linux/drivers/gpu/drm
Chris Wilson dc35b1129c drm/i915: Hold rcu_read_lock when iterating over the radixtree (vma idr)
Kasan spotted

    [IGT] gem_tiled_pread_pwrite: exiting, ret=0
    ==================================================================
    BUG: KASAN: use-after-free in __i915_gem_object_reset_page_iter+0x15c/0x170 [i915]
    Read of size 8 at addr ffff8801359da310 by task kworker/3:2/182

    CPU: 3 PID: 182 Comm: kworker/3:2 Tainted: G     U          4.14.0-rc6-CI-Custom_3340+ #1
    Hardware name: Intel Corp. Geminilake/GLK RVP1 DDR4 (05), BIOS GELKRVPA.X64.0062.B30.1708222146 08/22/2017
    Workqueue: events __i915_gem_free_work [i915]
    Call Trace:
     dump_stack+0x68/0xa0
     print_address_description+0x78/0x290
     ? __i915_gem_object_reset_page_iter+0x15c/0x170 [i915]
     kasan_report+0x23d/0x350
     __asan_report_load8_noabort+0x19/0x20
     __i915_gem_object_reset_page_iter+0x15c/0x170 [i915]
     ? i915_gem_object_truncate+0x100/0x100 [i915]
     ? lock_acquire+0x380/0x380
     __i915_gem_object_put_pages+0x30d/0x530 [i915]
     __i915_gem_free_objects+0x551/0xbd0 [i915]
     ? lock_acquire+0x13e/0x380
     __i915_gem_free_work+0x4e/0x70 [i915]
     process_one_work+0x6f6/0x1590
     ? pwq_dec_nr_in_flight+0x2b0/0x2b0
     worker_thread+0xe6/0xe90
     ? pci_mmcfg_check_reserved+0x110/0x110
     kthread+0x309/0x410
     ? process_one_work+0x1590/0x1590
     ? kthread_create_on_node+0xb0/0xb0
     ret_from_fork+0x27/0x40

    Allocated by task 1801:
     save_stack_trace+0x1b/0x20
     kasan_kmalloc+0xee/0x190
     kasan_slab_alloc+0x12/0x20
     kmem_cache_alloc+0xdc/0x2e0
     radix_tree_node_alloc.constprop.12+0x48/0x330
     __radix_tree_create+0x274/0x480
     __radix_tree_insert+0xa2/0x610
     i915_gem_object_get_sg+0x224/0x670 [i915]
     i915_gem_object_get_page+0xb5/0x1c0 [i915]
     i915_gem_pread_ioctl+0x822/0xf60 [i915]
     drm_ioctl_kernel+0x13f/0x1c0
     drm_ioctl+0x6cf/0x980
     do_vfs_ioctl+0x184/0xf30
     SyS_ioctl+0x41/0x70
     entry_SYSCALL_64_fastpath+0x1c/0xb1

    Freed by task 37:
     save_stack_trace+0x1b/0x20
     kasan_slab_free+0xaf/0x190
     kmem_cache_free+0xbf/0x340
     radix_tree_node_rcu_free+0x79/0x90
     rcu_process_callbacks+0x46d/0xf40
     __do_softirq+0x21c/0x8d3

    The buggy address belongs to the object at ffff8801359da0f0
    which belongs to the cache radix_tree_node of size 576
    The buggy address is located 544 bytes inside of
    576-byte region [ffff8801359da0f0, ffff8801359da330)
    The buggy address belongs to the page:
    page:ffffea0004d67600 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
    flags: 0x8000000000008100(slab|head)
    raw: 8000000000008100 0000000000000000 0000000000000000 0000000100110011
    raw: ffffea0004b52920 ffffea0004b38020 ffff88015b416a80 0000000000000000
    page dumped because: kasan: bad access detected

    Memory state around the buggy address:
     ffff8801359da200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
     ffff8801359da280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
    >ffff8801359da300: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
			     ^
     ffff8801359da380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
     ffff8801359da400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
    ==================================================================
    Disabling lock debugging due to kernel taint

which looks like the slab containing the radixtree iter was freed as we
traversed the tree; taking the rcu read lock across the loop should
prevent that (deferring all the frees until the end).

