linux/drivers/gpu/drm
Chris Wilson 88326ef05b drm/i915: Confirm the request is still active before adding it to the await
Although we do check the completion-status of the request before
actually adding a wait on it (either to its submit fence or its
completion dma-fence), we currently do not check before adding it to the
dependency lists.

In fact, without checking for a completed request we may try to use the
signaler after it has been retired and its dependency tree freed:

[   60.044057] BUG: KASAN: use-after-free in __list_add_valid+0x1d/0xd0 at addr ffff880348c9e6a0
[   60.044118] Read of size 8 by task gem_exec_fence/530
[   60.044164] CPU: 1 PID: 530 Comm: gem_exec_fence Tainted: G            E   4.11.0-rc7+ #46
[   60.044226] Hardware name: ��������������������������������� ���������������������������������/���������������������������������, BIOS RYBDWi35.86A.0246.2
[   60.044290] Call Trace:
[   60.044337]  dump_stack+0x4d/0x6a
[   60.044383]  kasan_object_err+0x21/0x70
[   60.044435]  kasan_report+0x225/0x4e0
[   60.044488]  ? __list_add_valid+0x1d/0xd0
[   60.044534]  ? kasan_kmalloc+0xad/0xe0
[   60.044587]  __asan_load8+0x5e/0x70
[   60.044639]  __list_add_valid+0x1d/0xd0
[   60.044788]  __i915_priotree_add_dependency+0x67/0x130 [i915]
[   60.044895]  i915_gem_request_await_request+0xa8/0x370 [i915]
[   60.044974]  i915_gem_request_await_dma_fence+0x129/0x140 [i915]
[   60.045049]  i915_gem_do_execbuffer.isra.37+0xb0a/0x26b0 [i915]
[   60.045077]  ? save_stack+0xb1/0xd0
[   60.045105]  ? save_stack_trace+0x1b/0x20
[   60.045132]  ? save_stack+0x46/0xd0
[   60.045158]  ? kasan_kmalloc+0xad/0xe0
[   60.045184]  ? __kmalloc+0xd8/0x670
[   60.045229]  ? drm_ioctl+0x359/0x640 [drm]
[   60.045256]  ? SyS_ioctl+0x41/0x70
[   60.045330]  ? i915_vma_move_to_active+0x540/0x540 [i915]
[   60.045360]  ? tty_insert_flip_string_flags+0xa1/0xf0
[   60.045387]  ? tty_flip_buffer_push+0x63/0x70
[   60.045414]  ? remove_wait_queue+0xa9/0xc0
[   60.045441]  ? kasan_unpoison_shadow+0x35/0x50
[   60.045467]  ? kasan_kmalloc+0xad/0xe0
[   60.045494]  ? kasan_check_write+0x14/0x20
[   60.045568]  i915_gem_execbuffer2+0xdb/0x2a0 [i915]
[   60.045616]  drm_ioctl+0x359/0x640 [drm]
[   60.045705]  ? i915_gem_execbuffer+0x5a0/0x5a0 [i915]
[   60.045751]  ? drm_version+0x150/0x150 [drm]
[   60.045778]  ? compat_start_thread+0x60/0x60
[   60.045805]  ? plist_del+0xda/0x1a0
[   60.045833]  do_vfs_ioctl+0x12e/0x910
[   60.045860]  ? ioctl_preallocate+0x130/0x130
[   60.045886]  ? pci_mmcfg_check_reserved+0xc0/0xc0
[   60.045913]  ? vfs_write+0x196/0x240
[   60.045939]  ? __fget_light+0xa7/0xc0
[   60.045965]  SyS_ioctl+0x41/0x70
[   60.045991]  entry_SYSCALL_64_fastpath+0x17/0x98
[   60.046017] RIP: 0033:0x7feb2baefc47
[   60.046042] RSP: 002b:00007fff56d28e58 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   60.046075] RAX: ffffffffffffffda RBX: 00007fff56d290a8 RCX: 00007feb2baefc47
