From: "Ville Syrjälä" <ville.syrjala@linux.intel.com>
To: Rodrigo Vivi <rodrigo.vivi@intel.com>
Cc: Alexandr Sapozhnkiov <alsp705@gmail.com>,
Jani Nikula <jani.nikula@linux.intel.com>,
Joonas Lahtinen <joonas.lahtinen@linux.intel.com>,
Tvrtko Ursulin <tursulin@ursulin.net>,
David Airlie <airlied@gmail.com>, Daniel Vetter <daniel@ffwll.ch>,
intel-gfx@lists.freedesktop.org, dri-devel@lists.freedesktop.org,
linux-kernel@vger.kernel.org, linux-media@vger.kernel.org,
lvc-project@linuxtesting.org
Subject: Re: [PATCH 5.10] gpu/i915: fix error return in mmap_offset_attach()
Date: Thu, 2 Oct 2025 19:59:54 +0300
Message-ID: <aN6vivjT61-MXVlt@intel.com>
In-Reply-To: <aN6YVtnJ3Guh43n5@intel.com>

On Thu, Oct 02, 2025 at 06:20:54PM +0300, Ville Syrjälä wrote:
> On Thu, Oct 02, 2025 at 09:55:58AM -0400, Rodrigo Vivi wrote:
> > On Thu, Oct 02, 2025 at 11:48:26AM +0300, Alexandr Sapozhnkiov wrote:
> > > From: Alexandr Sapozhnikov <alsp705@gmail.com>
> >
> > About the subject, this is not just a 5.10 kernel issue.
> > This code is the current code in our tip.
> > So this needs to target drm-tip branch, and then Cc stable
> > and perhaps a Fixes: tag.
> >
> > >
> > > In the drm_vma_node_allow function, kmalloc may
> > > return NULL, in which case the file element will not be
> > > added to the mmo->vma_node list. It would be good to
> > > not ignore this event, but at least log an error message.
> > >
> > > Found by Linux Verification Center (linuxtesting.org) with SVACE.
> > >
> > > Signed-off-by: Alexandr Sapozhnikov <alsp705@gmail.com>
> > > ---
> > > drivers/gpu/drm/i915/gem/i915_gem_mman.c | 7 +++++--
> > > 1 file changed, 5 insertions(+), 2 deletions(-)
> > >
> > > diff --git a/drivers/gpu/drm/i915/gem/i915_gem_mman.c b/drivers/gpu/drm/i915/gem/i915_gem_mman.c
> > > index a2195e28b625..adaef8f09d59 100644
> > > --- a/drivers/gpu/drm/i915/gem/i915_gem_mman.c
> > > +++ b/drivers/gpu/drm/i915/gem/i915_gem_mman.c
> > > @@ -706,8 +706,11 @@ mmap_offset_attach(struct drm_i915_gem_object *obj,
> > > mmo = insert_mmo(obj, mmo);
> > > GEM_BUG_ON(lookup_mmo(obj, mmap_type) != mmo);
> > > out:
> > > - if (file)
> > > - drm_vma_node_allow_once(&mmo->vma_node, file);
> > > + if (file) {
> > > + err = drm_vma_node_allow_once(&mmo->vma_node, file);
> > > + if (err)
> >
> > perhaps we also need to drm_vma_offset_remove here?
> > I mean... honest question, doubt here. Is there any further clean-up needed?
>
> Yeah, mmo->vma_node has already been linked to various places here.
> So this will lead to use-after-free in short order.
>
> With the current code if this fails then I think all that ends up
> happening is that subsequent mmap() will fail. Maybe that's just
> fine?

Hmm, or maybe it would be better to just directly return an error
here without freeing/cleaning up anything. Looks to me like that
should work fine as well, and userspace would get the error
immediately instead of later.

>
> >
> > > + goto err;
> > > + }
> > > return mmo;
> > >
> > > err:
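
Review bot: the new goto err under out: is taken after insert_mmo(obj, mmo) has already linked mmo into the object (the GEM_BUG_ON(lookup_mmo(obj, mmap_type) != mmo) line just above confirms it is findable), so the err: path must not free it as it stands. The body of err: is outside this hunk; if it frees mmo, this branch frees memory that is still reachable, which is the use-after-free raised in the replies. Either unlink mmo before jumping, or skip the label and return ERR_PTR(err) straight from the new branch. Separately, the commit message asks to "at least log an error message" but no log call is added, and it names drm_vma_node_allow while the call being changed is drm_vma_node_allow_once.
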
> > > --
> > > 2.43.0
> > >
>
> --
> Ville Syrjälä
> Intel
--
Ville Syrjälä
Intel