Reported-by: Tomi Sarvela <tomi.p.sarvela@intel.com>
Fixes: d1b48c1e71 ("drm/i915: Replace execbuf vma ht with an idr")
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20171026130032.10677-2-chris@chris-wilson.co.uk
Reviewed-by: Matthew Auld <matthew.william.auld@gmail.com>
(cherry picked from commit 547da76b57)
Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
2017-10-30 10:17:50 -07:00
amd drm/amd/amdgpu: Remove workaround check for UVD6 on APUs 2017-10-25 09:32:14 -04:00
arc Merge tag 'drm-misc-next-2017-08-16' of git://anongit.freedesktop.org/git/drm-misc into drm-next 2017-08-17 07:33:41 +10:00
arm drm: Nuke drm_atomic_helper_plane_set_property 2017-08-08 14:45:16 +02:00
armada drm: armada: remove dead empty functions 2017-08-04 11:35:34 +02:00
ast Merge tag 'drm-misc-next-2017-08-16' of git://anongit.freedesktop.org/git/drm-misc into drm-next 2017-08-17 07:33:41 +10:00
atmel-hlcdc drm: Nuke drm_atomic_helper_plane_set_property 2017-08-08 14:45:16 +02:00
bochs drm/bochs: Use the drm_driver.dumb_destroy default 2017-08-16 20:18:55 +02:00
bridge main drm pull request for 4.14 merge window 2017-09-03 17:02:26 -07:00
cirrus drm/cirrus: Use the drm_driver.dumb_destroy default 2017-08-16 20:14:22 +02:00
etnaviv Merge branch 'etnaviv/fixes' of https://git.pengutronix.de/git/lst/linux into drm-fixes 2017-09-28 05:48:53 +10:00
exynos drm/exynos: Clear drvdata after component unbind 2017-10-16 07:44:49 +09:00
fsl-dcu drm: Nuke drm_atomic_helper_connector_dpms 2017-08-08 14:48:48 +02:00
gma500 Merge branch 'i2c/for-4.14' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux 2017-09-09 14:18:40 -07:00
hisilicon drm: kirin: Add mode_valid logic to avoid mode clocks we can't generate 2017-08-29 05:20:35 +10:00
i2c drm: Nuke drm_atomic_helper_connector_dpms 2017-08-08 14:48:48 +02:00
i810 drm/pci: Deprecate drm_pci_init/exit completely 2017-06-20 10:41:03 +02:00
i915 drm/i915: Hold rcu_read_lock when iterating over the radixtree (vma idr) 2017-10-30 10:17:50 -07:00
imx main drm pull request for 4.14 merge window 2017-09-03 17:02:26 -07:00
lib mm: treewide: remove GFP_TEMPORARY allocation flag 2017-09-13 18:53:16 -07:00
mediatek drm/mediatek: switch to drm_*_get(), drm_*_put() helpers 2017-08-11 11:35:02 -04:00
meson drm/meson: Use .dumb_map_offset and .dumb_destroy defaults 2017-08-16 20:11:43 +02:00
mga Merge airlied/drm-next into drm-misc-next 2017-07-26 13:43:33 +02:00
mgag200 drm/mgag200: Use the drm_driver.dumb_destroy default 2017-08-16 20:18:22 +02:00
msm drm/msm: fix _NO_IMPLICIT fencing case 2017-10-12 14:21:22 -04:00
mxsfb drm/mxsfb: Use .dumb_map_offset and .dumb_destroy defaults 2017-08-16 20:12:19 +02:00
nouveau drm/nouveau/fbcon: fix oops without fbdev emulation 2017-10-19 07:27:55 +10:00
omapdrm drm/omap: work-around for omap3 display enable 2017-08-23 12:22:12 +03:00
panel drm: Convert to using %pOF instead of full_name 2017-07-26 13:45:06 +02:00
pl111 drm/pl111: Use drm_gem_fb_create() and drm_gem_fb_prepare_fb() 2017-08-16 21:35:38 +02:00
qxl qxl: fix framebuffer unpinning 2017-09-25 08:35:53 +02:00
r128 drm/pci: Deprecate drm_pci_init/exit completely 2017-06-20 10:41:03 +02:00
radeon Merge branch 'drm-fixes-4.14' of git://people.freedesktop.org/~agd5f/linux into drm-fixes 2017-09-28 05:49:38 +10:00
