linux/drivers
Andrzej Hajda fc173ae6dd drm/exynos: fix cancel page flip code
The driver code did not remove the event from the list of pending events before destroying it.
As a result, the drm core later tried to inspect an invalid memory location.
The patch replaces the removal code with a call to the core helper.

The bug was detected using KASAN:

[   10.107249] ==================================================================
[   10.107518] BUG: KASAN: use-after-free in drm_release+0xe9c/0x1000 at addr ffffffc089154a18
[   10.107784] Read of size 8 by task modetest/103
[   10.107931] =============================================================================
[   10.113191] BUG kmalloc-128 (Not tainted): kasan: bad access detected
[   10.119608] -----------------------------------------------------------------------------
[   10.119608]
[   10.129243] Disabling lock debugging due to kernel taint
[   10.134551] INFO: Allocated in drm_mode_page_flip_ioctl+0x500/0xa98 age=4 cpu=0 pid=103
[   10.142532] 	alloc_debug_processing+0x18c/0x198
[   10.147043] 	___slab_alloc.constprop.28+0x360/0x380
[   10.151906] 	__slab_alloc.isra.25.constprop.27+0x54/0xa0
[   10.157197] 	kmem_cache_alloc_trace+0x370/0x3b0
[   10.161709] 	drm_mode_page_flip_ioctl+0x500/0xa98
[   10.166400] 	drm_ioctl+0x4c4/0xb68
[   10.169787] 	do_vfs_ioctl+0x16c/0xeb8
[   10.173429] 	SyS_ioctl+0x8c/0xa0
[   10.176642] 	el0_svc_naked+0x24/0x28
[   10.180204] INFO: Freed in exynos_drm_crtc_cancel_page_flip+0xe0/0x160 age=0 cpu=0 pid=103
[   10.188447] 	free_debug_processing+0x174/0x388
[   10.192871] 	__slab_free+0x2e8/0x438
[   10.196431] 	kfree+0x350/0x360
[   10.199469] 	exynos_drm_crtc_cancel_page_flip+0xe0/0x160
[   10.204762] 	exynos_drm_preclose+0x58/0xa0
[   10.208844] 	drm_release+0x1f0/0x1000
[   10.212491] 	__fput+0x1c4/0x5b8
[   10.215613] 	____fput+0xc/0x18
[   10.218654] 	task_work_run+0x130/0x198
[   10.222385] 	do_exit+0x700/0x2278
[   10.225681] 	do_group_exit+0xe4/0x2c8
[   10.229327] 	SyS_exit_group+0x1c/0x20
[   10.232973] 	el0_svc_naked+0x24/0x28
[   10.236532] INFO: Slab 0xffffffbdc2a45500 objects=32 used=10 fp=0xffffffc089154a00 flags=0x4080
[   10.245210] INFO: Object 0xffffffc089154a00 @offset=2560 fp=0xffffffc089157600
[   10.245210]
...
[   10.384532] CPU: 0 PID: 103 Comm: modetest Tainted: G    B           4.5.0-rc3-00748-gd5e2881 #271
[   10.398325] Call trace:
[   10.400764] [<ffffffc000091428>] dump_backtrace+0x0/0x328
[   10.406141] [<ffffffc000091764>] show_stack+0x14/0x20
[   10.411176] [<ffffffc00089c550>] dump_stack+0xb0/0xe8
[   10.416210] [<ffffffc000395778>] print_trailer+0xf8/0x160
[   10.421592] [<ffffffc00039b5cc>] object_err+0x3c/0x50
[   10.426626] [<ffffffc00039d630>] kasan_report_error+0x248/0x550
[   10.432527] [<ffffffc00039da50>] __asan_report_load8_noabort+0x40/0x48
[   10.439039] [<ffffffc000b5b724>] drm_release+0xe9c/0x1000
[   10.444419] [<ffffffc0003d340c>] __fput+0x1c4/0x5b8
[   10.449280] [<ffffffc0003d3884>] ____fput+0xc/0x18
[   10.454055] [<ffffffc000101aa8>] task_work_run+0x130/0x198
[   10.459522] [<ffffffc0000bc058>] do_exit+0x700/0x2278
[   10.464557] [<ffffffc0000bdcfc>] do_group_exit+0xe4/0x2c8
[   10.469939] [<ffffffc0000bdefc>] SyS_exit_group+0x1c/0x20
[   10.475320] [<ffffffc000087530>] el0_svc_naked+0x24/0x28

Signed-off-by: Andrzej Hajda <a.hajda@samsung.com>
Signed-off-by: Inki Dae <inki.dae@samsung.com>
2016-05-10 23:11:41 +09:00
accessibility
acpi Power management and ACPI fixes for v4.6-rc7 2016-05-06 11:58:45 -07:00
amba
android
ata ata: add AMD Seattle platform driver 2016-04-13 15:14:24 -04:00
atm Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2016-03-17 21:38:27 -07:00
