leandrof/linux
1
0
Fork 0
forked from Minki/linux
Code Issues Pull Requests Packages Projects Releases Wiki Activity
b74ad5ae14
linux/drivers/gpu/drm
History
Chris Wilson b74ad5ae14 drm: Fix use-after-free in drm_gem_vm_close() 
As we may release the last reference, we need to store the device in a
local variable in order to unlock afterwards.

[   60.140768] BUG: unable to handle kernel paging request at 6b6b6b9f
[   60.140973] IP: [<c1536d11>] __mutex_unlock_slowpath+0x5a/0x111
[   60.141014] *pdpt = 0000000024a54001 *pde = 0000000000000000
[   60.141014] Oops: 0002 [#1] PREEMPT SMP
[   60.141014] last sysfs file: /sys/devices/LNXSYSTM:00/device:00/PNP0A08:00/PNP0C0A:00/power_supply/BAT0/voltage_now
[   60.141014] Modules linked in: uvcvideo ath9k pegasus ath9k_common ath9k_hw hid_egalax ath3k joydev asus_laptop sparse_keymap battery input_polldev
[   60.141014]
[   60.141014] Pid: 771, comm: meego-ux-daemon Not tainted 2.6.37.2-7.1 #1 EXOPC EXOPG06411/EXOPG06411
[   60.141014] EIP: 0060:[<c1536d11>] EFLAGS: 00010046 CPU: 0
[   60.141014] EIP is at __mutex_unlock_slowpath+0x5a/0x111
[   60.141014] EAX: 00000100 EBX: 6b6b6b9b ECX: e9b4a1b0 EDX: e4a4e580
[   60.141014] ESI: db162558 EDI: 00000246 EBP: e480be50 ESP: e480be44
[   60.141014]  DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
[   60.141014] Process meego-ux-daemon (pid: 771, ti=e480a000 task=e9b4a1b0 task.ti=e480a000)
[   60.141014] Stack:
[   60.141014]  e4a4e580 db162558 f5a2f838 e480be58 c1536dd0 e480be68 c125ab1b db162558
[   60.141014]  db1624e0 e480be78 c10ba071 db162558 f760241c e480be94 c10bb0bc 000155fe
[   60.141014]  f760241c f5a2f838 f5a2f8c8 00000000 e480bea4 c1037c24 00000000 f5a2f838
[   60.141014] Call Trace:
[   60.141014]  [<c1536dd0>] ? mutex_unlock+0x8/0xa
[   60.141014]  [<c125ab1b>] ? drm_gem_vm_close+0x39/0x3d
[   60.141014]  [<c10ba071>] ? remove_vma+0x2d/0x58
[   60.141014]  [<c10bb0bc>] ? exit_mmap+0x126/0x13f
[   60.141014]  [<c1037c24>] ? mmput+0x37/0x9a
[   60.141014]  [<c10d450d>] ? exec_mmap+0x178/0x19c
[   60.141014]  [<c1537f85>] ? _raw_spin_unlock+0x1d/0x36
[   60.141014]  [<c10d4eb0>] ? flush_old_exec+0x42/0x75
[   60.141014]  [<c1104442>] ? load_elf_binary+0x32a/0x922
[   60.141014]  [<c10d3f76>] ? search_binary_handler+0x200/0x2ea
[   60.141014]  [<c10d3ecf>] ? search_binary_handler+0x159/0x2ea
[   60.141014]  [<c1104118>] ? load_elf_binary+0x0/0x922
[   60.141014]  [<c10d56b2>] ? do_execve+0x1ff/0x2e6
[   60.141014]  [<c100970e>] ? sys_execve+0x2d/0x55
[   60.141014]  [<c1002a5a>] ? ptregs_execve+0x12/0x18
[   60.141014]  [<c10029dc>] ? sysenter_do_call+0x12/0x3c
[   60.141014]  [<c1530000>] ? init_centaur+0x9c/0x1ba
[   60.141014] Code: c1 00 75 0f ba 38 01 00 00 b8 8c 3a 6c c1 e8 cc 2e b0 ff 9c 58 8d 74 26 00 89 c7 fa 90 8d 74 26 00 e8 d2 b4 b2 ff b8 00 01 00 00 <f0> 66 0f c1 43 04 38 e0 74 07 f3 90 8a 43 04 eb f5 83 3d 64 ef
[   60.141014] EIP: [<c1536d11>] __mutex_unlock_slowpath+0x5a/0x111 SS:ESP 0068:e480be44
[   60.141014] CR2: 000000006b6b6b9f

