Commit ca7c52a
drm/xe/vm: prevent UAF with asid based lookup
The asid is only erased from the xarray when the vm refcount reaches
zero, however this leads to potential UAF since the xe_vm_get() only
works on a vm with refcount != 0. Since the asid is allocated in the vm
create ioctl, rather erase it when closing the vm, prior to dropping the
potential last ref. This should also work when user closes driver fd
without explicit vm destroy.
Fixes: dd08ebf ("drm/xe: Introduce a new DRM driver for Intel GPUs")
Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/1594
Signed-off-by: Matthew Auld <matthew.auld@intel.com>
Cc: Matthew Brost <matthew.brost@intel.com>
Cc: <stable@vger.kernel.org> # v6.8+
Reviewed-by: Matthew Brost <matthew.brost@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20240412113144.259426-4-matthew.auld@intel.com
(cherry picked from commit 83967c5)
Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
1 parent 652ead9 commit ca7c52a
1 file changed
Lines changed: 11 additions & 10 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
1577 | 1577 | | |
1578 | 1578 | | |
1579 | 1579 | | |
| 1580 | + | |
| 1581 | + | |
| 1582 | + | |
| 1583 | + | |
| 1584 | + | |
| 1585 | + | |
| 1586 | + | |
| 1587 | + | |
| 1588 | + | |
| 1589 | + | |
1580 | 1590 | | |
1581 | 1591 | | |
1582 | 1592 | | |
| |||
1592 | 1602 | | |
1593 | 1603 | | |
1594 | 1604 | | |
1595 | | - | |
1596 | 1605 | | |
1597 | 1606 | | |
1598 | 1607 | | |
1599 | 1608 | | |
1600 | 1609 | | |
1601 | 1610 | | |
1602 | | - | |
| 1611 | + | |
1603 | 1612 | | |
1604 | 1613 | | |
1605 | | - | |
1606 | | - | |
1607 | | - | |
1608 | | - | |
1609 | | - | |
1610 | | - | |
1611 | | - | |
1612 | | - | |
1613 | 1614 | | |
1614 | 1615 | | |
1615 | 1616 | | |
| |||
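The erase-ordering problem described in the commit message, as an added single-threaded C model (not the driver's code and not part of this commit): `table` stands in for the asid xarray, and `vm_create`, `vm_close`, `vm_finalize`, `lookup_refcount` and `lookup_in_window` are hypothetical names. It assumes teardown runs some time after the last put, and reports what an id-based lookup finds in that window under the old and the new ordering.

```c
#include <stdio.h>
#include <stdlib.h>
struct vm { int refcount; int id; };
static struct vm *table[8];           /* stands in for the asid -> vm xarray */

static struct vm *vm_create(int id)
{
    struct vm *vm = calloc(1, sizeof(*vm));
    if (!vm) return NULL;
    vm->refcount = 1;
    vm->id = id;
    table[id] = vm;                   /* id is published at create time */
    return vm;
}

/* Close path; erase_first = 1 is the ordering the commit message moves to. */
static void vm_close(struct vm *vm, int erase_first)
{
    if (erase_first)
        table[vm->id] = NULL;         /* unpublish before the last put */
    vm->refcount--;                   /* potential last reference dropped */
}

/* Teardown once refcount is zero, assumed to run later; erase_here = 1 is the old ordering. */
static void vm_finalize(struct vm *vm, int erase_here)
{
    if (erase_here) table[vm->id] = NULL;
    free(vm);
}

/* What an id-based lookup finds: the entry's refcount, or -1 when there is no entry. */
static int lookup_refcount(int id) { return table[id] ? table[id]->refcount : -1; }

/* Create, close, look up in the window before teardown, then tear down. */
static int lookup_in_window(int erase_at_close)
{
    struct vm *vm = vm_create(3);
    if (!vm) return -2;
    vm_close(vm, erase_at_close);
    int seen = lookup_refcount(3);    /* closed, but not yet torn down */
    vm_finalize(vm, !erase_at_close);
    return seen;
}

int main(void)
{
    printf("old: %d, new: %d\n", lookup_in_window(0), lookup_in_window(1));
    return 0;
}
```

A result of 0 means the lookup still found an entry whose refcount had already reached zero, the state in which taking a new reference is not valid; -1 means the lookup missed and the caller can back out.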