leandrof/linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
f6e47884e7
linux/drivers/gpu/drm
History
Chris Wilson f6e47884e7 drm/i915: Avoid unmapping pages from a NULL address space 
Found by gem_stress.

As we perform retirement from a workqueue, it is possible for us to free
and unbind objects after the last close on the device, and so after the
address space has been torn down and reset to NULL:

BUG: unable to handle kernel NULL pointer dereference at 00000054
IP: [<c1295a20>] mutex_lock+0xf/0x27
*pde = 00000000
Oops: 0002 [#1] SMP
last sysfs file: /sys/module/vt/parameters/default_utf8

Pid: 5, comm: kworker/u:0 Not tainted 2.6.38+ #214
EIP: 0060:[<c1295a20>] EFLAGS: 00010206 CPU: 1
EIP is at mutex_lock+0xf/0x27
EAX: 00000054 EBX: 00000054 ECX: 00000000 EDX: 00012fff
ESI: 00000028 EDI: 00000000 EBP: f706fe20 ESP: f706fe18
 DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
Process kworker/u:0 (pid: 5, ti=f706e000 task=f7060d00 task.ti=f706e000)
Stack:
 f5aa3c60 00000000 f706fe74 c107e7df 00000246 dea55380 00000054 f5aa3c60
 f706fe44 00000061 f70b4000 c13fff84 00000008 f706fe54 00000000 00000000
 00012f00 00012fff 00000028 c109e575 f6b36700 00100000 00000000 f706fe90
Call Trace:
 [<c107e7df>] unmap_mapping_range+0x7d/0x1e6
 [<c109e575>] ? mntput_no_expire+0x52/0xb6
 [<c11c12f6>] i915_gem_release_mmap+0x49/0x58
 [<c11c3449>] i915_gem_object_unbind+0x4c/0x125
 [<c11c353f>] i915_gem_free_object_tail+0x1d/0xdb
 [<c11c55a2>] i915_gem_free_object+0x3d/0x41
 [<c11a6be2>] ? drm_gem_object_free+0x0/0x27
 [<c11a6c07>] drm_gem_object_free+0x25/0x27
 [<c113c3ca>] kref_put+0x39/0x42
 [<c11c0a59>] drm_gem_object_unreference+0x16/0x18
 [<c11c0b15>] i915_gem_object_move_to_inactive+0xba/0xbe
 [<c11c0c87>] i915_gem_retire_requests_ring+0x16e/0x1a5
 [<c11c3645>] i915_gem_retire_requests+0x48/0x63
 [<c11c36ac>] i915_gem_retire_work_handler+0x4c/0x117
 [<c10385d1>] process_one_work+0x140/0x21b
 [<c103734c>] ? __need_more_worker+0x13/0x2a
 [<c10373b1>] ? need_to_create_worker+0x1c/0x35
 [<c11c3660>] ? i915_gem_retire_work_handler+0x0/0x117
 [<c1038faf>] worker_thread+0xd4/0x14b
 [<c1038edb>] ? worker_thread+0x0/0x14b
 [<c103be1b>] kthread+0x68/0x6d
 [<c103bdb3>] ? kthread+0x0/0x6d
 [<c12970f6>] kernel_thread_helper+0x6/0x10
Code: 00 e8 98 fe ff ff 5d c3 55 89 e5 3e 8d 74 26 00 ba 01 00 00 00 e8
84 fe ff ff 5d c3 55 89 e5 53 8d 64 24 fc 3e 8d 74 26 00 89 c3 <f0> ff
08 79 05 e8 ab ff ff ff 89 e0 25 00 e0 ff ff 89 43 10 58
EIP: [<c1295a20>] mutex_lock+0xf/0x27 SS:ESP 0068:f706fe18
CR2: 0000000000000054

Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Reviewed-by: Keith Packard <keithp@keithp.com>
2011-03-23 09:17:03 +00:00
..
i2c
i810 drm: rework PCI/platform driver interface. 2011-02-07 13:09:36 +10:00
i915 drm/i915: Avoid unmapping pages from a NULL address space 2011-03-23 09:17:03 +00:00
mga drm: rework PCI/platform driver interface. 2011-02-07 13:09:36 +10:00
nouveau Merge commit '5359533801e3dd3abca5b7d3d985b0b33fd9fe8b' into drm-core-next 2011-03-16 11:34:41 +10:00
r128 drm: rework PCI/platform driver interface. 2011-02-07 13:09:36 +10:00
radeon drm/radeon: fixup refcounts in radeon dumb create ioctl. 2011-03-17 13:58:34 +10:00
savage drm: rework PCI/platform driver interface. 2011-02-07 13:09:36 +10:00
sis drm: rework PCI/platform driver interface. 2011-02-07 13:09:36 +10:00
tdfx drm: rework PCI/platform driver interface. 2011-02-07 13:09:36 +10:00
ttm Revert "ttm: Include the 'struct dev' when using the DMA API." 2011-02-23 14:24:01 +10:00
via drm: rework PCI/platform driver interface. 2011-02-07 13:09:36 +10:00
vmwgfx Revert "ttm: Include the 'struct dev' when using the DMA API." 2011-02-23 14:24:01 +10:00
ati_pcigart.c
drm_agpsupport.c drm: kill drm_agp_chipset_flush 2010-11-23 20:14:44 +00:00
drm_auth.c
drm_buffer.c
drm_bufs.c
drm_cache.c
drm_context.c
drm_crtc_helper.c Merge branch 'drm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/airlied/drm-2.6 2011-02-04 10:02:22 -08:00
drm_crtc.c drm: dumb scanout create/mmap for intel/radeon (v3) 2011-02-07 12:16:14 +10:00
drm_debugfs.c
drm_dma.c
drm_dp_i2c_helper.c
drm_drv.c drm/core: add ioctl to query device/driver capabilities 2011-03-04 14:47:30 +10:00
drm_edid_modes.h drm: Mark constant arrays of drm_display_mode const 2011-02-23 11:13:11 +10:00
drm_edid.c drm: Retry i2c transfer of EDID block after failure 2011-03-16 11:25:13 +10:00
drm_encoder_slave.c
drm_fb_helper.c Merge commit '5359533801e3dd3abca5b7d3d985b0b33fd9fe8b' into drm-core-next 2011-03-16 11:34:41 +10:00
drm_fops.c drm/switcheroo: track state of switch in drivers. 2011-01-05 13:45:30 +10:00
drm_gem.c drm: Fix use-after-free in drm_gem_vm_close() 2011-03-21 09:15:22 +10:00
drm_global.c
drm_hashtab.c drm: Remove unused members from struct drm_open_hash 2011-02-23 11:16:40 +10:00
drm_info.c Merge remote branch 'intel/drm-intel-next' of ../drm-next into drm-core-next 2011-03-14 14:15:13 +10:00
drm_ioc32.c
drm_ioctl.c drm/kernel: vblank wait on crtc > 1 2011-03-21 09:25:54 +10:00
drm_irq.c drm/kernel: vblank wait on crtc > 1 2011-03-21 09:25:54 +10:00
drm_lock.c
drm_memory.c
drm_mm.c drm: mm: add helper to unwind scan state 2011-02-23 10:32:57 +10:00
drm_modes.c drm: Mark constant arrays of drm_display_mode const 2011-02-23 11:13:11 +10:00
drm_pci.c drm: rework PCI/platform driver interface. 2011-02-07 13:09:36 +10:00
drm_platform.c drm: rework PCI/platform driver interface. 2011-02-07 13:09:36 +10:00
drm_proc.c
drm_scatter.c
drm_sman.c
drm_stub.c drm: add usb framework 2011-02-07 13:09:42 +10:00
drm_sysfs.c drm: Hold the mode mutex whilst probing for sysfs status 2011-03-16 11:23:04 +10:00
drm_trace_points.c
drm_trace.h
drm_usb.c drm: add usb framework 2011-02-07 13:09:42 +10:00
drm_vm.c
Kconfig drm/i810: remove the BKL 2011-02-07 12:15:04 +10:00
Makefile drm: add usb framework 2011-02-07 13:09:42 +10:00
README.drm

README.drm 

************************************************************
* For the very latest on DRI development, please see:      *
*     http://dri.freedesktop.org/                          *
************************************************************

The Direct Rendering Manager (drm) is a device-independent kernel-level
device driver that provides support for the XFree86 Direct Rendering
Infrastructure (DRI).

The DRM supports the Direct Rendering Infrastructure (DRI) in four major
ways:

    1. The DRM provides synchronized access to the graphics hardware via
       the use of an optimized two-tiered lock.

    2. The DRM enforces the DRI security policy for access to the graphics
       hardware by only allowing authenticated X11 clients access to
       restricted regions of memory.

    3. The DRM provides a generic DMA engine, complete with multiple
       queues and the ability to detect the need for an OpenGL context
       switch.

    4. The DRM is extensible via the use of small device-specific modules
       that rely extensively on the API exported by the DRM module.


Documentation on the DRI is available from:
    http://dri.freedesktop.org/wiki/Documentation
    http://sourceforge.net/project/showfiles.php?group_id=387
    http://dri.sourceforge.net/doc/

For specific information about kernel-level support, see:

    The Direct Rendering Manager, Kernel Support for the Direct Rendering
    Infrastructure
    http://dri.sourceforge.net/doc/drm_low_level.html

    Hardware Locking for the Direct Rendering Infrastructure
    http://dri.sourceforge.net/doc/hardware_locking_low_level.html

    A Security Analysis of the Direct Rendering Infrastructure
    http://dri.sourceforge.net/doc/security_low_level.html