From patchwork Wed May 4 13:23:11 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andrzej Hajda X-Patchwork-Id: 9014041 Return-Path: X-Original-To: patchwork-dri-devel@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.136]) by patchwork1.web.kernel.org (Postfix) with ESMTP id EE6E29F39D for ; Wed, 4 May 2016 13:23:46 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id EFDB2203A5 for ; Wed, 4 May 2016 13:23:45 +0000 (UTC) Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177]) by mail.kernel.org (Postfix) with ESMTP id A3C9D2039D for ; Wed, 4 May 2016 13:23:44 +0000 (UTC) Received: from gabe.freedesktop.org (localhost [127.0.0.1]) by gabe.freedesktop.org (Postfix) with ESMTP id E81FE6E81A; Wed, 4 May 2016 13:23:42 +0000 (UTC) X-Original-To: dri-devel@lists.freedesktop.org Delivered-To: dri-devel@lists.freedesktop.org Received: from mailout3.w1.samsung.com (mailout3.w1.samsung.com [210.118.77.13]) by gabe.freedesktop.org (Postfix) with ESMTPS id 9281C6E81A for ; Wed, 4 May 2016 13:23:41 +0000 (UTC) Received: from eucpsbgm2.samsung.com (unknown [203.254.199.245]) by mailout3.w1.samsung.com (Oracle Communications Messaging Server 7.0.5.31.0 64bit (built May 5 2014)) with ESMTP id <0O6N00BWZMJDN590@mailout3.w1.samsung.com> for dri-devel@lists.freedesktop.org; Wed, 04 May 2016 14:23:37 +0100 (BST) X-AuditID: cbfec7f5-f792a6d000001302-8e-5729f7d917da Received: from eusync2.samsung.com ( [203.254.199.212]) by eucpsbgm2.samsung.com (EUCPMTA) with SMTP id 7B.4A.04866.9D7F9275; Wed, 4 May 2016 14:23:37 +0100 (BST) Received: from amdc1061.digital.local ([106.116.147.88]) by eusync2.samsung.com (Oracle Communications Messaging Server 7.0.5.31.0 64bit (built May 5 2014)) with ESMTPA id <0O6N00AO1MJCHH90@eusync2.samsung.com>; Wed, 04 May 2016 14:23:37 +0100 (BST) From: Andrzej Hajda To: inki.dae@samsung.com Subject: [PATCH v2] drm/exynos: fix cancel page flip code Date: Wed, 04 May 2016 15:23:11 +0200 Message-id: <1462368191-19879-1-git-send-email-a.hajda@samsung.com> X-Mailer: git-send-email 1.9.1 In-reply-to: References: X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprALMWRmVeSWpSXmKPExsVy+t/xK7o3v2uGG0yeJmlxa905VouNM9az WlxpnQ4kvr5ns5h0fwKLxYzz+5gs1h65y+7A7vHi6zZmj/vdx5k8+rasYvT4vEkugCWKyyYl NSezLLVI3y6BK+P8o+1sBQuUK05+fc7SwPhWtouRk0NCwESiced5FghbTOLCvfVsXYxcHEIC SxklVi35AOU0MUks/fWLFaSKTUBT4u/mm2wgtoiAhMTMVxeZQIqYBeYySTw/8hBslLCApcSO 5kVgRSwCqhLTZr9gB7F5BZwlXlw/ywixTk7i5LHJYEM5BYIlns48ClYvJBAg8bh7O9MERt4F jAyrGEVTS5MLipPSc430ihNzi0vz0vWS83M3MULC6esOxqXHrA4xCnAwKvHwvvDWDBdiTSwr rsw9xCjBwawkwsvyDSjEm5JYWZValB9fVJqTWnyIUZqDRUmcd+au9yFCAumJJanZqakFqUUw WSYOTqkGxm38ThKtnxc2lvpfuezAfuvUjh2f5BJ/lNg15+XX5Kkv99p49kS7gPTs/6ea92Tf P7TWNUXNT89a5LnT1T0+OvNmaPvtSvlcEp4gHntQ6kCpUfalczMchUU3bJR/lP0ocIXxv137 ZFjuudSm7duu3/bx3lQxtRkbVOTeCiiZf7YXUQnS1jduU2Ipzkg01GIuKk4EAM2cClUjAgAA Cc: linux-samsung-soc , Bartlomiej Zolnierkiewicz , dri-devel , Andrzej Hajda , Marek Szyprowski X-BeenThere: dri-devel@lists.freedesktop.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: Direct Rendering Infrastructure - Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: dri-devel-bounces@lists.freedesktop.org Sender: "dri-devel" X-Spam-Status: No, score=-6.3 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_MED, RP_MATCHES_RCVD, UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Driver code did not remove event from the list of pending events before destroy. As a result drm core later tried to inspect invalid memory location. The patch replaces removal code with call to core helper. The bug was detected using KASAN: [ 10.107249] ================================================================== [ 