leandrof/linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
24aac336ff
linux/drivers/gpu/drm/i915
History
Chris Wilson 24aac336ff drm/i915: Avoid dereferencing a dead context 
Once the intel_context is closed, the GEM context may be freed and so
the link from intel_context.gem_context is invalid.

<3>[  219.782944] BUG: KASAN: use-after-free in intel_engine_coredump_alloc+0x1bc3/0x2250 [i915]
<3>[  219.782996] Read of size 8 at addr ffff8881d7dff0b8 by task kworker/0:1/12

<4>[  219.783052] CPU: 0 PID: 12 Comm: kworker/0:1 Tainted: G     U            5.7.0-rc2-g1f3ffd7683d54-kasan_118+ #1
<4>[  219.783055] Hardware name: System manufacturer System Product Name/Z170 PRO GAMING, BIOS 3402 04/26/2017
<4>[  219.783105] Workqueue: events heartbeat [i915]
<4>[  219.783109] Call Trace:
<4>[  219.783113]  <IRQ>
<4>[  219.783119]  dump_stack+0x96/0xdb
<4>[  219.783177]  ? intel_engine_coredump_alloc+0x1bc3/0x2250 [i915]
<4>[  219.783182]  print_address_description.constprop.6+0x16/0x310
<4>[  219.783239]  ? intel_engine_coredump_alloc+0x1bc3/0x2250 [i915]
<4>[  219.783295]  ? intel_engine_coredump_alloc+0x1bc3/0x2250 [i915]
<4>[  219.783300]  __kasan_report+0x137/0x190
<4>[  219.783359]  ? intel_engine_coredump_alloc+0x1bc3/0x2250 [i915]
<4>[  219.783366]  kasan_report+0x32/0x50
<4>[  219.783426]  intel_engine_coredump_alloc+0x1bc3/0x2250 [i915]
<4>[  219.783481]  execlists_reset+0x39c/0x13d0 [i915]
<4>[  219.783494]  ? mark_held_locks+0x9e/0xe0
<4>[  219.783546]  ? execlists_hold+0xfc0/0xfc0 [i915]
<4>[  219.783551]  ? lockdep_hardirqs_on+0x348/0x5f0
<4>[  219.783557]  ? _raw_spin_unlock_irqrestore+0x34/0x60
<4>[  219.783606]  ? execlists_submission_tasklet+0x118/0x3a0 [i915]
<4>[  219.783615]  tasklet_action_common.isra.14+0x13b/0x410
<4>[  219.783623]  ? __do_softirq+0x1e4/0x9a7
<4>[  219.783630]  __do_softirq+0x226/0x9a7
<4>[  219.783643]  do_softirq_own_stack+0x2a/0x40
<4>[  219.783647]  </IRQ>
<4>[  219.783692]  ? heartbeat+0x3e2/0x10f0 [i915]
<4>[  219.783696]  do_softirq.part.13+0x49/0x50
<4>[  219.783700]  __local_bh_enable_ip+0x1a2/0x1e0
<4>[  219.783748]  heartbeat+0x409/0x10f0 [i915]
<4>[  219.783801]  ? __live_idle_pulse+0x9f0/0x9f0 [i915]
<4>[  219.783806]  ? lock_acquire+0x1ac/0x8a0
<4>[  219.783811]  ? process_one_work+0x811/0x1870
<4>[  219.783827]  ? rcu_read_lock_sched_held+0x9c/0xd0
<4>[  219.783832]  ? rcu_read_lock_bh_held+0xb0/0xb0
<4>[  219.783836]  ? _raw_spin_unlock_irq+0x1f/0x40
<4>[  219.783845]  process_one_work+0x8ca/0x1870
<4>[  219.783848]  ? lock_acquire+0x1ac/0x8a0
<4>[  219.783852]  ? worker_thread+0x1d0/0xb80
<4>[  219.783864]  ? pwq_dec_nr_in_flight+0x2c0/0x2c0
<4>[  219.783870]  ? do_raw_spin_lock+0x129/0x290
<4>[  219.783886]  worker_thread+0x82/0xb80
<4>[  219.783895]  ? __kthread_parkme+0xaf/0x1b0
<4>[  219.783902]  ? process_one_work+0x1870/0x1870
<4>[  219.783906]  kthread+0x34e/0x420
<4>[  219.783911]  ? kthread_create_on_node+0xc0/0xc0
<4>[  219.783918]  ret_from_fork+0x3a/0x50

<3>[  219.783950] Allocated by task 1264:
<4>[  219.783975]  save_stack+0x19/0x40
<4>[  219.783978]  __kasan_kmalloc.constprop.3+0xa0/0xd0
<4>[  219.784029]  i915_gem_create_context+0xa2/0xab8 [i915]
<4>[  219.784081]  i915_gem_context_create_ioctl+0x1fa/0x450 [i915]
<4>[  219.784085]  drm_ioctl_kernel+0x1d8/0x270
<4>[  219.784088]  drm_ioctl+0x676/0x930
<4>[  219.784092]  ksys_ioctl+0xb7/0xe0
<4>[  219.784096]  __x64_sys_ioctl+0x6a/0xb0
<4>[  219.784100]  do_syscall_64+0x94/0x530
<4>[  219.784103]  entry_SYSCALL_64_after_hwframe+0x49/0xb3