auxdisplay
base Merge branches 'pm-opp-fixes', 'pm-cpufreq-fixes' and 'pm-cpuidle-fixes' 2016-05-06 13:16:22 +02:00
bcma bcma: fix building without OF_IRQ 2016-03-23 17:52:10 +02:00
block rbd: report unsupported features to syslog 2016-04-28 10:07:43 +02:00
bluetooth Bluetooth: btmrvl_sdio: fix firmware activation failure 2016-03-10 19:51:29 +01:00
bus mvebu fixes for 4.6 (part 1) 2016-04-12 12:35:07 -07:00
cdrom
char hwrng: bcm63xx - fix device tree compilation 2016-04-05 20:23:11 +08:00
clk MT8173 DRM support 2016-05-10 15:01:47 +10:00
clocksource Merge branches 'perf-urgent-for-linus', 'smp-urgent-for-linus' and 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2016-04-23 11:45:52 -07:00
connector
cpufreq Merge branches 'pm-opp-fixes', 'pm-cpufreq-fixes' and 'pm-cpuidle-fixes' 2016-05-06 13:16:22 +02:00
cpuidle ARM: cpuidle: Pass on arm_cpuidle_suspend()'s return value 2016-04-28 15:15:14 +02:00
crypto crypto: talitos - fix AEAD tcrypt tests 2016-04-20 17:42:49 +08:00
dca
devfreq PM / devfreq: Spelling s/frequnecy/frequency/ 2016-03-17 02:30:16 +01:00
dio
dma Merge branch 'fix/edma' into fixes 2016-04-16 22:52:03 +05:30
dma-buf dma-buf: Update docs for SYNC ioctl 2016-03-21 09:26:45 +01:00
edac EDAC: i7core, sb_edac: Don't return NOTIFY_BAD from mce_decoder callback 2016-04-29 15:43:10 +02:00
eisa
extcon extcon: palmas: Drop stray IRQF_EARLY_RESUME flag 2016-04-04 08:32:45 +09:00
firewire IEEE 1394 subsystem patch: 2016-03-25 08:52:25 -07:00
firmware virtio/qemu: fixes for 4.6 2016-05-05 08:26:54 -07:00
fmc
fpga
gpio gpiolib-acpi: Duplicate con_id string when adding it to the crs lookup list 2016-04-30 13:51:59 +02:00
gpu drm/exynos: fix cancel page flip code 2016-05-10 23:11:41 +09:00
hid Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid 2016-05-03 11:06:01 -07:00
hsi
hv Drivers: hv: vmbus: Fix signaling logic in hv_need_to_signal_on_read() 2016-04-30 14:05:44 -07:00
hwmon hwmon: (max1111) Return -ENODEV from max1111_read_channel if not instantiated 2016-03-27 10:37:48 -07:00
hwspinlock
hwtracing drivers/hwtracing: make coresight-etm-perf.c explicitly non-modular 2016-03-05 12:19:39 -08:00
i2c i2c: exynos5: Fix possible ABBA deadlock by keeping I2C clock prepared 2016-04-22 15:31:54 +02:00
ide ide: palm_bk3710: test clock rate to avoid division by 0 2016-03-20 16:59:27 -04:00
idle intel_idle: Add KBL support 2016-04-07 22:11:08 +02:00
iio iio: imu: mpu6050: Fix name/chip_id when using ACPI 2016-05-04 08:44:27 +01:00
infiniband Late 4.6-rc fixes 2016-05-07 08:10:08 -07:00
input Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input 2016-05-04 16:07:50 -07:00
iommu iommu/arm-smmu: Don't allocate resources for bypass domains 2016-04-21 16:47:32 +02:00
ipack
irqchip irqchip/mips-gic: Don't overrun pcpu_masks array 2016-04-21 21:04:29 +02:00
isdn mISDN: Fixing missing validation in base_sock_bind() 2016-04-13 23:00:50 -04:00
leds platform-drivers-x86 for 4.6-1 2016-03-23 17:20:59 -07:00
lguest lguest, x86/entry/32: Fix handling of guest syscalls using interrupt gates 2016-04-01 08:58:13 +02:00
lightnvm lightnvm: do not load L2P table if not supported 2016-03-18 18:10:38 -07:00
macintosh
mailbox Merge branch 'mailbox-devel' of git://git.linaro.org/landing-teams/working/fujitsu/integration 2016-04-14 18:40:47 -07:00
mcb
md Merge tag 'md/4.6-rc6-fix' of git://git.kernel.org/pub/scm/linux/kernel/git/shli/md 2016-05-02 12:22:51 -07:00
media media fixes for v4.6-rc7 2016-05-07 08:17:45 -07:00
memory memory: mtk-smi: export mtk_smi_larb_get/put 2016-05-06 14:20:56 +02:00
memstick drivers/memstick/host/r592.c: avoid gcc-6 warning 2016-03-25 16:37:42 -07:00