[   60.046102] RDX: 00007fff56d29050 RSI: 00000000c0406469 RDI: 0000000000000003
[   60.046129] RBP: 00007fff56d29050 R08: 000055ecc4cd27d0 R09: 00007feb2bda8600
[   60.046154] R10: 0000000000000073 R11: 0000000000000246 R12: 00000000c0406469
[   60.046177] R13: 0000000000000003 R14: 000000000000000f R15: 0000000000000099
[   60.046203] Object at ffff880348c9e680, in cache i915_dependency size: 64
[   60.046225] Allocated:
[   60.046246] PID = 530
[   60.046269]  save_stack_trace+0x1b/0x20
[   60.046292]  save_stack+0x46/0xd0
[   60.046318]  kasan_kmalloc+0xad/0xe0
[   60.046343]  kasan_slab_alloc+0x12/0x20
[   60.046368]  kmem_cache_alloc+0xab/0x650
[   60.046445]  i915_gem_request_await_request+0x88/0x370 [i915]
[   60.046559]  i915_gem_request_await_dma_fence+0x129/0x140 [i915]
[   60.046705]  i915_gem_do_execbuffer.isra.37+0xb0a/0x26b0 [i915]
[   60.046849]  i915_gem_execbuffer2+0xdb/0x2a0 [i915]
[   60.046936]  drm_ioctl+0x359/0x640 [drm]
[   60.046987]  do_vfs_ioctl+0x12e/0x910
[   60.047038]  SyS_ioctl+0x41/0x70
[   60.047090]  entry_SYSCALL_64_fastpath+0x17/0x98
[   60.047139] Freed:
[   60.047179] PID = 530
[   60.047223]  save_stack_trace+0x1b/0x20
[   60.047269]  save_stack+0x46/0xd0
[   60.047317]  kasan_slab_free+0x72/0xc0
[   60.047366]  kmem_cache_free+0x39/0x160
[   60.047512]  i915_gem_request_retire+0x83f/0x930 [i915]
[   60.047657]  i915_gem_request_alloc+0x166/0x600 [i915]
[   60.047799]  i915_gem_do_execbuffer.isra.37+0xad8/0x26b0 [i915]
[   60.047897]  i915_gem_execbuffer2+0xdb/0x2a0 [i915]
[   60.047942]  drm_ioctl+0x359/0x640 [drm]
[   60.047968]  do_vfs_ioctl+0x12e/0x910
[   60.047993]  SyS_ioctl+0x41/0x70
[   60.048019]  entry_SYSCALL_64_fastpath+0x17/0x98
[   60.048044] Memory state around the buggy address:
[   60.048066]  ffff880348c9e580: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[   60.048105]  ffff880348c9e600: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[   60.048138] >ffff880348c9e680: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   60.048170]                                ^
[   60.048191]  ffff880348c9e700: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[   60.048225]  ffff880348c9e780: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc

Note to hit the use-after-free requires us to be passed back a request
via a fence-array, that is from explicit fencing accumulated into a
sync-file fence-array.

Fixes: 52e5420907 ("drm/i915/scheduler: Record all dependencies upon request construction")
Testcase: igt/gem_exec_fence/expired-history
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Reviewed-by: Michał Winiarski <michal.winiarski@intel.com>
Reviewed-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
Cc: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
Link: http://patchwork.freedesktop.org/patch/msgid/20170422081537.6468-1-chris@chris-wilson.co.uk
(cherry picked from commit ade0b0c965)
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
2017-04-26 16:28:47 +03:00
..