rcar-du Merge tag 'drm-misc-next-2017-08-08' of git://anongit.freedesktop.org/git/drm-misc into drm-next 2017-08-10 10:47:33 +10:00
rockchip main drm pull request for 4.14 merge window 2017-09-03 17:02:26 -07:00
savage drm/pci: Deprecate drm_pci_init/exit completely 2017-06-20 10:41:03 +02:00
selftests mm: treewide: remove GFP_TEMPORARY allocation flag 2017-09-13 18:53:16 -07:00
shmobile drm/shmobile: Use .dumb_map_offset and .dumb_destroy defaults 2017-07-29 13:57:33 +02:00
sis drm/pci: Deprecate drm_pci_init/exit completely 2017-06-20 10:41:03 +02:00
sti drm: Nuke drm_atomic_helper_connector_dpms 2017-08-08 14:48:48 +02:00
stm drm: make DRM_STM default n 2017-08-10 11:26:49 +10:00
sun4i drm/sun4i: hdmi: Disable clks in bind function error path and unbind function 2017-10-02 21:58:47 +02:00
tdfx drm/pci: Deprecate drm_pci_init/exit completely 2017-06-20 10:41:03 +02:00
tegra drm/tegra: trace: Fix path to include 2017-09-26 11:08:17 +02:00
tilcdc drm: Nuke drm_atomic_helper_connector_dpms 2017-08-08 14:48:48 +02:00
tinydrm drm/tinydrm: make function st7586_pipe_enable static 2017-08-16 21:39:26 +02:00
ttm amd fixes pull 2017-09-15 17:52:52 -07:00
udl Merge branch 'x86-mm-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2017-09-04 12:21:28 -07:00
vc4 drm/vc4: Use drm_gem_fb_create() 2017-08-16 21:35:57 +02:00
vgem drm/vgem: switch to drm_*_get(), drm_*_put() helpers 2017-08-11 11:41:43 -04:00
via drm/pci: Deprecate drm_pci_init/exit completely 2017-06-20 10:41:03 +02:00
virtio drm/ttm: make ttm_mem_type_manager_func debug more useful 2017-08-17 15:45:59 -04:00
vmwgfx main drm pull request for 4.14 merge window 2017-09-03 17:02:26 -07:00
zte drm: Nuke drm_atomic_helper_connector_dpms 2017-08-08 14:48:48 +02:00
ati_pcigart.c
drm_agpsupport.c
drm_atomic_helper.c drm/atomic: Unref duplicated drm_atomic_state in drm_atomic_helper_resume() 2017-10-09 14:26:45 +02:00
drm_atomic.c main drm pull request for 4.14 merge window 2017-09-03 17:02:26 -07:00
drm_auth.c
drm_blend.c mm: treewide: remove GFP_TEMPORARY allocation flag 2017-09-13 18:53:16 -07:00
drm_bridge.c drm: Introduce drm_bridge_mode_valid() 2017-05-30 08:37:50 +02:00
drm_bufs.c switch compat_drm_mapbufs() to drm_ioctl_kernel() 2017-07-04 13:16:26 -04:00
drm_cache.c
drm_color_mgmt.c drm: More links for gamma support helpers 2017-06-20 12:13:11 +02:00
drm_connector.c drm: Handle properties in the core for atomic drivers 2017-08-08 14:45:09 +02:00
drm_context.c
drm_crtc_helper_internal.h drm: Add drm_{crtc/encoder/connector}_mode_valid() 2017-05-30 08:37:24 +02:00
drm_crtc_helper.c drm: Handle properties in the core for atomic drivers 2017-08-08 14:45:09 +02:00
drm_crtc_internal.h drm: Handle properties in the core for atomic drivers 2017-08-08 14:45:09 +02:00
drm_crtc.c drm: Handle properties in the core for atomic drivers 2017-08-08 14:45:09 +02:00
drm_debugfs_crc.c drm/crc: Only open CRC on atomic drivers when the CRTC is active. 2017-07-17 16:34:51 +02:00
drm_debugfs.c
drm_dma.c
drm_dp_aux_dev.c drm_dp_aux_dev: switch to read_iter/write_iter 2017-07-08 20:51:46 -04:00
drm_dp_dual_mode_helper.c mm: treewide: remove GFP_TEMPORARY allocation flag 2017-09-13 18:53:16 -07:00
drm_dp_helper.c drm/dp: Don't trust drm_dp_downstream_id() 2017-07-21 17:45:26 +03:00
drm_dp_mst_topology.c Linux 4.13-rc2 2017-07-27 08:15:43 +10:00
