mirror of https://github.com/edk2-porting/linux-next.git synced 2024-12-28 07:04:00 +08:00
linux-next/drivers/gpu/drm/exynos
Andrzej Hajda fc173ae6dd drm/exynos: fix cancel page flip code
The driver code did not remove the event from the list of pending events before destroying it.
As a result, the drm core later tried to inspect an invalid memory location.
The patch replaces the removal code with a call to the core helper.

The bug was detected using KASAN:

[   10.107249] ==================================================================
[   10.107518] BUG: KASAN: use-after-free in drm_release+0xe9c/0x1000 at addr ffffffc089154a18
[   10.107784] Read of size 8 by task modetest/103
[   10.107931] =============================================================================
[   10.113191] BUG kmalloc-128 (Not tainted): kasan: bad access detected
[   10.119608] -----------------------------------------------------------------------------
[   10.119608]
[   10.129243] Disabling lock debugging due to kernel taint
[   10.134551] INFO: Allocated in drm_mode_page_flip_ioctl+0x500/0xa98 age=4 cpu=0 pid=103
[   10.142532] 	alloc_debug_processing+0x18c/0x198
[   10.147043] 	___slab_alloc.constprop.28+0x360/0x380
[   10.151906] 	__slab_alloc.isra.25.constprop.27+0x54/0xa0
[   10.157197] 	kmem_cache_alloc_trace+0x370/0x3b0
[   10.161709] 	drm_mode_page_flip_ioctl+0x500/0xa98
[   10.166400] 	drm_ioctl+0x4c4/0xb68
[   10.169787] 	do_vfs_ioctl+0x16c/0xeb8
[   10.173429] 	SyS_ioctl+0x8c/0xa0
[   10.176642] 	el0_svc_naked+0x24/0x28
[   10.180204] INFO: Freed in exynos_drm_crtc_cancel_page_flip+0xe0/0x160 age=0 cpu=0 pid=103
[   10.188447] 	free_debug_processing+0x174/0x388
[   10.192871] 	__slab_free+0x2e8/0x438
[   10.196431] 	kfree+0x350/0x360
[   10.199469] 	exynos_drm_crtc_cancel_page_flip+0xe0/0x160
[   10.204762] 	exynos_drm_preclose+0x58/0xa0
[   10.208844] 	drm_release+0x1f0/0x1000
[   10.212491] 	__fput+0x1c4/0x5b8
[   10.215613] 	____fput+0xc/0x18
[   10.218654] 	task_work_run+0x130/0x198
[   10.222385] 	do_exit+0x700/0x2278
[   10.225681] 	do_group_exit+0xe4/0x2c8
[   10.229327] 	SyS_exit_group+0x1c/0x20
[   10.232973] 	el0_svc_naked+0x24/0x28
[   10.236532] INFO: Slab 0xffffffbdc2a45500 objects=32 used=10 fp=0xffffffc089154a00 flags=0x4080
[   10.245210] INFO: Object 0xffffffc089154a00 @offset=2560 fp=0xffffffc089157600
[   10.245210]
...
[   10.384532] CPU: 0 PID: 103 Comm: modetest Tainted: G    B           4.5.0-rc3-00748-gd5e2881 #271
[   10.398325] Call trace:
[   10.400764] [<ffffffc000091428>] dump_backtrace+0x0/0x328
[   10.406141] [<ffffffc000091764>] show_stack+0x14/0x20
[   10.411176] [<ffffffc00089c550>] dump_stack+0xb0/0xe8
[   10.416210] [<ffffffc000395778>] print_trailer+0xf8/0x160
[   10.421592] [<ffffffc00039b5cc>] object_err+0x3c/0x50
[   10.426626] [<ffffffc00039d630>] kasan_report_error+0x248/0x550
[   10.432527] [<ffffffc00039da50>] __asan_report_load8_noabort+0x40/0x48
[   10.439039] [<ffffffc000b5b724>] drm_release+0xe9c/0x1000
[   10.444419] [<ffffffc0003d340c>] __fput+0x1c4/0x5b8
[   10.449280] [<ffffffc0003d3884>] ____fput+0xc/0x18
[   10.454055] [<ffffffc000101aa8>] task_work_run+0x130/0x198
[   10.459522] [<ffffffc0000bc058>] do_exit+0x700/0x2278
[   10.464557] [<ffffffc0000bdcfc>] do_group_exit+0xe4/0x2c8
[   10.469939] [<ffffffc0000bdefc>] SyS_exit_group+0x1c/0x20
[   10.475320] [<ffffffc000087530>] el0_svc_naked+0x24/0x28

