From: Krzysztof Niemiec <krzysztof.niemiec@intel.com>
Date: Thu, 1 Aug 2024 15:40:48 +0000 (+0200)
Subject: drm/i915/gt: Empty uabi engines list during intel_engines_release()
X-Git-Tag: v6.12-rc1~126^2~19^2~12
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=fceff12e52985e49c464f402e11b2f97bce3cc24;p=thirdparty%2Fkernel%2Flinux.git

drm/i915/gt: Empty uabi engines list during intel_engines_release()

While the uabi_engines_llist is populated in intel_engines_init() during
driver load, the corresponding function intel_engines_release() does not
correctly get rid of it. This can lead to a UAF if, after failed
initialization (for example when gt is set wedged on init), we try to
access the engines.

Suggested-by: Chris Wilson <chris.p.wilson@linux.intel.com>
Signed-off-by: Krzysztof Niemiec <krzysztof.niemiec@intel.com>
Reviewed-by: Andi Shyti <andi.shyti@linux.intel.com>
Signed-off-by: Andi Shyti <andi.shyti@linux.intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20240801154047.115176-2-krzysztof.niemiec@intel.com
---

diff --git a/drivers/gpu/drm/i915/gt/intel_engine_cs.c b/drivers/gpu/drm/i915/gt/intel_engine_cs.c
index 3b740ca250009..4d30a86016f24 100644
--- a/drivers/gpu/drm/i915/gt/intel_engine_cs.c
+++ b/drivers/gpu/drm/i915/gt/intel_engine_cs.c
@@ -693,6 +693,8 @@ void intel_engines_release(struct intel_gt *gt)
 
 		memset(&engine->reset, 0, sizeof(engine->reset));
 	}
+
+	llist_del_all(&gt->i915->uabi_engines_llist);
 }
 
 void intel_engine_free_request_pool(struct intel_engine_cs *engine)