fc173ae6dd
Driver code did not remove event from the list of pending events before destroy. As a result drm core later tried to inspect invalid memory location. The patch replaces removal code with call to core helper. The bug was detected using KASAN: [ 10.107249] ================================================================== [ 10.107518] BUG: KASAN: use-after-free in drm_release+0xe9c/0x1000 at addr ffffffc089154a18 [ 10.107784] Read of size 8 by task modetest/103 [ 10.107931] ============================================================================= [ 10.113191] BUG kmalloc-128 (Not tainted): kasan: bad access detected [ 10.119608] ----------------------------------------------------------------------------- [ 10.119608] [ 10.129243] Disabling lock debugging due to kernel taint [ 10.134551] INFO: Allocated in drm_mode_page_flip_ioctl+0x500/0xa98 age=4 cpu=0 pid=103 [ 10.142532] alloc_debug_processing+0x18c/0x198 [ 10.147043] ___slab_alloc.constprop.28+0x360/0x380 [ 10.151906] __slab_alloc.isra.25.constprop.27+0x54/0xa0 [ 10.157197] kmem_cache_alloc_trace+0x370/0x3b0 [ 10.161709] drm_mode_page_flip_ioctl+0x500/0xa98 [ 10.166400] drm_ioctl+0x4c4/0xb68 [ 10.169787] do_vfs_ioctl+0x16c/0xeb8 [ 10.173429] SyS_ioctl+0x8c/0xa0 [ 10.176642] el0_svc_naked+0x24/0x28 [ 10.180204] INFO: Freed in exynos_drm_crtc_cancel_page_flip+0xe0/0x160 age=0 cpu=0 pid=103 [ 10.188447] free_debug_processing+0x174/0x388 [ 10.192871] __slab_free+0x2e8/0x438 [ 10.196431] kfree+0x350/0x360 [ 10.199469] exynos_drm_crtc_cancel_page_flip+0xe0/0x160 [ 10.204762] exynos_drm_preclose+0x58/0xa0 [ 10.208844] drm_release+0x1f0/0x1000 [ 10.212491] __fput+0x1c4/0x5b8 [ 10.215613] ____fput+0xc/0x18 [ 10.218654] task_work_run+0x130/0x198 [ 10.222385] do_exit+0x700/0x2278 [ 10.225681] do_group_exit+0xe4/0x2c8 [ 10.229327] SyS_exit_group+0x1c/0x20 [ 10.232973] el0_svc_naked+0x24/0x28 [ 10.236532] INFO: Slab 0xffffffbdc2a45500 objects=32 used=10 fp=0xffffffc089154a00 flags=0x4080 [ 10.245210] INFO: Object 
0xffffffc089154a00 @offset=2560 fp=0xffffffc089157600 [ 10.245210] ... [ 10.384532] CPU: 0 PID: 103 Comm: modetest Tainted: G B 4.5.0-rc3-00748-gd5e2881 #271 [ 10.398325] Call trace: [ 10.400764] [<ffffffc000091428>] dump_backtrace+0x0/0x328 [ 10.406141] [<ffffffc000091764>] show_stack+0x14/0x20 [ 10.411176] [<ffffffc00089c550>] dump_stack+0xb0/0xe8 [ 10.416210] [<ffffffc000395778>] print_trailer+0xf8/0x160 [ 10.421592] [<ffffffc00039b5cc>] object_err+0x3c/0x50 [ 10.426626] [<ffffffc00039d630>] kasan_report_error+0x248/0x550 [ 10.432527] [<ffffffc00039da50>] __asan_report_load8_noabort+0x40/0x48 [ 10.439039] [<ffffffc000b5b724>] drm_release+0xe9c/0x1000 [ 10.444419] [<ffffffc0003d340c>] __fput+0x1c4/0x5b8 [ 10.449280] [<ffffffc0003d3884>] ____fput+0xc/0x18 [ 10.454055] [<ffffffc000101aa8>] task_work_run+0x130/0x198 [ 10.459522] [<ffffffc0000bc058>] do_exit+0x700/0x2278 [ 10.464557] [<ffffffc0000bdcfc>] do_group_exit+0xe4/0x2c8 [ 10.469939] [<ffffffc0000bdefc>] SyS_exit_group+0x1c/0x20 [ 10.475320] [<ffffffc000087530>] el0_svc_naked+0x24/0x28 Signed-off-by: Andrzej Hajda <a.hajda@samsung.com> Signed-off-by: Inki Dae <inki.dae@samsung.com>
/* exynos_drm_crtc.c
 *
 * Copyright (c) 2011 Samsung Electronics Co., Ltd.
 * Authors:
 *	Inki Dae <inki.dae@samsung.com>
 *	Joonyoung Shim <jy0922.shim@samsung.com>
 *	Seung-Woo Kim <sw0312.kim@samsung.com>
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the
 * Free Software Foundation; either version 2 of the License, or (at your
 * option) any later version.
 */

#include <drm/drmP.h>
#include <drm/drm_crtc_helper.h>
#include <drm/drm_atomic.h>
#include <drm/drm_atomic_helper.h>
#include "exynos_drm_crtc.h"
#include "exynos_drm_drv.h"
#include "exynos_drm_plane.h"
/*
 * drm_crtc_helper_funcs .enable hook.
 *
 * Hands the enable request to the SoC-specific ops (if the backend provides
 * one) and only then turns vblank handling on for this CRTC.
 */
static void exynos_drm_crtc_enable(struct drm_crtc *crtc)
{
	struct exynos_drm_crtc *exynos_crtc = to_exynos_crtc(crtc);
	const struct exynos_drm_crtc_ops *ops = exynos_crtc->ops;

	if (ops->enable)
		ops->enable(exynos_crtc);

	/* vblank is enabled after the hardware path is up, not before */
	drm_crtc_vblank_on(crtc);
}
/*
 * drm_crtc_helper_funcs .disable hook.
 *
 * Mirror image of exynos_drm_crtc_enable(): vblank is switched off first so
 * no vblank event can be delivered while the backend tears the CRTC down,
 * then the SoC-specific disable op runs (if present).
 */
static void exynos_drm_crtc_disable(struct drm_crtc *crtc)
{
	struct exynos_drm_crtc *exynos_crtc = to_exynos_crtc(crtc);
	const struct exynos_drm_crtc_ops *ops = exynos_crtc->ops;

	drm_crtc_vblank_off(crtc);

	if (!ops->disable)
		return;

	ops->disable(exynos_crtc);
}
/*
 * drm_crtc_helper_funcs .mode_set_nofb hook.
 *
 * Forwards the mode programming step to the backend's commit op. Backends
 * without a commit op get nothing to do here.
 */
static void
exynos_drm_crtc_mode_set_nofb(struct drm_crtc *crtc)
{
	struct exynos_drm_crtc *exynos_crtc = to_exynos_crtc(crtc);
	const struct exynos_drm_crtc_ops *ops = exynos_crtc->ops;

	if (!ops->commit)
		return;

	ops->commit(exynos_crtc);
}
/*
 * drm_crtc_helper_funcs .atomic_check hook.
 *
 * A CRTC state that is not enabling the CRTC needs no backend validation and
 * is accepted as-is. Otherwise the decision is delegated to the backend's
 * atomic_check op when one exists; a backend without one accepts everything.
 *
 * Returns 0 on success or the backend's negative error code.
 */
static int exynos_crtc_atomic_check(struct drm_crtc *crtc,
				    struct drm_crtc_state *state)
{
	struct exynos_drm_crtc *exynos_crtc = to_exynos_crtc(crtc);
	const struct exynos_drm_crtc_ops *ops = exynos_crtc->ops;

	/* nothing to validate for a CRTC that is off / being turned off */
	if (!state->enable || !ops->atomic_check)
		return 0;

	return ops->atomic_check(exynos_crtc, state);
}
/*
 * drm_crtc_helper_funcs .atomic_begin hook.
 *
 * Records the pending vblank event carried by the new CRTC state in
 * exynos_crtc->event, where exynos_drm_crtc_finish_update() will later send
 * it (or exynos_drm_crtc_cancel_page_flip() will cancel it), and then lets
 * the backend start its update.
 *
 * @old_crtc_state is not used; the event comes from crtc->state (the new one).
 */
static void exynos_crtc_atomic_begin(struct drm_crtc *crtc,
				     struct drm_crtc_state *old_crtc_state)
{
	struct exynos_drm_crtc *exynos_crtc = to_exynos_crtc(crtc);
	const struct exynos_drm_crtc_ops *ops = exynos_crtc->ops;

	/* the event pointer is consumed later by finish_update / cancel */
	exynos_crtc->event = crtc->state->event;

	if (!ops->atomic_begin)
		return;

	ops->atomic_begin(exynos_crtc);
}
/*
 * drm_crtc_helper_funcs .atomic_flush hook.
 *
 * Lets the backend commit the plane updates queued since atomic_begin.
 * @old_crtc_state is not used.
 */
static void exynos_crtc_atomic_flush(struct drm_crtc *crtc,
				     struct drm_crtc_state *old_crtc_state)
{
	struct exynos_drm_crtc *exynos_crtc = to_exynos_crtc(crtc);
	const struct exynos_drm_crtc_ops *ops = exynos_crtc->ops;

	if (!ops->atomic_flush)
		return;

	ops->atomic_flush(exynos_crtc);
}
/*
 * Helper callbacks for the atomic modeset path. Each entry is a thin wrapper
 * (defined above) that forwards to the SoC backend's exynos_drm_crtc_ops.
 */
static const struct drm_crtc_helper_funcs exynos_crtc_helper_funcs = {
	.enable		= exynos_drm_crtc_enable,
	.disable	= exynos_drm_crtc_disable,
	.mode_set_nofb	= exynos_drm_crtc_mode_set_nofb,
	.atomic_check	= exynos_crtc_atomic_check,
	.atomic_begin	= exynos_crtc_atomic_begin,
	.atomic_flush	= exynos_crtc_atomic_flush,
};
/*
 * drm_crtc_funcs .destroy hook.
 *
 * Unpublishes the CRTC from the per-device pipe table before the core
 * cleanup and the final kfree(), so no lookup by pipe can hand out the
 * memory being released.
 */
static void exynos_drm_crtc_destroy(struct drm_crtc *crtc)
{
	struct exynos_drm_crtc *exynos_crtc = to_exynos_crtc(crtc);
	struct exynos_drm_private *private = crtc->dev->dev_private;
	int pipe = exynos_crtc->pipe;

	/* the slot was filled in exynos_drm_crtc_create() */
	private->crtc[pipe] = NULL;

	drm_crtc_cleanup(crtc);
	kfree(exynos_crtc);
}
/*
 * Core CRTC callbacks. Everything except .destroy is handled by the generic
 * atomic helpers; .destroy is the driver's own so the pipe table can be
 * cleared before the CRTC memory is freed.
 */
static const struct drm_crtc_funcs exynos_crtc_funcs = {
	.set_config	= drm_atomic_helper_set_config,
	.page_flip	= drm_atomic_helper_page_flip,
	.destroy	= exynos_drm_crtc_destroy,
	.reset = drm_atomic_helper_crtc_reset,
	.atomic_duplicate_state = drm_atomic_helper_crtc_duplicate_state,
	.atomic_destroy_state = drm_atomic_helper_crtc_destroy_state,
};
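/**
 * exynos_drm_crtc_create - allocate and register an Exynos CRTC
 * @drm_dev: owning DRM device
 * @plane: primary plane for the new CRTC
 * @pipe: index into the device's private->crtc[] table
 * @type: output type this CRTC drives
 * @ops: SoC backend callbacks
 * @ctx: backend private data
 *
 * Allocates the CRTC, publishes it in private->crtc[pipe] and registers it
 * with the DRM core.
 *
 * On failure the primary plane is destroyed, the pipe slot is cleared again
 * and an ERR_PTR() is returned. Clearing the slot matters: the original code
 * published the CRTC pointer before drm_crtc_init_with_planes() and left it
 * in place when that call failed, so private->crtc[pipe] kept pointing at
 * memory that had just been kfree()d.
 *
 * Return: the new CRTC, or an ERR_PTR() on failure.
 */
struct exynos_drm_crtc *exynos_drm_crtc_create(struct drm_device *drm_dev,
					struct drm_plane *plane,
					int pipe,
					enum exynos_drm_output_type type,
					const struct exynos_drm_crtc_ops *ops,
					void *ctx)
{
	struct exynos_drm_private *private = drm_dev->dev_private;
	struct exynos_drm_crtc *exynos_crtc;
	struct drm_crtc *crtc;
	int ret;

	exynos_crtc = kzalloc(sizeof(*exynos_crtc), GFP_KERNEL);
	if (!exynos_crtc)
		return ERR_PTR(-ENOMEM);

	exynos_crtc->pipe = pipe;
	exynos_crtc->type = type;
	exynos_crtc->ops = ops;
	exynos_crtc->ctx = ctx;

	init_waitqueue_head(&exynos_crtc->wait_update);

	crtc = &exynos_crtc->base;

	/*
	 * NOTE(review): pipe is not range-checked against private->crtc[]
	 * here; callers are trusted to pass a valid index — confirm.
	 */
	private->crtc[pipe] = crtc;

	ret = drm_crtc_init_with_planes(drm_dev, crtc, plane, NULL,
					&exynos_crtc_funcs, NULL);
	if (ret < 0)
		goto err_crtc;

	drm_crtc_helper_add(crtc, &exynos_crtc_helper_funcs);

	return exynos_crtc;

err_crtc:
	/* unpublish before freeing so the table never holds a dangling pointer */
	private->crtc[pipe] = NULL;
	plane->funcs->destroy(plane);
	kfree(exynos_crtc);
	return ERR_PTR(ret);
}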
/**
 * exynos_drm_crtc_enable_vblank - driver .enable_vblank entry point
 * @dev: DRM device
 * @pipe: CRTC index
 *
 * Resolves the CRTC for @pipe and asks its backend to enable vblank
 * interrupts. A backend without an enable_vblank op reports success.
 *
 * Return: 0, or the backend's return value.
 */
int exynos_drm_crtc_enable_vblank(struct drm_device *dev, unsigned int pipe)
{
	struct exynos_drm_crtc *exynos_crtc;
	const struct exynos_drm_crtc_ops *ops;

	exynos_crtc = exynos_drm_crtc_from_pipe(dev, pipe);
	/* NOTE(review): the lookup result is used unchecked, as in the
	 * original — confirm exynos_drm_crtc_from_pipe() cannot return NULL. */
	ops = exynos_crtc->ops;

	if (!ops->enable_vblank)
		return 0;

	return ops->enable_vblank(exynos_crtc);
}
/**
 * exynos_drm_crtc_disable_vblank - driver .disable_vblank entry point
 * @dev: DRM device
 * @pipe: CRTC index
 *
 * Counterpart of exynos_drm_crtc_enable_vblank(); forwards to the backend's
 * disable_vblank op when one exists.
 */
void exynos_drm_crtc_disable_vblank(struct drm_device *dev, unsigned int pipe)
{
	struct exynos_drm_crtc *exynos_crtc;
	const struct exynos_drm_crtc_ops *ops;

	exynos_crtc = exynos_drm_crtc_from_pipe(dev, pipe);
	ops = exynos_crtc->ops;

	if (!ops->disable_vblank)
		return;

	ops->disable_vblank(exynos_crtc);
}
/**
 * exynos_drm_crtc_wait_pending_update - wait for queued plane updates
 * @exynos_crtc: CRTC whose pending_update counter is watched
 *
 * Sleeps until pending_update drops to zero or 50 ms pass, whichever comes
 * first. The timeout is deliberately tolerated: the return value of
 * wait_event_timeout() is not inspected, so a stuck update does not block
 * the caller indefinitely.
 */
void exynos_drm_crtc_wait_pending_update(struct exynos_drm_crtc *exynos_crtc)
{
	unsigned long timeout = msecs_to_jiffies(50);

	wait_event_timeout(exynos_crtc->wait_update,
			   atomic_read(&exynos_crtc->pending_update) == 0,
			   timeout);
}
/**
 * exynos_drm_crtc_finish_update - complete one plane's queued update
 * @exynos_crtc: CRTC the plane belongs to
 * @exynos_plane: plane whose update has landed
 *
 * Drops the plane's pending framebuffer reference marker, decrements the
 * CRTC's pending_update counter (waking exynos_drm_crtc_wait_pending_update()
 * when it reaches zero) and, under event_lock, delivers the vblank event
 * recorded by exynos_crtc_atomic_begin(), if any. The event slot is always
 * cleared afterwards so the same event cannot be sent twice.
 */
void exynos_drm_crtc_finish_update(struct exynos_drm_crtc *exynos_crtc,
				   struct exynos_drm_plane *exynos_plane)
{
	struct drm_crtc *crtc = &exynos_crtc->base;
	struct drm_device *dev = crtc->dev;
	struct drm_pending_vblank_event *event;
	unsigned long flags;

	exynos_plane->pending_fb = NULL;

	/* last outstanding plane update -> release any waiter */
	if (atomic_dec_and_test(&exynos_crtc->pending_update))
		wake_up(&exynos_crtc->wait_update);

	spin_lock_irqsave(&dev->event_lock, flags);

	/* detach first; the event is ours once the slot is cleared */
	event = exynos_crtc->event;
	exynos_crtc->event = NULL;
	if (event)
		drm_crtc_send_vblank_event(crtc, event);

	spin_unlock_irqrestore(&dev->event_lock, flags);
}
/**
 * exynos_drm_crtc_get_pipe_from_type - find the pipe driving an output type
 * @drm_dev: DRM device whose CRTC list is searched
 * @out_type: output type to look for
 *
 * Walks mode_config.crtc_list and returns the pipe index of the first CRTC
 * registered with @out_type.
 *
 * Return: pipe index, or -EPERM when no CRTC of that type exists.
 */
int exynos_drm_crtc_get_pipe_from_type(struct drm_device *drm_dev,
					enum exynos_drm_output_type out_type)
{
	struct drm_crtc *crtc;
	struct exynos_drm_crtc *exynos_crtc;

	list_for_each_entry(crtc, &drm_dev->mode_config.crtc_list, head) {
		exynos_crtc = to_exynos_crtc(crtc);
		if (exynos_crtc->type != out_type)
			continue;
		return exynos_crtc->pipe;
	}

	/* historical error code kept for callers that test for it */
	return -EPERM;
}
/**
 * exynos_drm_crtc_te_handler - forward a tearing-effect signal to the backend
 * @crtc: CRTC that received the TE signal
 *
 * Backends without a te_handler op ignore the signal.
 */
void exynos_drm_crtc_te_handler(struct drm_crtc *crtc)
{
	struct exynos_drm_crtc *exynos_crtc = to_exynos_crtc(crtc);
	const struct exynos_drm_crtc_ops *ops = exynos_crtc->ops;

	if (!ops->te_handler)
		return;

	ops->te_handler(exynos_crtc);
}
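/**
 * exynos_drm_crtc_cancel_page_flip - drop a pending flip event owned by @file
 * @crtc: CRTC whose pending event is inspected
 * @file: DRM file being closed
 *
 * Called from the driver's preclose path. If the vblank event recorded in
 * exynos_crtc->event belongs to @file, it is detached under event_lock, the
 * pending_update count it represented is given back, and the event is then
 * handed to drm_event_cancel_free() so the core both unlinks it from the
 * file's pending-event list and frees it. Doing the unlink through the core
 * helper (rather than a bare kfree()) is what keeps drm_release() from later
 * walking freed memory.
 *
 * The ownership test is evaluated exactly once, while event_lock is held;
 * the original re-read e->base.file_priv after the lock had been dropped.
 */
void exynos_drm_crtc_cancel_page_flip(struct drm_crtc *crtc,
				      struct drm_file *file)
{
	struct exynos_drm_crtc *exynos_crtc = to_exynos_crtc(crtc);
	struct drm_pending_vblank_event *e;
	bool owned = false;
	unsigned long flags;

	spin_lock_irqsave(&crtc->dev->event_lock, flags);

	e = exynos_crtc->event;
	/* decide and detach atomically, under the lock guarding ->event */
	if (e && e->base.file_priv == file) {
		owned = true;
		exynos_crtc->event = NULL;
		atomic_dec(&exynos_crtc->pending_update);
	}

	spin_unlock_irqrestore(&crtc->dev->event_lock, flags);

	/* the core helper does its own locking, so it runs with the lock dropped */
	if (owned)
		drm_event_cancel_free(crtc->dev, &e->base);
}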