mirror of https://github.com/edk2-porting/linux-next.git synced 2025-01-16 01:24:08 +08:00
linux-next/drivers/gpu/drm
Andrzej Hajda fc173ae6dd drm/exynos: fix cancel page flip code
Driver code did not remove the event from the list of pending events before destroying it.
As a result, the drm core later tried to inspect an invalid memory location.
The patch replaces the removal code with a call to a core helper.

The bug was detected using KASAN:

[   10.107249] ==================================================================
[   10.107518] BUG: KASAN: use-after-free in drm_release+0xe9c/0x1000 at addr ffffffc089154a18
[   10.107784] Read of size 8 by task modetest/103
[   10.107931] =============================================================================
[   10.113191] BUG kmalloc-128 (Not tainted): kasan: bad access detected
[   10.119608] -----------------------------------------------------------------------------
[   10.119608]
[   10.129243] Disabling lock debugging due to kernel taint
[   10.134551] INFO: Allocated in drm_mode_page_flip_ioctl+0x500/0xa98 age=4 cpu=0 pid=103
[   10.142532] 	alloc_debug_processing+0x18c/0x198
[   10.147043] 	___slab_alloc.constprop.28+0x360/0x380
[   10.151906] 	__slab_alloc.isra.25.constprop.27+0x54/0xa0
[   10.157197] 	kmem_cache_alloc_trace+0x370/0x3b0
[   10.161709] 	drm_mode_page_flip_ioctl+0x500/0xa98
[   10.166400] 	drm_ioctl+0x4c4/0xb68
[   10.169787] 	do_vfs_ioctl+0x16c/0xeb8
[   10.173429] 	SyS_ioctl+0x8c/0xa0
[   10.176642] 	el0_svc_naked+0x24/0x28
[   10.180204] INFO: Freed in exynos_drm_crtc_cancel_page_flip+0xe0/0x160 age=0 cpu=0 pid=103
[   10.188447] 	free_debug_processing+0x174/0x388
[   10.192871] 	__slab_free+0x2e8/0x438
[   10.196431] 	kfree+0x350/0x360
[   10.199469] 	exynos_drm_crtc_cancel_page_flip+0xe0/0x160
[   10.204762] 	exynos_drm_preclose+0x58/0xa0
[   10.208844] 	drm_release+0x1f0/0x1000
[   10.212491] 	__fput+0x1c4/0x5b8
[   10.215613] 	____fput+0xc/0x18
[   10.218654] 	task_work_run+0x130/0x198
[   10.222385] 	do_exit+0x700/0x2278
[   10.225681] 	do_group_exit+0xe4/0x2c8
[   10.229327] 	SyS_exit_group+0x1c/0x20
[   10.232973] 	el0_svc_naked+0x24/0x28
[   10.236532] INFO: Slab 0xffffffbdc2a45500 objects=32 used=10 fp=0xffffffc089154a00 flags=0x4080
[   10.245210] INFO: Object 0xffffffc089154a00 @offset=2560 fp=0xffffffc089157600
[   10.245210]
...
[   10.384532] CPU: 0 PID: 103 Comm: modetest Tainted: G    B           4.5.0-rc3-00748-gd5e2881 #271
[   10.398325] Call trace:
[   10.400764] [<ffffffc000091428>] dump_backtrace+0x0/0x328
[   10.406141] [<ffffffc000091764>] show_stack+0x14/0x20
[   10.411176] [<ffffffc00089c550>] dump_stack+0xb0/0xe8
[   10.416210] [<ffffffc000395778>] print_trailer+0xf8/0x160
[   10.421592] [<ffffffc00039b5cc>] object_err+0x3c/0x50
[   10.426626] [<ffffffc00039d630>] kasan_report_error+0x248/0x550
[   10.432527] [<ffffffc00039da50>] __asan_report_load8_noabort+0x40/0x48
[   10.439039] [<ffffffc000b5b724>] drm_release+0xe9c/0x1000
[   10.444419] [<ffffffc0003d340c>] __fput+0x1c4/0x5b8
[   10.449280] [<ffffffc0003d3884>] ____fput+0xc/0x18
[   10.454055] [<ffffffc000101aa8>] task_work_run+0x130/0x198
[   10.459522] [<ffffffc0000bc058>] do_exit+0x700/0x2278
[   10.464557] [<ffffffc0000bdcfc>] do_group_exit+0xe4/0x2c8
[   10.469939] [<ffffffc0000bdefc>] SyS_exit_group+0x1c/0x20
[   10.475320] [<ffffffc000087530>] el0_svc_naked+0x24/0x28

Signed-off-by: Andrzej Hajda <a.hajda@samsung.com>
Signed-off-by: Inki Dae <inki.dae@samsung.com>
2016-05-10 23:11:41 +09:00
..
