From patchwork Tue Feb 19 23:40:11 2013
X-Patchwork-Submitter: Dave Airlie
X-Patchwork-Id: 2165421
From: Dave Airlie
To: dri-devel@lists.freedesktop.org
Subject: [PATCH 1/2] drm: fix idr_remove warning during fuzzing
Date: Wed, 20 Feb 2013 09:40:11 +1000
Message-Id: <1361317212-23356-1-git-send-email-airlied@gmail.com>

Look up the context first to see if it's valid before trying to remove it.

Saw this WARNING a few times while fuzzing the kernel with Trinity in a qemu
virtual machine:

[ 22.883257] idr_remove called for id=4096 which is not allocated.
[ 22.884487] Pid: 2303, comm: trinity-child1 Not tainted 3.8.0+ #87
[ 22.885601] Call Trace:
[ 22.886080] [] idr_remove+0x131/0x1f0
[ 22.887107] [] drm_ctxbitmap_free+0x38/0x50
[ 22.888158] [] drm_rmctx+0x63/0x100
[ 22.889091] [] drm_ioctl+0x3d0/0x4d0
[ 22.890034] [] ? drm_newctx+0xb0/0xb0
[ 22.890970] [] ? avc_has_perm_flags+0x1d0/0x2a0
[ 22.892127] [] ? avc_has_perm_flags+0x28/0x2a0
[ 22.893218] [] ? trace_hardirqs_off_caller+0x28/0xd0
[ 22.894401] [] ? trace_hardirqs_off+0xd/0x10
[ 22.895461] [] do_vfs_ioctl+0x532/0x580
[ 22.896447] [] ? file_has_perm+0x83/0xa0
[ 22.897453] [] sys_ioctl+0x5d/0xa0
[ 22.898429] [] ? trace_hardirqs_on_thunk+0x3a/0x3f
[ 22.899629] [] system_call_fastpath+0x16/0x1b

Reported-by: Tommi Rantala
Signed-off-by: Dave Airlie
---
 drivers/gpu/drm/drm_context.c | 7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)

diff --git a/drivers/gpu/drm/drm_context.c b/drivers/gpu/drm/drm_context.c index 45adf97..a186563 100644 --- a/drivers/gpu/drm/drm_context.c +++ b/drivers/gpu/drm/drm_context.c 
@@ -438,6 +438,13 @@ int drm_rmctx(struct drm_device *dev, void *data, DRM_DEBUG("%d\n", ctx->handle); if (ctx->handle != DRM_KERNEL_CONTEXT) { + struct drm_local_map *map; + mutex_lock(&dev->struct_mutex); + map = idr_find(&dev->ctx_idr, ctx->handle); + mutex_unlock(&dev->struct_mutex); + + if (!map) + return -EINVAL; if (dev->driver->context_dtor) dev->driver->context_dtor(dev, ctx->handle); drm_ctxbitmap_free(dev, ctx->handle);
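
Review bot: The validity check added to drm_rmctx() is not atomic with the removal it guards: dev->struct_mutex is released immediately after idr_find(), before the `if (!map)` test and before context_dtor and drm_ctxbitmap_free() run. Two concurrent remove-context calls with the same ctx->handle can therefore both pass the check, and the second one still reaches idr_remove for an id that is no longer allocated, with context_dtor also invoked twice for that handle. Consider keeping the lookup and the removal under a single hold of the lock, or having the removal path itself report whether the id was present and returning -EINVAL from that result. A smaller point: `map` is only tested against NULL and never dereferenced, so a short comment or a more neutral name would make clear the lookup is purely an existence check.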