From patchwork Fri Apr  2 19:09:01 2021
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Tim Gardner <tim.gardner@canonical.com>
X-Patchwork-Id: 1461862
Return-Path: <kernel-team-bounces@lists.ubuntu.com>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: ozlabs.org;
 spf=none (no SPF record) smtp.mailfrom=lists.ubuntu.com
 (client-ip=91.189.94.19; helo=huckleberry.canonical.com;
 envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=<UNKNOWN>)
Received: from huckleberry.canonical.com (huckleberry.canonical.com
 [91.189.94.19])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id 4FBqNZ5lxMz9sRf;
	Sat,  3 Apr 2021 06:09:18 +1100 (AEDT)
Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com)
	by huckleberry.canonical.com with esmtp (Exim 4.86_2)
	(envelope-from <kernel-team-bounces@lists.ubuntu.com>)
	id 1lSPAR-0001C0-AA; Fri, 02 Apr 2021 19:09:15 +0000
Received: from youngberry.canonical.com ([91.189.89.112])
 by huckleberry.canonical.com with esmtps
 (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2)
 (envelope-from <tim.gardner@canonical.com>) id 1lSPAK-0001B7-SV
 for kernel-team@lists.ubuntu.com; Fri, 02 Apr 2021 19:09:08 +0000
Received: from mail-pg1-f197.google.com ([209.85.215.197])
 by youngberry.canonical.com with esmtps
 (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2)
 (envelope-from <tim.gardner@canonical.com>) id 1lSPAK-0003fN-F2
 for kernel-team@lists.ubuntu.com; Fri, 02 Apr 2021 19:09:08 +0000
Received: by mail-pg1-f197.google.com with SMTP id q19so434827pgk.14
 for <kernel-team@lists.ubuntu.com>; Fri, 02 Apr 2021 12:09:08 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
 :references:mime-version:content-transfer-encoding;
 bh=iaxzaclO9RpzxPz2Rnw7BoM91bqkl2DHOSAOEO7Z9NA=;
 b=h2ou/rB2fCwfuYJFxvXq27546NEKTW9AR6/fg1r5SO6SXH5DYkk9lHaHKqgbISU8Ge
 l97EWeo1JXOvBIphCeHKLbmQfS2mOm6f9Q4pf/eBJTo40eSG/CBO7QbRmFlH8o+paLjV
 AimCBfMztKl5ts/aTOViFYGHu0hOpw1I9/f8BQnP+emaEkDpI3oQGFKfw+EOJG0nT7fJ
 o45+E1dfEhZLDk2ssF8tA7TgVPOJsxFNFtRaYoy6HRNLXEbTaJlDQoHd6lDW5JclOCLu
 a8mOtUwFKMvACsex3oo+C3hfOObTiOqsyLevmfgwS+WhP4tbcYWyXgNhVRy8F5/FENJv
 AjMw==
X-Gm-Message-State: AOAM5334jl3HzEJl3XiQNcEmgBjHDFz4ApCqqARqZ8wvLTPfjX5NPz4O
 b+xivc6SRdfDb826lkuh44Xa5lYajeFa82I0hmmdyVO5pvuRuIxZWP+FRS4gXPDSxsMtiNIZn9s
 gB3KxkHq8jTG5j6LdUMKMNiDAPd8pGucJdmvABhUarg==
X-Received: by 2002:a63:5562:: with SMTP id f34mr7099192pgm.391.1617390546660;
 Fri, 02 Apr 2021 12:09:06 -0700 (PDT)
X-Google-Smtp-Source: 
 ABdhPJz0EhYnyDg0DUghhuhl5HRyffPcpAcf0h3LYAv01e/MmSDWo7HupRehmYuDtA3iNuy2pD8Vug==
X-Received: by 2002:a63:5562:: with SMTP id f34mr7099176pgm.391.1617390546387;
 Fri, 02 Apr 2021 12:09:06 -0700 (PDT)
Received: from localhost.localdomain ([69.163.84.166])
 by smtp.gmail.com with ESMTPSA id r23sm8998032pje.38.2021.04.02.12.09.05
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Fri, 02 Apr 2021 12:09:05 -0700 (PDT)
From: Tim Gardner <tim.gardner@canonical.com>
To: kernel-team@lists.ubuntu.com
Subject: [PATCH] drm/ttm/nouveau: don't call tt destroy callback on alloc
 failure.
Date: Fri,  2 Apr 2021 13:09:01 -0600
Message-Id: <20210402190901.12033-2-tim.gardner@canonical.com>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20210402190901.12033-1-tim.gardner@canonical.com>
References: <20210402190901.12033-1-tim.gardner@canonical.com>
MIME-Version: 1.0
X-BeenThere: kernel-team@lists.ubuntu.com
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Kernel team discussions <kernel-team.lists.ubuntu.com>
List-Unsubscribe: <https://lists.ubuntu.com/mailman/options/kernel-team>,
 <mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>
List-Archive: <https://lists.ubuntu.com/archives/kernel-team>
List-Post: <mailto:kernel-team@lists.ubuntu.com>
List-Help: <mailto:kernel-team-request@lists.ubuntu.com?subject=help>
List-Subscribe: <https://lists.ubuntu.com/mailman/listinfo/kernel-team>,
 <mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: "kernel-team" <kernel-team-bounces@lists.ubuntu.com>

