Re: [Intel-gfx] [PATCH] drm/i915/ttm: ensure we release the intel_memory_region
On Thu, 19 Aug 2021 at 08:25, Thomas Hellström wrote: > > On Wed, 2021-08-18 at 18:12 +0100, Matthew Auld wrote: > > If the ttm_bo_init_reserved() call fails ensure we also release the > > region, otherwise we leak the reference, or worse hit some uaf, when > > we > > start using the objects.list. Also remove the make_unshrinkable call > > here, which doesn't do anything. > > > > Signed-off-by: Matthew Auld > > Cc: Thomas Hellström > > --- > > drivers/gpu/drm/i915/gem/i915_gem_ttm.c | 7 +-- > > 1 file changed, 5 insertions(+), 2 deletions(-) > > > > diff --git a/drivers/gpu/drm/i915/gem/i915_gem_ttm.c > > b/drivers/gpu/drm/i915/gem/i915_gem_ttm.c > > index 771eb2963123..2e8cdcd5e4f7 100644 > > --- a/drivers/gpu/drm/i915/gem/i915_gem_ttm.c > > +++ b/drivers/gpu/drm/i915/gem/i915_gem_ttm.c > > @@ -909,7 +909,6 @@ int __i915_gem_ttm_object_init(struct > > intel_memory_region *mem, > > drm_gem_private_object_init(>drm, >base, size); > > i915_gem_object_init(obj, _gem_ttm_obj_ops, _class, > > flags); > > i915_gem_object_init_memory_region(obj, mem); > > - i915_gem_object_make_unshrinkable(obj); > > INIT_RADIX_TREE(>ttm.get_io_page.radix, GFP_KERNEL | > > __GFP_NOWARN); > > mutex_init(>ttm.get_io_page.lock); > > bo_type = (obj->flags & I915_BO_ALLOC_USER) ? > > ttm_bo_type_device : > > @@ -932,7 +931,7 @@ int __i915_gem_ttm_object_init(struct > > intel_memory_region *mem, > >page_size >> PAGE_SHIFT, > >, NULL, NULL, > > i915_ttm_bo_destroy); > > if (ret) > > - return i915_ttm_err_to_gem(ret); > > + goto err_release_mr; > > IIRC when ttm_object_init_reserved fails, it will call ttm_bo_put() > which will eventually end up in i915_ttm_bo_destroy() which will do the > right thing? Ah right, missed that. > > /Thomas > >
Re: [Intel-gfx] [PATCH] drm/i915/ttm: ensure we release the intel_memory_region
On Wed, 2021-08-18 at 18:12 +0100, Matthew Auld wrote: > If the ttm_bo_init_reserved() call fails ensure we also release the > region, otherwise we leak the reference, or worse hit some uaf, when > we > start using the objects.list. Also remove the make_unshrinkable call > here, which doesn't do anything. > > Signed-off-by: Matthew Auld > Cc: Thomas Hellström > --- > drivers/gpu/drm/i915/gem/i915_gem_ttm.c | 7 +-- > 1 file changed, 5 insertions(+), 2 deletions(-) > > diff --git a/drivers/gpu/drm/i915/gem/i915_gem_ttm.c > b/drivers/gpu/drm/i915/gem/i915_gem_ttm.c > index 771eb2963123..2e8cdcd5e4f7 100644 > --- a/drivers/gpu/drm/i915/gem/i915_gem_ttm.c > +++ b/drivers/gpu/drm/i915/gem/i915_gem_ttm.c > @@ -909,7 +909,6 @@ int __i915_gem_ttm_object_init(struct > intel_memory_region *mem, > drm_gem_private_object_init(>drm, >base, size); > i915_gem_object_init(obj, _gem_ttm_obj_ops, _class, > flags); > i915_gem_object_init_memory_region(obj, mem); > - i915_gem_object_make_unshrinkable(obj); > INIT_RADIX_TREE(>ttm.get_io_page.radix, GFP_KERNEL | > __GFP_NOWARN); > mutex_init(>ttm.get_io_page.lock); > bo_type = (obj->flags & I915_BO_ALLOC_USER) ? > ttm_bo_type_device : > @@ -932,7 +931,7 @@ int __i915_gem_ttm_object_init(struct > intel_memory_region *mem, > page_size >> PAGE_SHIFT, > , NULL, NULL, > i915_ttm_bo_destroy); > if (ret) > - return i915_ttm_err_to_gem(ret); > + goto err_release_mr; IIRC when ttm_object_init_reserved fails, it will call ttm_bo_put() which will eventually end up in i915_ttm_bo_destroy() which will do the right thing? /Thomas
[Intel-gfx] [PATCH] drm/i915/ttm: ensure we release the intel_memory_region
If the ttm_bo_init_reserved() call fails ensure we also release the region, otherwise we leak the reference, or worse hit some uaf, when we start using the objects.list. Also remove the make_unshrinkable call here, which doesn't do anything.
Signed-off-by: Matthew Auld
Cc: Thomas Hellström
---
 drivers/gpu/drm/i915/gem/i915_gem_ttm.c | 7 +--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/i915/gem/i915_gem_ttm.c b/drivers/gpu/drm/i915/gem/i915_gem_ttm.c
index 771eb2963123..2e8cdcd5e4f7 100644
--- a/drivers/gpu/drm/i915/gem/i915_gem_ttm.c
+++ b/drivers/gpu/drm/i915/gem/i915_gem_ttm.c
@@ -909,7 +909,6 @@ int __i915_gem_ttm_object_init(struct intel_memory_region *mem,
 drm_gem_private_object_init(>drm, >base, size);
 i915_gem_object_init(obj, _gem_ttm_obj_ops, _class, flags);
 i915_gem_object_init_memory_region(obj, mem);
- i915_gem_object_make_unshrinkable(obj);
 INIT_RADIX_TREE(>ttm.get_io_page.radix, GFP_KERNEL | __GFP_NOWARN);
 mutex_init(>ttm.get_io_page.lock);
 bo_type = (obj->flags & I915_BO_ALLOC_USER) ? ttm_bo_type_device :
@@ -932,7 +931,7 @@ int __i915_gem_ttm_object_init(struct intel_memory_region *mem,
 page_size >> PAGE_SHIFT, , NULL, NULL, i915_ttm_bo_destroy);
 if (ret)
- return i915_ttm_err_to_gem(ret);
+ goto err_release_mr;
 obj->ttm.created = true;
 i915_ttm_adjust_domains_after_move(obj);
@@ -940,6 +939,10 @@ int __i915_gem_ttm_object_init(struct intel_memory_region *mem,
 i915_gem_object_unlock(obj);
 return 0;
+
+err_release_mr:
+ i915_gem_object_release_memory_region(obj);
+ return i915_ttm_err_to_gem(ret);
 }
 static const struct intel_memory_region_ops ttm_system_region_ops = {
-- 2.26.3
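Review bot: The `err_release_mr` label added in the last hunk, reached from the new `goto err_release_mr;` in the second hunk, unwinds only the memory-region step, while the first hunk's context shows two more initialisations on the same object before the failing call: `INIT_RADIX_TREE(...)` and `mutex_init(...)` on `ttm.get_io_page`. If this label is intended as the complete unwind for this error return, it should mirror the init order, for example `mutex_destroy(&obj->ttm.get_io_page.lock);` ahead of the release call (argument reconstructed from the `mutex_init()` line, which the page renders with its prefix missing). Otherwise a debug build can be left with an initialised lock inside an object the caller is about to free. A short comment at the label stating which function owns teardown of `obj` on this path would let a reader audit the object's lifetime without chasing every callee. The function body starts outside these hunks, so what the caller does with `obj` after the error return cannot be confirmed from here.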