Signed-off-by: Andrzej Hajda <a.hajda@samsung.com>
Signed-off-by: Inki Dae <inki.dae@samsung.com>
2016-05-10 23:11:41 +09:00
exynos7_drm_decon.c drm/exynos: clean up wait_for_vblank 2016-04-30 11:34:12 +09:00
exynos5433_drm_decon.c drm/exynos/decon5433: do not use unnecessary software trigger 2016-05-10 23:11:40 +09:00
exynos_dp.c drm/exynos: convert clock_enable crtc callback to pipeline clock 2016-04-30 11:33:48 +09:00
exynos_drm_core.c drm/exynos: fix error handling in exynos_drm_subdrv_open 2016-04-30 01:03:45 +09:00
exynos_drm_crtc.c drm/exynos: fix cancel page flip code 2016-05-10 23:11:41 +09:00
exynos_drm_crtc.h drm/exynos: fix kernel panic issue at drm releasing 2016-01-13 00:16:39 +09:00
exynos_drm_dpi.c drm/exynos: removed optional dummy encoder mode_fixup function. 2016-02-16 15:30:36 +01:00
exynos_drm_drv.c drm/exynos: Rename async to nonblock. 2016-05-02 16:36:23 +02:00
exynos_drm_drv.h Merge tag 'topic/drm-misc-2016-05-04' of git://anongit.freedesktop.org/drm-intel into drm-next 2016-05-05 09:56:30 +10:00
exynos_drm_dsi.c drm/exynos: dsi: use generic of_device_get_match_data helper 2016-04-30 11:34:07 +09:00
exynos_drm_fb.c drm/exynos: build fbdev code conditionally 2016-04-30 01:03:45 +09:00
exynos_drm_fb.h Merge branch 'drm-next' of git://people.freedesktop.org/~airlied/linux 2016-01-17 13:40:25 -08:00
exynos_drm_fbdev.c drm/exynos: build fbdev code conditionally 2016-04-30 01:03:45 +09:00
exynos_drm_fbdev.h drm/exynos: build fbdev code conditionally 2016-04-30 01:03:45 +09:00
exynos_drm_fimc.c drm/exynos/fimc: remove unused camera interface polarization code 2016-03-01 23:37:23 +09:00
exynos_drm_fimc.h drm/exynos: change file license to GPL 2013-01-04 15:54:32 +09:00
exynos_drm_fimd.c Linux 4.6-rc7 2016-05-09 13:49:56 +10:00
exynos_drm_g2d.c drm/exynos: use real device for DMA-mapping operations 2016-03-01 23:53:47 +09:00
exynos_drm_g2d.h drm/exynos: add G2D driver 2012-05-17 20:14:48 +09:00
exynos_drm_gem.c drm/exynos: drop struct_mutex from exynos_drm_gem_get_ioctl 2016-04-20 12:57:59 +02:00
exynos_drm_gem.h drm/exynos: add DRM_EXYNOS_GEM_MAP ioctl 2016-03-13 14:54:03 +09:00
exynos_drm_gsc.c drm/exynos: ipp: fix incorrect format specifiers in debug messages 2016-03-01 23:37:08 +09:00
exynos_drm_gsc.h drm/exynos: change file license to GPL 2013-01-04 15:54:32 +09:00
exynos_drm_iommu.c drm/exynos: use real device for DMA-mapping operations 2016-03-01 23:53:47 +09:00
exynos_drm_iommu.h drm/exynos: use real device for DMA-mapping operations 2016-03-01 23:53:47 +09:00
exynos_drm_ipp.c drm/exynos: ipp: fix incorrect format specifiers in debug messages 2016-03-01 23:37:08 +09:00
exynos_drm_ipp.h drm/exynos/ipp: remove unused field in command node 2014-09-20 00:56:10 +09:00
exynos_drm_mic.c drm/exynos: fix a warning message 2016-04-30 01:03:46 +09:00
exynos_drm_plane.c drm/exynos: fix adjusted_mode pointer in exynos_plane_mode_set 2016-04-30 01:03:45 +09:00
exynos_drm_plane.h drm/exynos: rename zpos to index 2016-01-13 00:16:33 +09:00
exynos_drm_rotator.c drm/exynos: rotator: use generic of_device_get_match_data helper 2016-04-30 11:34:09 +09:00
exynos_drm_rotator.h drm/exynos: change file license to GPL 2013-01-04 15:54:32 +09:00
exynos_drm_vidi.c drm/exynos: fix types for compilation on 64bit architectures 2016-03-01 23:37:09 +09:00
exynos_drm_vidi.h drm/exynos: change file license to GPL 2013-01-04 15:54:32 +09:00
exynos_hdmi.c drm/exynos/hdmi: expose HDMI-PHY clock as pipeline clock 2016-05-10 23:11:38 +09:00
exynos_mixer.c drm/exynos: clean up wait_for_vblank 2016-04-30 11:34:12 +09:00
Kconfig drm/exynos: Use VIDEO_SAMSUNG_S5P_G2D=n as G2D Kconfig dependency 2016-04-30 01:03:46 +09:00
Makefile drm/exynos: build fbdev code conditionally 2016-04-30 01:03:45 +09:00
regs-fimc.h drm/exynos: add device tree support for fimc ipp driver 2013-04-29 14:35:32 +09:00
regs-gsc.h drm/exynos: gsc: add device tree support and remove usage of static mappings 2015-12-13 22:22:53 +09:00
regs-hdmi.h drm/exynos/hdmi: add Exynos5433 support 2016-04-30 01:03:54 +09:00
regs-mixer.h drm/exynos: mixer: refactor layer setup 2016-01-13 00:16:36 +09:00
regs-rotator.h drm/exynos: add rotator ipp driver 2012-12-15 02:39:41 +09:00
regs-vp.h drm/exynos: added hdmi display support 2011-12-29 11:21:42 +09:00