Reported-by: Rusty Lynch <rusty.lynch@intel.com>
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: stable@kernel.org
Signed-off-by: Dave Airlie <airlied@redhat.com>
2011-03-21 09:15:22 +10:00
..
i2c drm/i2c/ch7006: Don't use POWER_LEVEL_FULL_POWER_OFF on early chip versions. 2010-08-09 15:16:23 +10:00
i810 drm: rework PCI/platform driver interface. 2011-02-07 13:09:36 +10:00
i915 Merge commit '5359533801e3dd3abca5b7d3d985b0b33fd9fe8b' into drm-core-next 2011-03-16 11:34:41 +10:00
mga drm: rework PCI/platform driver interface. 2011-02-07 13:09:36 +10:00
nouveau Merge commit '5359533801e3dd3abca5b7d3d985b0b33fd9fe8b' into drm-core-next 2011-03-16 11:34:41 +10:00
r128 drm: rework PCI/platform driver interface. 2011-02-07 13:09:36 +10:00
radeon drm/radeon: fixup refcounts in radeon dumb create ioctl. 2011-03-17 13:58:34 +10:00
savage drm: rework PCI/platform driver interface. 2011-02-07 13:09:36 +10:00
sis drm: rework PCI/platform driver interface. 2011-02-07 13:09:36 +10:00
tdfx drm: rework PCI/platform driver interface. 2011-02-07 13:09:36 +10:00
ttm Revert "ttm: Include the 'struct dev' when using the DMA API." 2011-02-23 14:24:01 +10:00
via drm: rework PCI/platform driver interface. 2011-02-07 13:09:36 +10:00
vmwgfx Revert "ttm: Include the 'struct dev' when using the DMA API." 2011-02-23 14:24:01 +10:00
ati_pcigart.c drm/radeon: Fix pci_map_page() error checking 2010-08-12 09:38:29 +10:00
drm_agpsupport.c drm: kill drm_agp_chipset_flush 2010-11-23 20:14:44 +00:00
drm_auth.c drivers/gpu/drm: Use kzalloc 2010-05-18 15:57:05 +10:00
drm_buffer.c drm: fix trivial coding errors 2010-09-24 10:10:23 +10:00
drm_bufs.c DRM: Replace kmalloc/memset combos with kzalloc 2010-08-12 09:12:30 +10:00
drm_cache.c
drm_context.c drm: kill context_ctor callback 2010-08-30 09:38:25 +10:00
drm_crtc_helper.c Merge branch 'drm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/airlied/drm-2.6 2011-02-04 10:02:22 -08:00
drm_crtc.c drm: dumb scanout create/mmap for intel/radeon (v3) 2011-02-07 12:16:14 +10:00
drm_debugfs.c drm: Move the GTT accounting to i915 2010-10-01 14:45:20 +01:00
drm_dma.c drivers/gpu/drm: Use kzalloc 2010-05-18 15:57:05 +10:00
drm_dp_i2c_helper.c
drm_drv.c drm/core: add ioctl to query device/driver capabilities 2011-03-04 14:47:30 +10:00
drm_edid_modes.h drm: Mark constant arrays of drm_display_mode const 2011-02-23 11:13:11 +10:00
drm_edid.c drm: Retry i2c transfer of EDID block after failure 2011-03-16 11:25:13 +10:00
drm_encoder_slave.c drm/kms: Simplify setup of the initial I2C encoder config. 2010-08-05 09:37:45 +10:00
drm_fb_helper.c Merge commit '5359533801e3dd3abca5b7d3d985b0b33fd9fe8b' into drm-core-next 2011-03-16 11:34:41 +10:00
drm_fops.c drm/switcheroo: track state of switch in drivers. 2011-01-05 13:45:30 +10:00
drm_gem.c drm: Fix use-after-free in drm_gem_vm_close() 2011-03-21 09:15:22 +10:00
drm_global.c drm: move ttm global code to core drm 2010-08-04 09:46:06 +10:00
drm_hashtab.c drm: Remove unused members from struct drm_open_hash 2011-02-23 11:16:40 +10:00
drm_info.c Merge remote branch 'intel/drm-intel-next' of ../drm-next into drm-core-next 2011-03-14 14:15:13 +10:00
drm_ioc32.c
drm_ioctl.c drm: add cap bit to denote if dumb ioctl is available or not. 2011-03-04 15:56:22 +10:00
drm_irq.c Merge remote branch 'intel/drm-intel-next' of ../drm-next into drm-core-next 2011-03-14 14:15:13 +10:00
drm_lock.c drm: readd drm_lock_free in drm_unlock 2010-09-26 13:35:49 +10:00
drm_memory.c drm: kill agp indirection mess 2010-08-30 09:44:40 +10:00
drm_mm.c drm: mm: add helper to unwind scan state 2011-02-23 10:32:57 +10:00
drm_modes.c drm: Mark constant arrays of drm_display_mode const 2011-02-23 11:13:11 +10:00
drm_pci.c drm: rework PCI/platform driver interface. 2011-02-07 13:09:36 +10:00
drm_platform.c drm: rework PCI/platform driver interface. 2011-02-07 13:09:36 +10:00
drm_proc.c drm: Move the GTT accounting to i915 2010-10-01 14:45:20 +01:00
drm_scatter.c drm: don't export drm_sg_alloc 2010-08-30 09:37:43 +10:00
drm_sman.c
drm_stub.c drm: add usb framework 2011-02-07 13:09:42 +10:00
drm_sysfs.c drm: Hold the mode mutex whilst probing for sysfs status 2011-03-16 11:23:04 +10:00
drm_trace_points.c drm: add vblank event trace point 2010-07-02 14:02:44 +10:00
drm_trace.h drm: add per-event vblank event trace points 2010-07-02 14:03:24 +10:00
drm_usb.c drm: add usb framework 2011-02-07 13:09:42 +10:00
drm_vm.c Merge remote branch 'korg/drm-fixes' into drm-vmware-next 2010-10-06 11:10:48 +10:00
Kconfig drm/i810: remove the BKL 2011-02-07 12:15:04 +10:00
Makefile drm: add usb framework 2011-02-07 13:09:42 +10:00
README.drm