message
mfd - New Drivers 2016-03-18 10:15:11 -07:00
misc Char/Misc driver fixes for 4.6-rc7 2016-05-07 10:53:32 -07:00
mmc mmc: sunxi: Disable eMMC HS-DDR (MMC_CAP_1_8V_DDR) for Allwinner A80 2016-04-28 11:43:54 +02:00
mtd One MTD fix for v4.6-rc4: 2016-04-15 15:25:09 -07:00
net net: macb: Probe MDIO bus before registering netdev 2016-05-03 16:06:05 -04:00
nfc Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2016-03-19 10:05:34 -07:00
ntb NTB: Remove _addr functions from ntb_hw_amd 2016-03-26 11:44:33 -04:00
nubus
nvdimm libnvdimm, pfn: fix memmap reservation sizing 2016-04-30 13:07:06 -07:00
nvme NVMe: Always use MSI/MSI-x interrupts 2016-04-14 14:04:50 -06:00
nvmem nvmem: mxs-ocotp: fix buffer overflow in read 2016-05-02 08:18:01 -07:00
of DeviceTree updates for 4.6: 2016-03-19 15:15:07 -07:00
oprofile mm, fs: get rid of PAGE_CACHE_* and page_cache_{get,release} macros 2016-04-04 10:41:08 -07:00
parisc PCI changes for the v4.6 merge window: 2016-03-16 14:45:55 -07:00
parport
pci PCI updates for v4.6: 2016-04-18 19:52:47 -07:00
pcmcia pcmcia: db1xxx_ss: fix last irq_to_gpio user 2016-03-29 22:48:53 +02:00
perf drivers/perf: arm-pmu: fix RCU usage on pmu resume from low-power 2016-04-21 15:03:06 +01:00
phy phy: rockchip-emmc: should be a child device of the GRF 2016-04-13 18:33:05 +05:30
pinctrl pinctrl: single: Fix pcs_parse_bits_in_pinctrl_entry to use __ffs than ffs 2016-04-15 11:26:55 +02:00
platform platform-drivers-x86 for 4.6-3 2016-04-27 08:57:11 -07:00
pnp PNP / ACPI: add ACPI_RESOURCE_TYPE_SERIAL_BUS as a valid type 2016-03-09 23:50:55 +01:00
power Power management and ACPI material for v4.6-rc1, part 2 2016-03-25 16:55:37 -07:00
powercap powercap: intel_rapl: Add missing Haswell model 2016-04-05 03:44:48 +02:00
pps
ps3
ptp Merge branch 'timers-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2016-03-15 12:13:56 -07:00
pwm pwm: fsl-ftm: Use flat regmap cache 2016-04-14 16:54:00 +02:00
rapidio rapidio/mport_cdev: fix uapi type definitions 2016-05-05 17:38:53 -07:00
ras
regulator - New Drivers 2016-03-18 10:15:11 -07:00
remoteproc remoteproc: st: fix check of syscon_regmap_lookup_by_phandle() return value 2016-03-28 16:19:00 -07:00
reset
rpmsg
rtc rtc: ds1307: Use irq when available for wakeup-source device 2016-04-21 23:21:00 +02:00
s390 s390/sclp_ctl: fix potential information leak with /dev/sclp 2016-04-27 09:33:39 +02:00
sbus
scsi cxgbi: fix uninitialized flowi6 2016-04-25 16:20:49 -04:00
sfi
sh Linux 4.5-rc6 2016-03-04 12:12:08 +01:00
sn
soc Revert "soc: mediatek: SCPSYS: Fix double enabling of regulators" 2016-04-13 11:55:08 +02:00
spi Merge remote-tracking branches 'spi/fix/omap2' and 'spi/fix/rockchip' into spi-linus 2016-04-04 10:05:49 -07:00
spmi
ssb
staging Final set of -rc fixes for 4.6 2016-04-29 17:07:54 -07:00
target target: add a new add_wwn_groups fabrics method 2016-03-30 20:06:44 -07:00
tc
thermal thermal: use %d to print S32 parameters 2016-04-27 15:54:51 -07:00
thunderbolt
tty devpts: more pty driver interface cleanups 2016-04-26 15:47:32 -07:00
uio
usb Revert "USB / PM: Allow USB devices to remain runtime-suspended when sleeping" 2016-05-02 08:44:31 -07:00
uwb
vfio VFIO updates for v4.6-rc1 2016-03-17 13:05:09 -07:00
vhost Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending 2016-03-22 12:41:14 -07:00
video Linux 4.6-rc7 2016-05-09 13:49:56 +10:00
virt
virtio virtio: Silence uninitialized variable warning 2016-05-01 15:50:08 +03:00
vlynq
vme
w1
watchdog hpwdt: use nmi_panic() when kernel panics in NMI handler 2016-03-22 15:36:02 -07:00
xen xen/evtchn: fix ring resize when binding new events 2016-05-04 16:37:01 +01:00
zorro
Kconfig
Makefile