amd Merge tag 'drm-misc-next-2017-04-07' of git://anongit.freedesktop.org/git/drm-misc into drm-next 2017-04-11 07:41:10 +10:00
arc drm: remove drm_vblank_no_hw_counter assignment from driver code 2017-02-07 21:43:55 +01:00
arm drm: convert drivers to use of_graph_get_remote_node 2017-04-06 17:00:27 -04:00
armada drm: Add acquire ctx parameter to ->page_flip(_target) 2017-03-29 09:50:38 +02:00
ast Merge tag 'drm-misc-next-2017-04-07' of git://anongit.freedesktop.org/git/drm-misc into drm-next 2017-04-11 07:41:10 +10:00
atmel-hlcdc drm: convert drivers to use drm_of_find_panel_or_bridge 2017-04-06 17:00:27 -04:00
bochs drm/ttm: add io_mem_pfn callback 2017-04-04 23:33:42 -04:00
bridge drm: bridge: analogix: Destroy connector & encoder when unbinding 2017-04-07 13:28:32 -04:00
cirrus Merge tag 'drm-misc-next-2017-04-07' of git://anongit.freedesktop.org/git/drm-misc into drm-next 2017-04-11 07:41:10 +10:00
etnaviv Linux 4.11-rc6 2017-04-11 07:40:42 +10:00
exynos drm: convert drivers to use drm_of_find_panel_or_bridge 2017-04-06 17:00:27 -04:00
fsl-dcu drm: convert drivers to use drm_of_find_panel_or_bridge 2017-04-06 17:00:27 -04:00
gma500 drm: Add acquire ctx to ->gamma_set hook 2017-04-06 10:21:55 +02:00
hisilicon drm: convert drivers to use drm_of_find_panel_or_bridge 2017-04-06 17:00:27 -04:00
i2c
i810 drm/i810: drop device_is_agp callback 2017-01-26 10:44:43 +01:00
i915 drm/i915: Confirm the request is still active before adding it to the await 2017-04-26 16:28:47 +03:00
imx Merge tag 'drm-misc-next-2017-04-07' of git://anongit.freedesktop.org/git/drm-misc into drm-next 2017-04-11 07:41:10 +10:00
lib drm: Add a simple generator of random permutations 2016-12-27 12:34:00 +01:00
mediatek Merge tag 'drm-misc-next-2017-04-07' of git://anongit.freedesktop.org/git/drm-misc into drm-next 2017-04-11 07:41:10 +10:00
meson drm: convert drivers to use of_graph_get_remote_node 2017-04-06 17:00:27 -04:00
mga lib/vsprintf.c: remove %Z support 2017-02-27 18:43:47 -08:00
mgag200 Merge tag 'drm-misc-next-2017-04-07' of git://anongit.freedesktop.org/git/drm-misc into drm-next 2017-04-11 07:41:10 +10:00
msm Merge branch 'msm-next' of git://people.freedesktop.org/~robclark/linux into drm-next 2017-04-11 07:47:02 +10:00
mxsfb drm: convert drivers to use drm_of_find_panel_or_bridge 2017-04-06 17:00:27 -04:00
nouveau Merge tag 'drm-misc-next-2017-04-07' of git://anongit.freedesktop.org/git/drm-misc into drm-next 2017-04-11 07:41:10 +10:00
omapdrm drm: omap: use common OF graph helpers 2017-04-06 17:00:27 -04:00
panel drm/panel: Changes for v4.12-rc1 2017-04-13 06:17:40 +10:00
qxl drm/ttm: add io_mem_pfn callback 2017-04-04 23:33:42 -04:00
r128 gpu: drm: drivers: Convert printk(KERN_<LEVEL> to pr_<level> 2017-03-01 09:44:11 +01:00
radeon Merge tag 'drm-misc-next-2017-04-07' of git://anongit.freedesktop.org/git/drm-misc into drm-next 2017-04-11 07:41:10 +10:00
rcar-du drm: rcar-du: Add HDMI outputs to R8A7795 device description 2017-04-04 17:04:21 +03:00
rockchip drm/rockchip: Shutdown all crtcs when unbinding drm 2017-04-07 13:28:32 -04:00
savage drm: Change the return type of the unload hook to void 2017-01-09 11:25:22 +01:00
selftests drm: kselftest: fix spelling mistake: "misalinged" -> "misaligned" 2017-02-26 22:54:47 +01:00
shmobile drm: Add acquire ctx parameter to ->page_flip(_target) 2017-03-29 09:50:38 +02:00
sis drm: Improve drm_mm search (and fix topdown allocation) with rbtrees 2017-02-03 11:10:32 +01:00
