++ b/drivers/gpu/drm/radeon/radeon_sa.c @@ -267,6 +267,8 @@ static bool radeon_sa_bo_next_hole(struct radeon_sa_manager *sa_manager, for (i = 0; i < RADEON_NUM_RINGS; ++i) { struct radeon_sa_bo *sa_bo; + fences[i] = NULL; + if (list_empty(&sa_manager->flist[i])) { continue; } @@ -332,10 +334,8 @@ int radeon_sa_bo_new(struct radeon_device *rdev, spin_lock(&sa_manager->wq.lock); do { - for (i = 0; i < RADEON_NUM_RINGS; ++i) { - fences[i] = NULL; + for (i = 0; i < RADEON_NUM_RINGS; ++i) tries[i] = 0; - } do { radeon_sa_bo_try_free(sa_manager); -- 2.17.1