Commit 101ba90f authored by Christian König's avatar Christian König Committed by Alex Deucher
Browse files

drm/amdgpu: fix use after free during BO move 



The memory backing old_mem is already freed at that point, move the
check a bit more up.

Signed-off-by: default avatarChristian König <christian.koenig@amd.com>
Fixes: bfa3357e ("drm/ttm: allocate resource object instead of embedding it v2")
Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/1699


Acked-by: default avatarNirmoy Das <nirmoy.das@amd.com>
Reviewed-by: default avatarMichel Dänzer <mdaenzer@redhat.com>
Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
parent ac1509d1

drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c

+9 −9
Original line number Diff line number Diff line
@@ -515,6 +515,15 @@ static int amdgpu_bo_move(struct ttm_buffer_object *bo, bool evict, 
		goto out;

	}



	if (bo->type == ttm_bo_type_device &&

	    new_mem->mem_type == TTM_PL_VRAM &&

	    old_mem->mem_type != TTM_PL_VRAM) {

		/* amdgpu_bo_fault_reserve_notify will re-set this if the CPU

		 * accesses the BO after it's moved.

		 */

		abo->flags &= ~AMDGPU_GEM_CREATE_CPU_ACCESS_REQUIRED;

	}



	if (adev->mman.buffer_funcs_enabled) {

		if (((old_mem->mem_type == TTM_PL_SYSTEM &&

		      new_mem->mem_type == TTM_PL_VRAM) ||
@@ -545,15 +554,6 @@ static int amdgpu_bo_move(struct ttm_buffer_object *bo, bool evict, 
			return r;

	}



	if (bo->type == ttm_bo_type_device &&

	    new_mem->mem_type == TTM_PL_VRAM &&

	    old_mem->mem_type != TTM_PL_VRAM) {

		/* amdgpu_bo_fault_reserve_notify will re-set this if the CPU

		 * accesses the BO after it's moved.

		 */

		abo->flags &= ~AMDGPU_GEM_CREATE_CPU_ACCESS_REQUIRED;

	}



out:

	/* update statistics */

	atomic64_add(bo->base.size, &adev->num_bytes_moved);