<3>[  219.784120] Freed by task 12:
<4>[  219.784141]  save_stack+0x19/0x40
<4>[  219.784145]  __kasan_slab_free+0x130/0x180
<4>[  219.784148]  kmem_cache_free_bulk+0x1bd/0x500
<4>[  219.784152]  kfree_rcu_work+0x1d8/0x890
<4>[  219.784155]  process_one_work+0x8ca/0x1870
<4>[  219.784158]  worker_thread+0x82/0xb80
<4>[  219.784162]  kthread+0x34e/0x420
<4>[  219.784165]  ret_from_fork+0x3a/0x50

Fixes: 2e46a2a0b0 ("drm/i915: Use explicit flag to mark unreachable intel_context")
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Acked-by: Akeem G Abodunrin <akeem.g.abodunrin@intel.com>
Reviewed-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20200428090255.10035-1-chris@chris-wilson.co.uk
2020-04-29 15:16:00 +01:00
..
display drm/i915: Split some long lines 2020-04-24 17:59:59 +03:00
gem drm/i915: Only close vma we open 2020-04-24 11:24:45 +01:00
gt drm/i915/gt: Avoid uninitialized use of rpcurupei in frequency_show 2020-04-29 07:46:21 +01:00
gvt drm/i915/execlists: Avoid reusing the same logical CCID 2020-04-28 22:17:36 +01:00
selftests drm/i915/execlists: Track inflight CCID 2020-04-28 22:17:36 +01:00
.gitignore .gitignore: add SPDX License Identifier 2020-03-25 11:50:48 +01:00
i915_active_types.h
i915_active.c drm/i915: Allow asynchronous waits on the i915_active barriers 2020-04-06 19:48:06 +01:00
i915_active.h drm/i915: Allow asynchronous waits on the i915_active barriers 2020-04-06 19:48:06 +01:00
i915_buddy.c drm/i915/buddy: avoid double list_add 2020-03-06 14:33:08 +00:00
i915_buddy.h
i915_cmd_parser.c
i915_debugfs_params.c
i915_debugfs_params.h
i915_debugfs.c drm/i915/gt: Use the RPM config register to determine clk frequencies 2020-04-24 19:10:17 +01:00
i915_debugfs.h drm/i915: split out display debugfs to a separate file 2020-02-14 13:26:51 +02:00
i915_drv.c drm/i915: Refactor setting dma info to a common helper 2020-04-18 07:49:11 +01:00
i915_drv.h drm/i915: Update DRIVER_DATE to 20200417 2020-04-17 09:35:00 +03:00
i915_fixed.h
i915_gem_evict.c drm/i915/evict: watch out for unevictable nodes 2020-04-08 21:39:48 +01:00
i915_gem_gtt.c drm/i915: significantly reduce the use of <drm/i915_drm.h> 2020-02-27 08:35:09 +02:00
i915_gem_gtt.h
i915_gem.c drm/i915/gem: Drop cached obj->bind_count 2020-04-02 01:17:39 +01:00
i915_gem.h
i915_getparam.c
i915_globals.c
i915_globals.h
i915_gpu_error.c drm/i915: Avoid dereferencing a dead context 2020-04-29 15:16:00 +01:00
i915_gpu_error.h drm/i915: Drop rq->ring->vma peeking from error capture 2020-04-24 22:14:35 +01:00
i915_ioc32.c drm/i915: add i915_ioc32.h for compat 2020-03-02 13:32:37 +02:00
i915_ioc32.h drm/i915: add i915_ioc32.h for compat 2020-03-02 13:32:37 +02:00
i915_irq.c drm/i915: Use proper fault mask in interrupt postinstall too 2020-04-27 11:36:41 -07:00
i915_irq.h drm/i915: Convert to CRTC VBLANK callbacks 2020-02-13 13:08:13 +01:00
i915_memcpy.c drm/i915: remove always-defined CONFIG_AS_MOVNTDQA 2020-04-09 00:01:59 +09:00
i915_memcpy.h
i915_mm.c
i915_params.c
i915_params.h drm/i915: Mark i915.reset as unsigned 2020-02-05 18:51:52 +00:00
i915_pci.c drm/i915: Refactor setting dma info to a common helper 2020-04-18 07:49:11 +01:00
i915_perf_types.h drm/i915/perf: Schedule oa_config after modifying the contexts 2020-03-30 18:20:34 +01:00
i915_perf.c drm/i915/execlists: Track inflight CCID 2020-04-28 22:17:36 +01:00
i915_perf.h
i915_pmu.c drm/i915/pmu: prefer struct drm_device based logging 2020-04-08 13:49:35 +03:00
i915_pmu.h drm/i915: significantly reduce the use of <drm/i915_drm.h> 2020-02-27 08:35:09 +02:00
i915_priolist_types.h
i915_pvinfo.h
i915_query.c
i915_query.h
i915_reg.h drm/i915: Use indirect ctx bb to mend CMD_BUF_CCTL 2020-04-25 19:08:56 +01:00