README.drm 

************************************************************
* For the very latest on DRI development, please see:      *
*     http://dri.freedesktop.org/                          *
************************************************************

The Direct Rendering Manager (drm) is a device-independent kernel-level
device driver that provides support for the XFree86 Direct Rendering
Infrastructure (DRI).

The DRM supports the Direct Rendering Infrastructure (DRI) in four major
ways:

    1. The DRM provides synchronized access to the graphics hardware via
       the use of an optimized two-tiered lock.

    2. The DRM enforces the DRI security policy for access to the graphics
       hardware by only allowing authenticated X11 clients access to
       restricted regions of memory.

    3. The DRM provides a generic DMA engine, complete with multiple
       queues and the ability to detect the need for an OpenGL context
       switch.

    4. The DRM is extensible via the use of small device-specific modules
       that rely extensively on the API exported by the DRM module.


Documentation on the DRI is available from:
    http://dri.freedesktop.org/wiki/Documentation
    http://sourceforge.net/project/showfiles.php?group_id=387
    http://dri.sourceforge.net/doc/

For specific information about kernel-level support, see:

    The Direct Rendering Manager, Kernel Support for the Direct Rendering
    Infrastructure
    http://dri.sourceforge.net/doc/drm_low_level.html

    Hardware Locking for the Direct Rendering Infrastructure
    http://dri.sourceforge.net/doc/hardware_locking_low_level.html

    A Security Analysis of the Direct Rendering Infrastructure
    http://dri.sourceforge.net/doc/security_low_level.html