10.107518] BUG: KASAN: use-after-free in drm_release+0xe9c/0x1000 at addr ffffffc089154a18 [ 10.107784] Read of size 8 by task modetest/103 [ 10.107931] ============================================================================= [ 10.113191] BUG kmalloc-128 (Not tainted): kasan: bad access detected [ 10.119608] ----------------------------------------------------------------------------- [ 10.119608] [ 10.129243] Disabling lock debugging due to kernel taint [ 10.134551] INFO: Allocated in drm_mode_page_flip_ioctl+0x500/0xa98 age=4 cpu=0 pid=103 [ 10.142532] alloc_debug_processing+0x18c/0x198 [ 10.147043] ___slab_alloc.constprop.28+0x360/0x380 [ 10.151906] __slab_alloc.isra.25.constprop.27+0x54/0xa0 [ 10.157197] kmem_cache_alloc_trace+0x370/0x3b0 [ 10.161709] drm_mode_page_flip_ioctl+0x500/0xa98 [ 10.166400] drm_ioctl+0x4c4/0xb68 [ 10.169787] do_vfs_ioctl+0x16c/0xeb8 [ 10.173429] SyS_ioctl+0x8c/0xa0 [ 10.176642] el0_svc_naked+0x24/0x28 [ 10.180204] INFO: Freed in exynos_drm_crtc_cancel_page_flip+0xe0/0x160 age=0 cpu=0 pid=103 [ 10.188447] free_debug_processing+0x174/0x388 [ 10.192871] __slab_free+0x2e8/0x438 [ 10.196431] kfree+0x350/0x360 [ 10.199469] exynos_drm_crtc_cancel_page_flip+0xe0/0x160 [ 10.204762] exynos_drm_preclose+0x58/0xa0 [ 10.208844] drm_release+0x1f0/0x1000 [ 10.212491] __fput+0x1c4/0x5b8 [ 10.215613] ____fput+0xc/0x18 [ 10.218654] task_work_run+0x130/0x198 [ 10.222385] do_exit+0x700/0x2278 [ 10.225681] do_group_exit+0xe4/0x2c8 [ 10.229327] SyS_exit_group+0x1c/0x20 [ 10.232973] el0_svc_naked+0x24/0x28 [ 10.236532] INFO: Slab 0xffffffbdc2a45500 objects=32 used=10 fp=0xffffffc089154a00 flags=0x4080 [ 10.245210] INFO: Object 0xffffffc089154a00 @offset=2560 fp=0xffffffc089157600 [ 10.245210] ... [ 10.384532] CPU: 0 PID: 103 Comm: modetest Tainted: G B 4.5.0-rc3-00748-gd5e2881 #271 [ 10.398325] Call trace: [ 10.400764] [] dump_backtrace+0x0/0x328 [ 10.406141] [] show_stack+0x14/0x20 [ 10.411176] [] dump_stack+0xb0/0xe8 [ 10.416210] [] print_trailer+0xf8/0x160 [ 10.421592] [] object_err+0x3c/0x50 [ 10.426626] [] kasan_report_error+0x248/0x550 [ 10.432527] [] __asan_report_load8_noabort+0x40/0x48 [ 10.439039] [] drm_release+0xe9c/0x1000 [ 10.444419] [] __fput+0x1c4/0x5b8 [ 10.449280] [] ____fput+0xc/0x18 [ 10.454055] [] task_work_run+0x130/0x198 [ 10.459522] [] do_exit+0x700/0x2278 [ 10.464557] [] do_group_exit+0xe4/0x2c8 [ 10.469939] [] SyS_exit_group+0x1c/0x20 [ 10.475320] [] el0_svc_naked+0x24/0x28 Signed-off-by: Andrzej Hajda --- v2: use exynos_crtc->event under event_lock --- drivers/gpu/drm/exynos/exynos_drm_crtc.c | 15 +++++---------- 1 file changed, 5 insertions(+), 10 deletions(-) diff --git a/drivers/gpu/drm/exynos/exynos_drm_crtc.c b/drivers/gpu/drm/exynos/exynos_drm_crtc.c index 50dd33d..785ffa6 100644 --- a/drivers/gpu/drm/exynos/exynos_drm_crtc.c +++ b/drivers/gpu/drm/exynos/exynos_drm_crtc.c @@ -233,20 +233,15 @@ void exynos_drm_crtc_cancel_page_flip(struct drm_crtc *crtc, unsigned long flags; spin_lock_irqsave(&crtc->dev->event_lock, flags); + e = exynos_crtc->event; if (e && e->base.file_priv == file) { exynos_crtc->event = NULL; - /* - * event will be destroyed by core part - * so below line should be removed later with core changes - */ - e->base.destroy(&e->base); - /* - * event_space will be increased by core part - * so below line should be removed later with core changes. - */ - file->event_space += sizeof(e->event); atomic_dec(&exynos_crtc->pending_update); } + spin_unlock_irqrestore(&crtc->dev->event_lock, flags); + + if (e && e->base.file_priv == file) + drm_event_cancel_free(crtc->dev, &e->base); }