i915_request.c drm/i915: Keep a per-engine request pool 2020-04-03 15:20:03 +01:00
i915_request.h drm/i915: Keep a per-engine request pool 2020-04-03 15:20:03 +01:00
i915_scatterlist.c
i915_scatterlist.h
i915_scheduler_types.h
i915_scheduler.c drm/i915/gt: Include a few tracek for timeslicing 2020-03-31 21:42:12 +01:00
i915_scheduler.h
i915_selftest.h
i915_suspend.c drm/i915: significantly reduce the use of <drm/i915_drm.h> 2020-02-27 08:35:09 +02:00
i915_suspend.h
i915_sw_fence_work.c drm/i915: Immediately execute the fenced work 2020-03-25 13:05:04 +00:00
i915_sw_fence_work.h drm/i915: Immediately execute the fenced work 2020-03-25 13:05:04 +00:00
i915_sw_fence.c drm/i915: Prefer '%ps' for printing function symbol names 2020-03-19 16:18:14 +00:00
i915_sw_fence.h drm/i915/gem: Don't leak non-persistent requests on changing engines 2020-02-11 21:58:39 +00:00
i915_switcheroo.c drm/i915/switcheroo: use struct drm_device based logging 2020-04-08 13:49:35 +03:00
i915_switcheroo.h
i915_syncmap.c
i915_syncmap.h
i915_sysfs.c drm/i915/gt: Expose engine properties via sysfs 2020-02-28 22:03:19 +00:00
i915_sysfs.h
i915_trace_points.c
i915_trace.h
i915_user_extensions.c
i915_user_extensions.h
i915_utils.c drm/i915: Avoid setting timer->expires to 0 2020-04-03 16:33:09 +01:00
i915_utils.h drm/i915: be more solid in checking the alignment 2020-03-11 23:12:39 +02:00
i915_vgpu.c drm/i915/vgpu: improve vgpu abstractions 2020-03-03 17:46:54 +02:00
i915_vgpu.h drm/i915/vgpu: improve vgpu abstractions 2020-03-03 17:46:54 +02:00
i915_vma_types.h drm/i915/gem: Extract transient execbuf flags from i915_vma 2020-03-03 21:52:51 +00:00
i915_vma.c drm/i915: Only close vma we open 2020-04-24 11:24:45 +01:00
i915_vma.h drm/i915/gt: Make fence revocation unequivocal 2020-04-01 23:34:17 +01:00
intel_device_info.c drm/i915: Refactor setting dma info to a common helper 2020-04-18 07:49:11 +01:00
intel_device_info.h drm/i915: Refactor setting dma info to a common helper 2020-04-18 07:49:11 +01:00
intel_dram.c drm/i915/dram: prefer struct drm_device based logging 2020-04-08 13:49:35 +03:00
intel_dram.h drm/i915: split out intel_dram.[ch] from i915_drv.c 2020-02-27 09:16:01 +02:00
intel_gvt.c drm/i915/gvt: make intel_gvt_active internal to intel_gvt 2020-03-03 17:47:03 +02:00
intel_gvt.h
intel_memory_region.c
intel_memory_region.h
intel_pch.c
intel_pch.h
intel_pm.c drm/i915/tgl: Wa_14011059788 2020-04-28 11:14:34 -07:00
intel_pm.h drm/i915: Add pre/post plane updates for SAGV 2020-04-17 20:41:00 +03:00
intel_region_lmem.c
intel_region_lmem.h
intel_runtime_pm.c
intel_runtime_pm.h
intel_sideband.c drm/i915: drop a bunch of superfluous inlines 2020-04-21 09:31:37 +03:00
intel_sideband.h
intel_uncore.c drm/i915/icl: Update forcewake firmware ranges 2020-04-17 19:35:43 +01:00
intel_uncore.h drm/i915/selftests: Measure the energy consumed while in RC6 2020-03-25 11:33:05 +00:00
intel_wakeref.c drm/i915: Extend intel_wakeref to support delayed puts 2020-03-23 12:51:05 +00:00
intel_wakeref.h drm/i915: Extend intel_wakeref to support delayed puts 2020-03-23 12:51:05 +00:00
intel_wopcm.c drm/i915: drop a bunch of superfluous inlines 2020-04-21 09:31:37 +03:00
intel_wopcm.h
Kconfig drm/i915: Update drm/i915 bug filing URL 2020-02-17 21:16:45 +02:00
Kconfig.debug
Kconfig.profile drm/i915/gen12: Disable preemption timeout 2020-03-12 13:46:01 +00:00
Kconfig.unstable
Makefile drm/i915: re-disable -Wframe-address 2020-04-27 09:58:27 +01:00
vlv_suspend.c drm/i915: switch vlv_suspend to use intel uncore register accessors 2020-02-17 11:29:51 +02:00
vlv_suspend.h drm/i915: split out vlv/chv specific suspend/resume code 2020-02-17 11:29:35 +02:00