drm_drv.c drm: Clean up drm_dev_unplug 2017-08-11 10:49:21 +02:00
drm_dumb_buffers.c drm/dumb-buffers: Add defaults for .dumb_map_offset and .dumb_destroy 2017-07-29 13:51:44 +02:00
drm_edid_load.c
drm_edid.c drm/edid: parse ycbcr 420 deep color information 2017-07-14 21:23:54 +03:00
drm_encoder_slave.c
drm_encoder.c
drm_fb_cma_helper.c drm/fb-cma-helper: Use drm_gem_framebuffer_helper 2017-08-16 21:34:38 +02:00
drm_fb_helper.c drm/fb-helper: pass physical dimensions to fbdev 2017-08-07 17:01:15 +02:00
drm_file.c drm: Document device unplug infrastructure 2017-08-11 10:48:03 +02:00
drm_flip_work.c
drm_fourcc.c
drm_framebuffer.c Merge airlied/drm-next into drm-misc-next 2017-07-26 13:43:33 +02:00
drm_gem_cma_helper.c drm/gem-cma-helper: Remove drm_gem_cma_dumb_map_offset() 2017-08-16 20:21:24 +02:00
drm_gem_framebuffer_helper.c drm: Add GEM backed framebuffer library 2017-08-16 21:32:23 +02:00
drm_gem.c Merge branch 'x86-mm-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2017-09-04 12:21:28 -07:00
drm_global.c
drm_hashtab.c
drm_info.c
drm_internal.h drm/syncobj: Add a signal ioctl (v3) 2017-08-29 10:16:25 +10:00
drm_ioc32.c Merge airlied/drm-next into drm-misc-next 2017-07-26 13:43:33 +02:00
drm_ioctl.c drm/syncobj: Add a signal ioctl (v3) 2017-08-29 10:16:25 +10:00
drm_irq.c drm/doc: Polish irq helper documentation 2017-06-01 08:02:14 +02:00
drm_kms_helper_common.c
drm_legacy.h switch compat_drm_mapbufs() to drm_ioctl_kernel() 2017-07-04 13:16:26 -04:00
drm_lock.c
drm_memory.c
drm_mipi_dsi.c drm: Convert to using %pOF instead of full_name 2017-07-26 13:45:06 +02:00
drm_mm.c lib/interval_tree: fast overlap detection 2017-09-08 18:26:49 -07:00
drm_mode_config.c drm: Create a format/modifier blob 2017-08-01 17:50:06 +01:00
drm_mode_object.c drm: Handle properties in the core for atomic drivers 2017-08-08 14:45:09 +02:00
drm_modes.c drm/modes: Fix drm_mode_is_420_only() comment 2017-07-31 14:23:30 +02:00
drm_modeset_helper.c drm: Plumb modifiers through plane init 2017-08-01 17:50:06 +01:00
drm_modeset_lock.c drm: Improve kerneldoc for drm_modeset_lock 2017-07-26 13:45:08 +02:00
drm_of.c drm: Convert to using %pOF instead of full_name 2017-07-26 13:45:06 +02:00
drm_panel.c
drm_pci.c drm/pci: Deprecate drm_pci_init/exit completely 2017-06-20 10:41:03 +02:00
drm_plane_helper.c
drm_plane.c main drm pull request for 4.14 merge window 2017-09-03 17:02:26 -07:00
drm_prime.c
drm_print.c
drm_probe_helper.c drm: add helper to validate YCBCR420 modes 2017-07-14 21:23:54 +03:00
drm_property.c drm: rename, adjust and export drm_atomic_replace_property_blob 2017-07-14 15:53:06 +02:00
drm_rect.c
drm_scatter.c
drm_scdc_helper.c mm: treewide: remove GFP_TEMPORARY allocation flag 2017-09-13 18:53:16 -07:00
drm_simple_kms_helper.c drm: Plumb modifiers through plane init 2017-08-01 17:50:06 +01:00
drm_syncobj.c drm/syncobj: Add a signal ioctl (v3) 2017-08-29 10:16:25 +10:00
drm_sysfs.c
drm_trace_points.c
drm_trace.h
drm_vblank.c Merge airlied/drm-next into drm-misc-next 2017-07-26 13:43:33 +02:00
drm_vm.c Merge branch 'x86-mm-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2017-09-04 12:21:28 -07:00
drm_vma_manager.c lib/interval_tree: fast overlap detection 2017-09-08 18:26:49 -07:00
Kconfig
Makefile drm: Add GEM backed framebuffer library 2017-08-16 21:32:23 +02:00