sti drm: Create DEFINE_DRM_GEM_CMA_FOPS and roll it out to drivers 2017-03-14 14:38:34 +01:00
sun4i drm: convert drivers to use drm_of_find_panel_or_bridge 2017-04-06 17:00:27 -04:00
tdfx
tegra drm/tegra: Don't use modeset_lock_crtc 2017-03-27 17:50:47 +02:00
tilcdc drm: convert drivers to use of_graph_get_remote_node 2017-04-06 17:00:27 -04:00
tinydrm drm/atomic: Introduce drm_atomic_helper_shutdown 2017-03-27 09:43:58 +02:00
ttm Linux 4.11-rc6 2017-04-11 07:40:42 +10:00
udl drm: Add acquire ctx parameter to ->page_flip(_target) 2017-03-29 09:50:38 +02:00
vc4 Linux 4.11-rc6 2017-04-11 07:40:42 +10:00
vgem Pointer for Markus's image conversion work. 2017-03-14 15:07:33 +01:00
via drm/via: use get_user_pages_unlocked() 2017-02-28 10:00:50 +01:00
virtio Merge tag 'drm-misc-next-2017-04-07' of git://anongit.freedesktop.org/git/drm-misc into drm-next 2017-04-11 07:41:10 +10:00
vmwgfx Merge tag 'drm-misc-next-2017-04-07' of git://anongit.freedesktop.org/git/drm-misc into drm-next 2017-04-11 07:41:10 +10:00
zte drm: zte: remove leftover 'inf' from struct zx_hdmi 2017-03-22 13:44:42 +08:00
ati_pcigart.c
drm_agpsupport.c drm/i810: drop device_is_agp callback 2017-01-26 10:44:43 +01:00
drm_atomic_helper.c drm/atomic: Add connector atomic_check function, v2. 2017-04-06 17:00:27 -04:00
drm_atomic.c drm: extract legacy framebuffer remove 2017-04-06 10:22:43 +02:00
drm_auth.c drm/core: Use recommened kerneldoc for struct member refs 2017-01-25 16:22:42 +01:00
drm_blend.c drm/blend: Use new atomic iterator macros. 2017-03-06 11:43:43 +01:00
drm_bridge.c drm/bridge: Use recommened kerneldoc for struct member refs 2017-01-02 09:17:26 +01:00
drm_bufs.c
drm_cache.c gpu: drm: core: Convert printk(KERN_<LEVEL> to pr_<level> 2017-02-28 14:32:19 +01:00
drm_color_mgmt.c drm/atomic-helper: Remove legacy backoff hack from gamma_set 2017-04-06 10:22:35 +02:00
drm_connector.c drm: Rename connector list iterator API 2017-02-28 16:16:48 +01:00
drm_context.c
drm_crtc_helper_internal.h
drm_crtc_helper.c drm: Add acquire ctx parameter to ->set_config 2017-03-29 09:56:25 +02:00
drm_crtc_internal.h drm: extract legacy framebuffer remove 2017-04-06 10:22:43 +02:00
drm_crtc.c drm: Take mode_config.mutex in setcrtc ioctl 2017-04-06 22:49:50 +02:00
drm_debugfs_crc.c Revert "drm: Don't allow interruptions when opening debugfs/crc" 2017-04-07 16:18:28 -04:00
drm_debugfs.c drm/debugfs: Add kerneldoc 2017-03-24 09:36:06 +01:00
drm_dma.c
drm_dp_aux_dev.c
drm_dp_dual_mode_helper.c drm: Add name for DRM_DP_DUAL_MODE_LSPCON 2017-02-23 11:06:12 -05:00
drm_dp_helper.c drm/dp: Add missing description to parameter 2017-03-07 16:38:16 -05:00
drm_dp_mst_topology.c drm/dp: Split drm_dp_mst_allocate_vcpi 2017-03-22 21:47:44 +01:00
drm_drv.c Linux 4.10-rc8 2017-02-23 12:10:12 +10:00
drm_dumb_buffers.c drm/kms-core: Use recommened kerneldoc for struct member refs 2017-01-25 16:30:34 +01:00
drm_edid_load.c drm: move edid property update and add modes out of edid firmware loader 2017-02-21 15:41:24 +02:00
drm_edid.c Linux 4.11-rc3 2017-03-23 12:05:13 +10:00
drm_encoder_slave.c drm/kms-core: Use recommened kerneldoc for struct member refs 2017-01-25 16:30:34 +01:00
drm_encoder.c drm: Rename connector list iterator API 2017-02-28 16:16:48 +01:00
drm_fb_cma_helper.c drm: Add mode_config .get_format_info() hook 2017-03-22 19:45:00 +02:00
drm_fb_helper.c drm/fb-helper: Extract _legacy kms functions 2017-04-06 10:23:06 +02:00