amd Linux 4.6-rc7 2016-05-09 13:49:56 +10:00
arc drm: Add support of ARC PGU display controller 2016-04-26 17:58:02 +03:00
arm drm/arm/hdlcd: Rename async to nonblock. 2016-05-02 16:36:09 +02:00
armada mm, fs: get rid of PAGE_CACHE_* and page_cache_{get,release} macros 2016-04-04 10:41:08 -07:00
ast drm/ttm: implement LRU add callbacks v2 2016-05-04 20:21:38 -04:00
atmel-hlcdc Merge branch 'drm-atmel-hlcdc-devel' of https://github.com/bbrezillon/linux-at91 into drm-next 2016-04-22 09:06:44 +10:00
bochs drm/ttm: implement LRU add callbacks v2 2016-05-04 20:21:38 -04:00
bridge Merge branch 'drm-next-analogix-dp-v2' of github.com:yakir-Yang/linux into drm-next 2016-04-06 09:57:33 +10:00
cirrus drm/ttm: implement LRU add callbacks v2 2016-05-04 20:21:38 -04:00
etnaviv Linux 4.6-rc7 2016-05-09 13:49:56 +10:00
exynos drm/exynos: fix cancel page flip code 2016-05-10 23:11:41 +09:00
fsl-dcu drm/fsl-dcu: use bus_flags for pixel clock polarity 2016-05-05 10:09:06 -07:00
gma500 Linux 4.6-rc3 2016-04-22 08:32:51 +10:00
hisilicon drm/hisilicon: Add support for external bridge 2016-04-29 16:39:14 +08:00
i2c Merge drm-fixes into drm-next. 2016-03-14 09:46:02 +10:00
i810
i915 drm/i915: Correctly refcount connectors in hw state readou 2016-05-06 16:09:12 +02:00
imx drm/imx: Use lockless gem BO free callback 2016-05-04 12:27:54 +02:00
mediatek drm/mediatek: Add DPI sub driver 2016-05-06 17:47:38 +02:00
mga
mgag200 drm/ttm: implement LRU add callbacks v2 2016-05-04 20:21:38 -04:00
msm drm/msm: Drop load/unload drm_driver ops 2016-05-08 10:22:19 -04:00
nouveau Linux 4.6-rc7 2016-05-09 13:49:56 +10:00
omapdrm drm/omapdrm: Rename async to nonblock. 2016-05-02 16:36:34 +02:00
panel drm/fsl-dcu: use bus_flags for pixel clock polarity 2016-05-05 10:09:06 -07:00
qxl Linux 4.6-rc7 2016-05-09 13:49:56 +10:00
r128
radeon Linux 4.6-rc7 2016-05-09 13:49:56 +10:00
rcar-du Merge tag 'topic/drm-misc-2016-05-04' of git://anongit.freedesktop.org/drm-intel into drm-next 2016-05-05 09:56:30 +10:00
rockchip Merge tag 'topic/drm-misc-2016-05-04' of git://anongit.freedesktop.org/drm-intel into drm-next 2016-05-05 09:56:30 +10:00
savage
shmobile drm/shmobile: use drm_crtc_send_vblank_event() 2016-05-02 17:04:50 +02:00
sis
sti drm/sti: Rename async to nonblock. 2016-05-02 16:36:57 +02:00
sun4i drm: sun4i: tv: Add NTSC output standard 2016-04-28 10:30:05 +02:00
tdfx
tegra drm/tegra: Rename async to nonblock. 2016-05-02 16:37:14 +02:00
tilcdc drm/tilcdc: use drm_crtc_send_vblank_event() 2016-05-02 17:04:59 +02:00
ttm Linux 4.6-rc7 2016-05-09 13:49:56 +10:00
udl drm/udl: Use drm_fb_helper deferred_io support 2016-05-02 16:25:55 +02:00
vc4 Merge tag 'topic/drm-misc-2016-05-04' of git://anongit.freedesktop.org/drm-intel into drm-next 2016-05-05 09:56:30 +10:00
vgem drm/vgem: Drop dev->struct_mutex 2016-04-20 12:58:45 +02:00
via mm, fs: get rid of PAGE_CACHE_* and page_cache_{get,release} macros 2016-04-04 10:41:08 -07:00
virtio Linux 4.6-rc7 2016-05-09 13:49:56 +10:00
vmwgfx Linux 4.6-rc7 2016-05-09 13:49:56 +10:00
ati_pcigart.c
drm_agpsupport.c drm: Give drm_agp_clear drm_legacy_ prefix 2016-04-27 08:41:34 +02:00
drm_atomic_helper.c drm/atomic: use connector references (v3) 2016-05-05 12:52:05 +10:00
