From eeacd86efa53e6328c63b79d1999a7d214972278 Mon Sep 17 00:00:00 2001 From: Chris Wilson Date: Wed, 19 Oct 2016 11:11:41 +0100 Subject: [PATCH] drm/i915/gvt: Remove dangerous unpin of backing storage of bound GPU object Unpinning the pages prior to the object being release from the GPU may allow the GPU to read and write into system pages (i.e. use after free by the hw). Signed-off-by: Chris Wilson Signed-off-by: Zhenyu Wang --- drivers/gpu/drm/i915/gvt/execlist.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/i915/gvt/execlist.c b/drivers/gpu/drm/i915/gvt/execlist.c index f865ce0..5534336 100644 --- a/drivers/gpu/drm/i915/gvt/execlist.c +++ b/drivers/gpu/drm/i915/gvt/execlist.c @@ -405,7 +405,11 @@ static void prepare_shadow_batch_buffer(struct intel_vgpu_workload *workload) gvt_err("Cannot pin\n"); return; } - i915_gem_object_unpin_pages(entry_obj->obj); + + /* FIXME: we are not tracking our pinned VMA leaving it + * up to the core to fix up the stray pin_count upon + * free. + */ /* update the relocate gma with shadow batch buffer*/ set_gma_to_bb_cmd(entry_obj, @@ -455,7 +459,11 @@ static void prepare_shadow_wa_ctx(struct intel_shadow_wa_ctx *wa_ctx) gvt_err("Cannot pin indirect ctx obj\n"); return; } - i915_gem_object_unpin_pages(wa_ctx->indirect_ctx.obj); + + /* FIXME: we are not tracking our pinned VMA leaving it + * up to the core to fix up the stray pin_count upon + * free. + */ wa_ctx->indirect_ctx.shadow_gma = i915_ggtt_offset(vma); -- 2.7.4