On Thu, Oct 02, 2025 at 06:20:54PM +0300, Ville Syrjälä wrote:
> On Thu, Oct 02, 2025 at 09:55:58AM -0400, Rodrigo Vivi wrote:
> > On Thu, Oct 02, 2025 at 11:48:26AM +0300, Alexandr Sapozhnikov wrote:
> > > From: Alexandr Sapozhnikov <[email protected]>
> > 
> > About the subject, this is not just a 5.10 kernel issue.
> > This code is the current code in our tip.
> > So this needs to target drm-tip branch, and then Cc stable
> > and perhaps a Fixes: tag.
> > 
> > > 
> > > In the drm_vma_node_allow function, kmalloc may
> > > return NULL, in which case the file element will not be
> > > added to the mmo->vma_node list. It would be good to
> > > not ignore this event, but at least log an error message.
> > > 
> > > Found by Linux Verification Center (linuxtesting.org) with SVACE.
> > > 
> > > Signed-off-by: Alexandr Sapozhnikov <[email protected]>
> > > ---
> > >  drivers/gpu/drm/i915/gem/i915_gem_mman.c | 7 +++++--
> > >  1 file changed, 5 insertions(+), 2 deletions(-)
> > > 
> > > diff --git a/drivers/gpu/drm/i915/gem/i915_gem_mman.c
> > > b/drivers/gpu/drm/i915/gem/i915_gem_mman.c
> > > index a2195e28b625..adaef8f09d59 100644
> > > --- a/drivers/gpu/drm/i915/gem/i915_gem_mman.c
> > > +++ b/drivers/gpu/drm/i915/gem/i915_gem_mman.c
> > > @@ -706,8 +706,11 @@ mmap_offset_attach(struct drm_i915_gem_object *obj,
> > >  	mmo = insert_mmo(obj, mmo);
> > >  	GEM_BUG_ON(lookup_mmo(obj, mmap_type) != mmo);
> > >  out:
> > > -	if (file)
> > > -		drm_vma_node_allow_once(&mmo->vma_node, file);
> > > +	if (file) {
> > > +		err = drm_vma_node_allow_once(&mmo->vma_node, file);
> > > +		if (err)
> > 
> > perhaps we also need to drm_vma_offset_remove here?
> > I mean... honest question, doubt here.
> 
> Yeah, mmo->vma_node has already been linked to various places here.
> So this will lead to use-after-free in short order.
> 
> With the current code if this fails then I think all that ends up
> happening is that subsequent mmap() will fail. Maybe that's just
> fine?

Hmm, or maybe it would be better to just directly return an error here
without freeing/cleaning up anything. Looks to me like that should work
fine as well, and userspace would get the error immediately instead of
later.

> 
> > 
> > > +			goto err;
> > > +	}
> > >  	return mmo;
> > > 
> > >  err:
> > > -- 
> > > 2.43.0
> > 
> 
> -- 
> Ville Syrjälä
> Intel

-- 
Ville Syrjälä
Intel
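Review bot: the new `goto err;` on the `drm_vma_node_allow_once()` failure path is reached after `insert_mmo(obj, mmo)` has already published `mmo` through the object (the `GEM_BUG_ON(lookup_mmo(obj, mmap_type) != mmo)` directly above confirms it is reachable), so any teardown `err:` performs on `mmo` acts on a node other paths can still find; that is the use-after-free Ville points out in the thread. Either fully unlink the node before jumping to `err` (`drm_vma_offset_remove()` as Rodrigo asks, plus undoing the `insert_mmo()`), or take Ville's simpler route and return the error from the `out:` path without freeing anything, e.g. `if (err) return ERR_PTR(err);`, leaving the already-attached offset in place so a later mmap() fails cleanly. Two smaller points: the hunk introduces only an assignment to `err`, so confirm the variable is declared earlier in this function; and the commit message says the failure should "at least log an error message" while the hunk logs nothing, so either add the log or reword the message. Per Rodrigo's comment, the patch should also be rebased on drm-tip and carry `Fixes:` and `Cc: stable` tags rather than being framed as a 5.10 issue.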