drm_file.c drm/gem: Add DEFINE_DRM_GEM_FOPS 2017-03-14 14:38:34 +01:00
drm_flip_work.c
drm_fourcc.c Merge branch 'drm-next' of git://people.freedesktop.org/~airlied/linux into drm-misc-next 2017-03-23 08:15:55 +01:00
drm_framebuffer.c drm: extract legacy framebuffer remove 2017-04-06 10:22:43 +02:00
drm_gem_cma_helper.c Pointer for Markus's image conversion work. 2017-03-14 15:07:33 +01:00
drm_gem.c drm: Introduce drm_gem_object_{get,put}() 2017-02-28 16:16:43 +01:00
drm_global.c drm: Update TTM initialization documentation 2016-12-30 12:52:10 +01:00
drm_hashtab.c
drm_info.c locking/atomic, kref: Add kref_read() 2017-01-14 11:37:18 +01:00
drm_internal.h drm/debugfs: Add kerneldoc 2017-03-24 09:36:06 +01:00
drm_ioc32.c drm: document drm_ioctl.[hc] 2017-04-04 20:47:54 +02:00
drm_ioctl.c drm: Pass CRTC ID in userspace vblank events 2017-04-04 20:59:12 +01:00
drm_irq.c drm: Pass CRTC ID in userspace vblank events 2017-04-04 20:59:12 +01:00
drm_kms_helper_common.c drm: Remove drmP.h include from drm_kms_helper_common.c 2017-03-09 16:18:02 +01:00
drm_legacy.h drm: compile drm_vm.c only when needed 2017-01-06 11:03:07 +01:00
drm_lock.c sched/headers: Prepare for new header dependencies before moving code to <linux/sched/signal.h> 2017-03-02 08:42:29 +01:00
drm_memory.c
drm_mipi_dsi.c
drm_mm.c drm: Micro-optimise drm_mm_for_each_node_in_range() 2017-02-06 16:57:37 +01:00
drm_mode_config.c drm: Rename connector list iterator API 2017-02-28 16:16:48 +01:00
drm_mode_object.c Pointer for Markus's image conversion work. 2017-03-14 15:07:33 +01:00
drm_modes.c drm: Rename drm_mode_object_get() 2017-02-28 16:14:53 +01:00
drm_modeset_helper.c drm: Add mode_config .get_format_info() hook 2017-03-22 19:45:00 +02:00
drm_modeset_lock.c drm: Remove drm_modeset_legacy_acquire_ctx and crtc->acquire_ctx 2017-04-05 09:26:45 +02:00
drm_of.c drm: of: introduce drm_of_find_panel_or_bridge 2017-04-06 17:00:27 -04:00
drm_panel.c drm/panel: Constify device node argument to of_drm_find_panel() 2017-01-04 08:30:37 +01:00
drm_pci.c drm: Extract drm_pci.h 2017-03-09 16:18:02 +01:00
drm_plane_helper.c drm: Add acquire ctx parameter to ->set_config 2017-03-29 09:56:25 +02:00
drm_plane.c drm: Only take cursor locks when the cursor plane exists 2017-04-07 13:28:32 -04:00
drm_prime.c drm: Extract drm_prime.h 2017-03-09 16:18:02 +01:00
drm_print.c drm: drm_printer: add __printf validation 2017-02-26 21:43:08 +01:00
drm_probe_helper.c drm/atomic: Acquire connection_mutex lock in drm_helper_probe_single_connector_modes, v4. 2017-04-06 21:29:23 +02:00
drm_property.c drm: Drop modeset_lock_all from the getproperty ioctl 2017-04-05 09:27:16 +02:00
drm_rect.c drm/rect: Fix formatting of example code 2016-12-30 13:35:54 +01:00
drm_scatter.c
drm_scdc_helper.c drm/edid: detect SCDC support in HF-VSDB 2017-03-21 10:15:56 +02:00
drm_simple_kms_helper.c drm: Clarify the role of plane_state argument to drm_simple update(). 2017-03-30 12:02:00 -07:00
drm_sysfs.c drm: Consolidate and document sysfs support 2017-04-04 20:47:54 +02:00
drm_trace_points.c
drm_trace.h drm: Remove drm_pending_event->pid 2017-03-14 14:38:33 +01:00
drm_vm.c drm: remove unnecessary fault wrappers 2017-02-24 17:46:55 -08:00
drm_vma_manager.c drm: Improve drm_mm search (and fix topdown allocation) with rbtrees 2017-02-03 11:10:32 +01:00
Kconfig drm/fb-helper: Add multi buffer support for cma fbdev 2017-02-26 22:11:37 +01:00
Makefile drm: Add SCDC helpers 2017-03-21 10:15:39 +02:00