Message ID | 1425324967-7427-1-git-send-email-tt.rantala@gmail.com (mailing list archive) |
---|---|
State | New, archived |
Good catch.

Patch is Reviewed-by: Christian König <christian.koenig@amd.com>

Regards,
Christian.

On 02.03.2015 20:36, Tommi Rantala wrote:
> Passing zeroed drm_radeon_cs struct to DRM_IOCTL_RADEON_CS produces the
> following oops.
>
> Fix by always calling INIT_LIST_HEAD() to avoid the crash in list_sort().
>
> ----------------------------------
>
> #include <stdint.h>
> #include <fcntl.h>
> #include <unistd.h>
> #include <sys/ioctl.h>
> #include <drm/radeon_drm.h>
>
> static const struct drm_radeon_cs cs;
>
> int main(int argc, char **argv)
> {
>         return ioctl(open(argv[1], O_RDWR), DRM_IOCTL_RADEON_CS, &cs);
> }
>
> ----------------------------------
>
> [ttrantal@test2 ~]$ ./main /dev/dri/card0
> [ 46.904650] BUG: unable to handle kernel NULL pointer dereference at (null)
> [ 46.905022] IP: [<ffffffff814d6df2>] list_sort+0x42/0x240
> [ 46.905022] PGD 68f29067 PUD 688b5067 PMD 0
> [ 46.905022] Oops: 0002 [#1] SMP
> [ 46.905022] CPU: 0 PID: 2413 Comm: main Not tainted 4.0.0-rc1+ #58
> [ 46.905022] Hardware name: Hewlett-Packard HP Compaq dc5750 Small Form Factor/0A64h, BIOS 786E3 v02.10 01/25/2007
> [ 46.905022] task: ffff880058e2bcc0 ti: ffff880058e64000 task.ti: ffff880058e64000
> [ 46.905022] RIP: 0010:[<ffffffff814d6df2>] [<ffffffff814d6df2>] list_sort+0x42/0x240
> [ 46.905022] RSP: 0018:ffff880058e67998 EFLAGS: 00010246
> [ 46.905022] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
> [ 46.905022] RDX: ffffffff81644410 RSI: ffff880058e67b40 RDI: ffff880058e67a58
> [ 46.905022] RBP: ffff880058e67a88 R08: 0000000000000000 R09: 0000000000000000
> [ 46.905022] R10: ffff880058e2bcc0 R11: ffffffff828e6ca0 R12: ffffffff81644410
> [ 46.905022] R13: ffff8800694b8018 R14: 0000000000000000 R15: ffff880058e679b0
> [ 46.905022] FS: 00007fdc65a65700(0000) GS:ffff88006d600000(0000) knlGS:0000000000000000
> [ 46.905022] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 46.905022] CR2: 0000000000000000 CR3: 0000000058dd9000 CR4: 00000000000006f0
> [ 46.905022] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> [ 46.905022] DR3: 0000000000000000 DR6: 00000000ffff4ff0 DR7: 0000000000000400
> [ 46.905022] Stack:
> [ 46.905022] ffff880058e67b40 ffff880058e2bcc0 ffff880058e67a78 0000000000000000
> [ 46.905022] 0000000000000000 0000000000000000 0000000000000000 0000000000000000
> [ 46.905022] 0000000000000000 0000000000000000 0000000000000000 0000000000000000
> [ 46.905022] Call Trace:
> [ 46.905022] [<ffffffff81644a65>] radeon_cs_parser_fini+0x195/0x220
> [ 46.905022] [<ffffffff81645069>] radeon_cs_ioctl+0xa9/0x960
> [ 46.905022] [<ffffffff815e1f7c>] drm_ioctl+0x19c/0x640
> [ 46.905022] [<ffffffff810f8fdd>] ? trace_hardirqs_on_caller+0xfd/0x1c0
> [ 46.905022] [<ffffffff810f90ad>] ? trace_hardirqs_on+0xd/0x10
> [ 46.905022] [<ffffffff8160c066>] radeon_drm_ioctl+0x46/0x80
> [ 46.905022] [<ffffffff81211868>] do_vfs_ioctl+0x318/0x570
> [ 46.905022] [<ffffffff81462ef6>] ? selinux_file_ioctl+0x56/0x110
> [ 46.905022] [<ffffffff81211b41>] SyS_ioctl+0x81/0xa0
> [ 46.905022] [<ffffffff81dc6312>] system_call_fastpath+0x12/0x17
> [ 46.905022] Code: 48 89 b5 10 ff ff ff 0f 84 03 01 00 00 4c 8d bd 28 ff ff ff 31 c0 48 89 fb b9 15 00 00 00 49 89 d4 4c 89 ff f3 48 ab 48 8b 46 08 <48> c7 00 00 00 00 00 48 8b 0e 48 85 c9 0f 84 7d 00 00 00 c7 85
> [ 46.905022] RIP [<ffffffff814d6df2>] list_sort+0x42/0x240
> [ 46.905022] RSP <ffff880058e67998>
> [ 46.905022] CR2: 0000000000000000
> [ 47.149253] ---[ end trace 09576b4e8b2c20b8 ]---
>
> Signed-off-by: Tommi Rantala <tt.rantala@gmail.com>
> ---
> drivers/gpu/drm/radeon/radeon_cs.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/radeon/radeon_cs.c b/drivers/gpu/drm/radeon/radeon_cs.c
> index a579ed3..4d0f96c 100644
> --- a/drivers/gpu/drm/radeon/radeon_cs.c
> +++ b/drivers/gpu/drm/radeon/radeon_cs.c
> @@ -256,11 +256,13 @@ int radeon_cs_parser_init(struct radeon_cs_parser *p, void *data) > u32 ring = RADEON_CS_RING_GFX; > s32 priority = 0; > > + INIT_LIST_HEAD(&p->validated); > + > if (!cs->num_chunks) { > return 0; > } > + > /* get chunks */ > - INIT_LIST_HEAD(&p->validated); > p->idx = 0; > p->ib.sa_bo = NULL; > p->const_ib.sa_bo = NULL;
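Review bot: the submission should carry a Cc: stable@vger.kernel.org tag, because the reproducer above shows that one open() of the DRM node from an ordinary user shell followed by a single DRM_IOCTL_RADEON_CS with a zeroed argument is enough to oops the kernel, and every release with the early return before INIT_LIST_HEAD(&p->validated) is affected. The hunk itself is the right minimal change: the call trace shows radeon_cs_parser_fini() running list_sort() on p->validated no matter how radeon_cs_parser_init() returned, so the head must be valid before the `if (!cs->num_chunks) return 0;` path, which is exactly what moving the INIT_LIST_HEAD() line above the check achieves.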
On Tue, Mar 3, 2015 at 4:10 AM, Christian König <deathsimple@vodafone.de> wrote:
> Good catch.
>
> Patch is Reviewed-by: Christian König <christian.koenig@amd.com>
>
> Regards,
> Christian.
>

Applied to my -fixes tree. Thanks!

Alex

>
> On 02.03.2015 20:36, Tommi Rantala wrote:
>>
>> Passing zeroed drm_radeon_cs struct to DRM_IOCTL_RADEON_CS produces the
>> following oops.
>>
>> Fix by always calling INIT_LIST_HEAD() to avoid the crash in list_sort().
>>
>> ----------------------------------
>>
>> #include <stdint.h>
>> #include <fcntl.h>
>> #include <unistd.h>
>> #include <sys/ioctl.h>
>> #include <drm/radeon_drm.h>
>>
>> static const struct drm_radeon_cs cs;
>>
>> int main(int argc, char **argv)
>> {
>>         return ioctl(open(argv[1], O_RDWR), DRM_IOCTL_RADEON_CS, &cs);
>> }
>>
>> ----------------------------------
>>
>> [ttrantal@test2 ~]$ ./main /dev/dri/card0
>> [ 46.904650] BUG: unable to handle kernel NULL pointer dereference at (null)
>> [ 46.905022] IP: [<ffffffff814d6df2>] list_sort+0x42/0x240
>> [ 46.905022] PGD 68f29067 PUD 688b5067 PMD 0
>> [ 46.905022] Oops: 0002 [#1] SMP
>> [ 46.905022] CPU: 0 PID: 2413 Comm: main Not tainted 4.0.0-rc1+ #58
>> [ 46.905022] Hardware name: Hewlett-Packard HP Compaq dc5750 Small Form Factor/0A64h, BIOS 786E3 v02.10 01/25/2007
>> [ 46.905022] task: ffff880058e2bcc0 ti: ffff880058e64000 task.ti: ffff880058e64000
>> [ 46.905022] RIP: 0010:[<ffffffff814d6df2>] [<ffffffff814d6df2>] list_sort+0x42/0x240
>> [ 46.905022] RSP: 0018:ffff880058e67998 EFLAGS: 00010246
>> [ 46.905022] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
>> [ 46.905022] RDX: ffffffff81644410 RSI: ffff880058e67b40 RDI: ffff880058e67a58
>> [ 46.905022] RBP: ffff880058e67a88 R08: 0000000000000000 R09: 0000000000000000
>> [ 46.905022] R10: ffff880058e2bcc0 R11: ffffffff828e6ca0 R12: ffffffff81644410
>> [ 46.905022] R13: ffff8800694b8018 R14: 0000000000000000 R15: ffff880058e679b0
>> [ 46.905022] FS: 00007fdc65a65700(0000) GS:ffff88006d600000(0000) knlGS:0000000000000000
>> [ 46.905022] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> [ 46.905022] CR2: 0000000000000000 CR3: 0000000058dd9000 CR4: 00000000000006f0
>> [ 46.905022] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
>> [ 46.905022] DR3: 0000000000000000 DR6: 00000000ffff4ff0 DR7: 0000000000000400
>> [ 46.905022] Stack:
>> [ 46.905022] ffff880058e67b40 ffff880058e2bcc0 ffff880058e67a78 0000000000000000
>> [ 46.905022] 0000000000000000 0000000000000000 0000000000000000 0000000000000000
>> [ 46.905022] 0000000000000000 0000000000000000 0000000000000000 0000000000000000
>> [ 46.905022] Call Trace:
>> [ 46.905022] [<ffffffff81644a65>] radeon_cs_parser_fini+0x195/0x220
>> [ 46.905022] [<ffffffff81645069>] radeon_cs_ioctl+0xa9/0x960
>> [ 46.905022] [<ffffffff815e1f7c>] drm_ioctl+0x19c/0x640
>> [ 46.905022] [<ffffffff810f8fdd>] ? trace_hardirqs_on_caller+0xfd/0x1c0
>> [ 46.905022] [<ffffffff810f90ad>] ? trace_hardirqs_on+0xd/0x10
>> [ 46.905022] [<ffffffff8160c066>] radeon_drm_ioctl+0x46/0x80
>> [ 46.905022] [<ffffffff81211868>] do_vfs_ioctl+0x318/0x570
>> [ 46.905022] [<ffffffff81462ef6>] ? selinux_file_ioctl+0x56/0x110
>> [ 46.905022] [<ffffffff81211b41>] SyS_ioctl+0x81/0xa0
>> [ 46.905022] [<ffffffff81dc6312>] system_call_fastpath+0x12/0x17
>> [ 46.905022] Code: 48 89 b5 10 ff ff ff 0f 84 03 01 00 00 4c 8d bd 28 ff ff ff 31 c0 48 89 fb b9 15 00 00 00 49 89 d4 4c 89 ff f3 48 ab 48 8b 46 08 <48> c7 00 00 00 00 00 48 8b 0e 48 85 c9 0f 84 7d 00 00 00 c7 85
>> [ 46.905022] RIP [<ffffffff814d6df2>] list_sort+0x42/0x240
>> [ 46.905022] RSP <ffff880058e67998>
>> [ 46.905022] CR2: 0000000000000000
>> [ 47.149253] ---[ end trace 09576b4e8b2c20b8 ]---
>>
>> Signed-off-by: Tommi Rantala <tt.rantala@gmail.com>
>> ---
>> drivers/gpu/drm/radeon/radeon_cs.c | 4 +++-
>> 1 file changed, 3 insertions(+), 1 deletion(-)
>> >> diff --git a/drivers/gpu/drm/radeon/radeon_cs.c >> b/drivers/gpu/drm/radeon/radeon_cs.c >> index a579ed3..4d0f96c 100644 >> --- a/drivers/gpu/drm/radeon/radeon_cs.c >> +++ b/drivers/gpu/drm/radeon/radeon_cs.c >> @@ -256,11 +256,13 @@ int radeon_cs_parser_init(struct radeon_cs_parser >> *p, void *data) >> u32 ring = RADEON_CS_RING_GFX; >> s32 priority = 0; >> + INIT_LIST_HEAD(&p->validated); >> + >> if (!cs->num_chunks) { >> return 0; >> } >> + >> /* get chunks */ >> - INIT_LIST_HEAD(&p->validated); >> p->idx = 0; >> p->ib.sa_bo = NULL; >> p->const_ib.sa_bo = NULL; > > > _______________________________________________ > dri-devel mailing list > dri-devel@lists.freedesktop.org > http://lists.freedesktop.org/mailman/listinfo/dri-devel
diff --git a/drivers/gpu/drm/radeon/radeon_cs.c b/drivers/gpu/drm/radeon/radeon_cs.c index a579ed3..4d0f96c 100644 --- a/drivers/gpu/drm/radeon/radeon_cs.c +++ b/drivers/gpu/drm/radeon/radeon_cs.c @@ -256,11 +256,13 @@ int radeon_cs_parser_init(struct radeon_cs_parser *p, void *data) u32 ring = RADEON_CS_RING_GFX; s32 priority = 0; + INIT_LIST_HEAD(&p->validated); + if (!cs->num_chunks) { return 0; } + /* get chunks */ - INIT_LIST_HEAD(&p->validated); p->idx = 0; p->ib.sa_bo = NULL; p->const_ib.sa_bo = NULL;
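Review bot: with INIT_LIST_HEAD(&p->validated) hoisted above the early return, the fields still assigned below it (p->idx, p->ib.sa_bo, p->const_ib.sa_bo) keep whatever value they arrived with on the num_chunks == 0 path. The fault address (null) and the zeroed RBX/RCX in the trace indicate the parser was zero-filled before init, so those fields are 0/NULL there and the fini path only needs the list head; the commit message should say so explicitly, or the three assignments could move above the check as well so the early-return state is visibly complete rather than relying on the caller's zero fill.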
Passing zeroed drm_radeon_cs struct to DRM_IOCTL_RADEON_CS produces the
following oops.

Fix by always calling INIT_LIST_HEAD() to avoid the crash in list_sort().

----------------------------------

#include <stdint.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <drm/radeon_drm.h>

static const struct drm_radeon_cs cs;

int main(int argc, char **argv)
{
        return ioctl(open(argv[1], O_RDWR), DRM_IOCTL_RADEON_CS, &cs);
}

----------------------------------

[ttrantal@test2 ~]$ ./main /dev/dri/card0
[ 46.904650] BUG: unable to handle kernel NULL pointer dereference at (null)
[ 46.905022] IP: [<ffffffff814d6df2>] list_sort+0x42/0x240
[ 46.905022] PGD 68f29067 PUD 688b5067 PMD 0
[ 46.905022] Oops: 0002 [#1] SMP
[ 46.905022] CPU: 0 PID: 2413 Comm: main Not tainted 4.0.0-rc1+ #58
[ 46.905022] Hardware name: Hewlett-Packard HP Compaq dc5750 Small Form Factor/0A64h, BIOS 786E3 v02.10 01/25/2007
[ 46.905022] task: ffff880058e2bcc0 ti: ffff880058e64000 task.ti: ffff880058e64000
[ 46.905022] RIP: 0010:[<ffffffff814d6df2>] [<ffffffff814d6df2>] list_sort+0x42/0x240
[ 46.905022] RSP: 0018:ffff880058e67998 EFLAGS: 00010246
[ 46.905022] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[ 46.905022] RDX: ffffffff81644410 RSI: ffff880058e67b40 RDI: ffff880058e67a58
[ 46.905022] RBP: ffff880058e67a88 R08: 0000000000000000 R09: 0000000000000000
[ 46.905022] R10: ffff880058e2bcc0 R11: ffffffff828e6ca0 R12: ffffffff81644410
[ 46.905022] R13: ffff8800694b8018 R14: 0000000000000000 R15: ffff880058e679b0
[ 46.905022] FS: 00007fdc65a65700(0000) GS:ffff88006d600000(0000) knlGS:0000000000000000
[ 46.905022] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 46.905022] CR2: 0000000000000000 CR3: 0000000058dd9000 CR4: 00000000000006f0
[ 46.905022] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 46.905022] DR3: 0000000000000000 DR6: 00000000ffff4ff0 DR7: 0000000000000400
[ 46.905022] Stack:
[ 46.905022] ffff880058e67b40 ffff880058e2bcc0 ffff880058e67a78 0000000000000000
[ 46.905022] 0000000000000000 0000000000000000 0000000000000000 0000000000000000
[ 46.905022] 0000000000000000 0000000000000000 0000000000000000 0000000000000000
[ 46.905022] Call Trace:
[ 46.905022] [<ffffffff81644a65>] radeon_cs_parser_fini+0x195/0x220
[ 46.905022] [<ffffffff81645069>] radeon_cs_ioctl+0xa9/0x960
[ 46.905022] [<ffffffff815e1f7c>] drm_ioctl+0x19c/0x640
[ 46.905022] [<ffffffff810f8fdd>] ? trace_hardirqs_on_caller+0xfd/0x1c0
[ 46.905022] [<ffffffff810f90ad>] ? trace_hardirqs_on+0xd/0x10
[ 46.905022] [<ffffffff8160c066>] radeon_drm_ioctl+0x46/0x80
[ 46.905022] [<ffffffff81211868>] do_vfs_ioctl+0x318/0x570
[ 46.905022] [<ffffffff81462ef6>] ? selinux_file_ioctl+0x56/0x110
[ 46.905022] [<ffffffff81211b41>] SyS_ioctl+0x81/0xa0
[ 46.905022] [<ffffffff81dc6312>] system_call_fastpath+0x12/0x17
[ 46.905022] Code: 48 89 b5 10 ff ff ff 0f 84 03 01 00 00 4c 8d bd 28 ff ff ff 31 c0 48 89 fb b9 15 00 00 00 49 89 d4 4c 89 ff f3 48 ab 48 8b 46 08 <48> c7 00 00 00 00 00 48 8b 0e 48 85 c9 0f 84 7d 00 00 00 c7 85
[ 46.905022] RIP [<ffffffff814d6df2>] list_sort+0x42/0x240
[ 46.905022] RSP <ffff880058e67998>
[ 46.905022] CR2: 0000000000000000
[ 47.149253] ---[ end trace 09576b4e8b2c20b8 ]---

Signed-off-by: Tommi Rantala <tt.rantala@gmail.com>
---
drivers/gpu/drm/radeon/radeon_cs.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
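The commit message states the root cause in one line: on the zero-chunk path the parser's list head was never initialised, and the teardown code sorted it anyway. The following user-space C program is an added illustration of that bug class and is not code from the patch, from the radeon driver or from the kernel list API. It models `struct list_head` and a stripped-down parser (the `cs_parser`, `parser_init_before`, `parser_init_after` and `parser_fini` names are hypothetical), runs the "zero chunks, then fini" sequence against both orderings of the init function, and shows why a zero-filled head is not an empty list: an empty list points at itself, a zeroed one points at NULL. The `memset` stands in for the zero-filled parser that the NULL fault address in the oops implies, which is an assumption of the example rather than something the page states.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* User-space model of the kernel's doubly linked list head. The names
 * mirror include/linux/list.h; the code is written for this example. */
struct list_head {
    struct list_head *next, *prev;
};

static void init_list_head(struct list_head *h)
{
    h->next = h;
    h->prev = h;
}

static void list_add_tail(struct list_head *n, struct list_head *h)
{
    n->next = h;
    n->prev = h->prev;
    h->prev->next = n;
    h->prev = n;
}

/* A zero-filled head is NOT an empty list: an empty list is self-linked.
 * Walking a zeroed head dereferences NULL, which is what list_sort() did. */
static int list_head_valid(const struct list_head *h)
{
    return h->next != NULL && h->prev != NULL;
}

/* Hypothetical stand-in for struct radeon_cs_parser, reduced to the
 * fields this example needs. */
struct cs_parser {
    unsigned int num_chunks;
    int idx;
    struct list_head validated;
};

/* Ordering before the patch: the early return for zero chunks skips the
 * list initialisation entirely. */
static int parser_init_before(struct cs_parser *p, unsigned int num_chunks)
{
    p->num_chunks = num_chunks;
    if (!num_chunks)
        return 0;
    init_list_head(&p->validated);
    p->idx = 0;
    return 0;
}

/* Ordering after the patch: the head is valid before any early return. */
static int parser_init_after(struct cs_parser *p, unsigned int num_chunks)
{
    init_list_head(&p->validated);
    p->num_chunks = num_chunks;
    if (!num_chunks)
        return 0;
    p->idx = 0;
    return 0;
}

/* Model of the teardown that runs unconditionally after init (as
 * radeon_cs_parser_fini does in the call trace). Walks p->validated and
 * returns the node count; on a zeroed head it returns -1 instead of
 * crashing, so the broken state is observable. */
static int parser_fini(struct cs_parser *p)
{
    int n = 0;
    const struct list_head *pos;

    if (!list_head_valid(&p->validated))
        return -1;
    for (pos = p->validated.next; pos != &p->validated; pos = pos->next)
        n++;
    return n;
}

/* The reproducer's scenario: zero chunks, then teardown. The memset models
 * the zero-filled parser implied by the NULL fault address (assumption). */
static int run_zero_chunks(int (*init)(struct cs_parser *, unsigned int))
{
    struct cs_parser p;

    memset(&p, 0, sizeof(p));
    init(&p, 0);
    return parser_fini(&p);
}

/* Normal path: with chunks present both orderings initialise the head, so a
 * walk after adding `nodes` entries counts exactly `nodes`. */
static int run_with_chunks(int (*init)(struct cs_parser *, unsigned int), int nodes)
{
    struct cs_parser p;
    struct list_head entries[8];
    int i;

    if (nodes < 0 || nodes > 8)
        return -2;
    memset(&p, 0, sizeof(p));
    init(&p, (unsigned int)nodes);
    for (i = 0; i < nodes; i++)
        list_add_tail(&entries[i], &p.validated);
    return parser_fini(&p);
}

int main(void)
{
    printf("zero chunks, before patch: %d\n", run_zero_chunks(parser_init_before)); /* -1 */
    printf("zero chunks, after patch:  %d\n", run_zero_chunks(parser_init_after));  /* 0 */
    printf("three chunks, after patch: %d\n", run_with_chunks(parser_init_after, 3)); /* 3 */
    return 0;
}
```

The general rule the example exercises is that any state a cleanup path touches must be initialised before the first point at which init can return, not only on the path that does real work; the driver fix is one instance of that rule, and a reviewer checking a similar init/fini pair can apply the same test: zero the object, take every early return, then run fini.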