| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20251110084854.750219-1-zilin@seu.edu.cn>
Date: Mon, 10 Nov 2025 08:48:54 +0000
From: Zilin Guan <zilin@....edu.cn>
To: jani.nikula@...ux.intel.com
Cc: joonas.lahtinen@...ux.intel.com,
rodrigo.vivi@...el.com,
tursulin@...ulin.net,
airlied@...il.com,
simona@...ll.ch,
andi.shyti@...ux.intel.com,
mikolaj.wasiak@...el.com,
krzysztof.karas@...el.com,
nitin.r.gote@...el.com,
intel-gfx@...ts.freedesktop.org,
dri-devel@...ts.freedesktop.org,
linux-kernel@...r.kernel.org,
jianhao.xu@....edu.cn,
Zilin Guan <zilin@....edu.cn>
Subject: [PATCH] drm/i915: Fix improper freeing of GTT resources
In the error paths of reserve_gtt_with_resource() and
insert_gtt_with_resource(), a vma_res object allocated via
i915_vma_resource_alloc() was incorrectly released using kfree().
Since i915_vma_resource_alloc() allocates objects from a dedicated
kmem_cache, using kfree() instead of the corresponding
i915_vma_resource_free() causes a mismatch between allocation and
deallocation routines, potentially leading to memory corruption.
Fix this by calling i915_vma_resource_free() to properly release the
vma_res object in both functions.
Fixes: e1a4bbb6e837d ("drm/i915: Initial introduction of vma resources")
Signed-off-by: Zilin Guan <zilin@....edu.cn>
---
drivers/gpu/drm/i915/selftests/i915_gem_gtt.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/i915/selftests/i915_gem_gtt.c b/drivers/gpu/drm/i915/selftests/i915_gem_gtt.c
index 7ab4c4e60264..16e72ef57bed 100644
--- a/drivers/gpu/drm/i915/selftests/i915_gem_gtt.c
+++ b/drivers/gpu/drm/i915/selftests/i915_gem_gtt.c
@@ -1524,7 +1524,7 @@ static int reserve_gtt_with_resource(struct i915_vma *vma, u64 offset)
i915_vma_resource_init_from_vma(vma_res, vma);
vma->resource = vma_res;
} else {
- kfree(vma_res);
+ i915_vma_resource_free(vma_res);
}
mutex_unlock(&vm->mutex);
@@ -1704,7 +1704,7 @@ static int insert_gtt_with_resource(struct i915_vma *vma)
i915_vma_resource_init_from_vma(vma_res, vma);
vma->resource = vma_res;
} else {
- kfree(vma_res);
+ i915_vma_resource_free(vma_res);
}
mutex_unlock(&vm->mutex);
--
2.34.1
Powered by blists - more mailing lists