From: Dave Airlie <airlied@redhat.com>

CVE-2021-20292

This is confusing, and from my reading of all the drivers only
nouveau got this right.

Just make the API act under driver control of it's own allocation
failing, and don't call destroy, if the page table fails to
create there is nothing to cleanup here.

(I'm willing to believe I've missed something here, so please
review deeply).

Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20200728041736.20689-1-airlied@gmail.com
(backported from commit 5de5b6ecf97a021f29403aa272cb4e03318ef586)
[rtg - ttm_sg_tt_init() was not introduced unilt commit 75a57669cbc881032c60615a31bfc6bfab4c813c
 ("drm/ttm: add ttm_sg_tt_init") (v4.17)]
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
---
 drivers/gpu/drm/nouveau/nouveau_sgdma.c | 9 +++------
 drivers/gpu/drm/ttm/ttm_tt.c            | 2 --
 2 files changed, 3 insertions(+), 8 deletions(-)

diff --git a/drivers/gpu/drm/nouveau/nouveau_sgdma.c b/drivers/gpu/drm/nouveau/nouveau_sgdma.c
index 11f6ca89769b4..3a397d78c8acd 100644
--- a/drivers/gpu/drm/nouveau/nouveau_sgdma.c
+++ b/drivers/gpu/drm/nouveau/nouveau_sgdma.c
@@ -98,12 +98,9 @@ nouveau_sgdma_create_ttm(struct ttm_bo_device *bdev,
 	else
 		nvbe->ttm.ttm.func = &nv50_sgdma_backend;
 
-	if (ttm_dma_tt_init(&nvbe->ttm, bdev, size, page_flags, dummy_read_page))
-		/*
-		 * A failing ttm_dma_tt_init() will call ttm_tt_destroy()
-		 * and thus our nouveau_sgdma_destroy() hook, so we don't need
-		 * to free nvbe here.
-		 */
+	if (ttm_dma_tt_init(&nvbe->ttm, bdev, size, page_flags, dummy_read_page)) {
+		kfree(nvbe);
 		return NULL;
+	}
 	return &nvbe->ttm.ttm;
 }
diff --git a/drivers/gpu/drm/ttm/ttm_tt.c b/drivers/gpu/drm/ttm/ttm_tt.c
index 8ebc8d3560c36..fc8bdcc1541b6 100644
--- a/drivers/gpu/drm/ttm/ttm_tt.c
+++ b/drivers/gpu/drm/ttm/ttm_tt.c
@@ -199,7 +199,6 @@ int ttm_tt_init(struct ttm_tt *ttm, struct ttm_bo_device *bdev,
 
 	ttm_tt_alloc_page_directory(ttm);
 	if (!ttm->pages) {
-		ttm_tt_destroy(ttm);
 		pr_err("Failed allocating page table\n");
 		return -ENOMEM;
 	}
@@ -232,7 +231,6 @@ int ttm_dma_tt_init(struct ttm_dma_tt *ttm_dma, struct ttm_bo_device *bdev,
 	INIT_LIST_HEAD(&ttm_dma->pages_list);
 	ttm_dma_tt_alloc_page_directory(ttm_dma);
 	if (!ttm->pages) {
-		ttm_tt_destroy(ttm);
 		pr_err("Failed allocating page table\n");
 		return -ENOMEM;
 	}