drm_atomic.c drm/atomic: use connector references (v3) 2016-05-05 12:52:05 +10:00
drm_auth.c
drm_bridge.c drm: bridge: Make (pre/post) enable/disable callbacks optional 2016-03-29 08:34:05 +02:00
drm_bufs.c drm: Hide master MAP cleanup in drm_bufs.c 2016-04-27 10:14:17 +02:00
drm_cache.c
drm_context.c
drm_crtc_helper.c drm/crtc: take references to connectors used in a modeset. (v2) 2016-05-05 12:52:01 +10:00
drm_crtc_internal.h drm/mode: rework drm_mode_object_put to drm_mode_object_unregister. 2016-04-22 10:26:37 +10:00
drm_crtc.c drm/core: Do not preserve framebuffer on rmfb, v4. 2016-05-05 13:50:53 +02:00
drm_debugfs.c
drm_dma.c
drm_dp_aux_dev.c drm/dp: Allow signals to interrupt drm_aux-dev reads/writes 2016-04-28 11:48:09 +02:00
drm_dp_helper.c drm/dp_helper: Perform throw-away read before actual read in drm_dp_dpcd_read() 2016-04-22 18:52:24 +02:00
drm_dp_mst_topology.c Linux 4.6-rc7 2016-05-09 13:49:56 +10:00
drm_drv.c drm: Protect dev->filelist with its own mutex 2016-04-27 10:16:17 +02:00
drm_edid_load.c drm/edid: convert to use match_string() helper 2016-03-17 15:09:34 -07:00
drm_edid.c Linux 4.6-rc7 2016-05-09 13:49:56 +10:00
drm_encoder_slave.c
drm_fb_cma_helper.c drm/fb-cma-helper: Add fb_deferred_io support 2016-05-02 16:25:08 +02:00
drm_fb_helper.c drm/fb_helper: Fix a few typos 2016-05-05 09:12:42 +02:00
drm_flip_work.c
drm_fops.c drm: Protect dev->filelist with its own mutex 2016-04-27 10:16:17 +02:00
drm_gem_cma_helper.c dma, mm/pat: Rename dma_*_writecombine() to dma_*_wc() 2016-03-09 14:57:51 +01:00
drm_gem.c drm: Fixup locking WARN_ON mistake around gem_object_free_unlocked 2016-05-04 15:24:32 +02:00
drm_global.c
drm_hashtab.c
drm_info.c drm: Protect dev->filelist with its own mutex 2016-04-27 10:16:17 +02:00
drm_internal.h drm: Make drm_vm_open/close_locked private to drm_vm.c 2016-04-27 10:15:56 +02:00
drm_ioc32.c
drm_ioctl.c drm: Move drm_getmap into drm_bufs.c and give it a legacy prefix 2016-04-27 08:42:48 +02:00
drm_irq.c Merge tag 'topic/drm-misc-2016-04-01' of git://anongit.freedesktop.org/drm-intel into drm-next 2016-04-06 09:39:01 +10:00
drm_kms_helper_common.c
drm_legacy.h drm: Move drm_getmap into drm_bufs.c and give it a legacy prefix 2016-04-27 08:42:48 +02:00
drm_lock.c
drm_memory.c
drm_mipi_dsi.c drm/dsi: Get DSI host by DT device node 2016-03-02 17:02:54 +01:00
drm_mm.c
drm_modes.c drm/mode: rework drm_mode_object_put to drm_mode_object_unregister. 2016-04-22 10:26:37 +10:00
drm_modeset_lock.c
drm_of.c
drm_panel.c drm/panel: Flesh out kerneldoc 2016-05-06 16:04:48 +02:00
drm_pci.c drm: Give drm_agp_clear drm_legacy_ prefix 2016-04-27 08:41:34 +02:00
drm_plane_helper.c
drm_platform.c
drm_prime.c
drm_probe_helper.c drm: probe_helper: Hide ugly ifdef 2016-04-20 13:35:14 +02:00
drm_rect.c
drm_scatter.c
drm_sysfs.c drm/sysfs: Annote lockless show functions with READ_ONCE 2016-04-26 13:23:24 +02:00
drm_trace_points.c
drm_trace.h
drm_vm.c drm: Make drm_vm_open/close_locked private to drm_vm.c 2016-04-27 10:15:56 +02:00
drm_vma_manager.c
Kconfig drm/mediatek: Add DRM Driver for Mediatek SoC MT8173. 2016-05-06 17:47:35 +02:00
Makefile drm/mediatek: Add DRM Driver for Mediatek SoC MT8173. 2016-05-06 17:47:35 +02:00