drm/hisilicon: Fix use-after-free

Message ID 1607941973-32287-1-git-send-email-tiantao6@hisilicon.com (mailing list archive)
State New, archived

Commit Message

Tian Tao Dec. 14, 2020, 10:32 a.m. UTC
Fix the problem of dev being released twice.
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 75 PID: 15700 at lib/refcount.c:28 refcount_warn_saturate+0xd4/0x150
CPU: 75 PID: 15700 Comm: rmmod Tainted: G            E     5.10.0-rc3+ #3
Hardware name: Huawei TaiShan 200 (Model 2280)/BC82AMDDA, BIOS 0.88 07/24/2019
pstate: 40400009 (nZcv daif +PAN -UAO -TCO BTYPE=--)
pc : refcount_warn_saturate+0xd4/0x150
lr : refcount_warn_saturate+0xd4/0x150
sp : ffff2028150cbc00
x29: ffff2028150cbc00 x28: ffff2028150121c0
x27: 0000000000000000 x26: 0000000000000000
x25: 0000000000000000 x24: 0000000000000003
x23: 0000000000000000 x22: ffff2028150cbc90
x21: ffff2020038a30a8 x20: ffff2028150cbc90
x19: ffff0020cd938020 x18: 0000000000000010
x17: 0000000000000000 x16: 0000000000000000
x15: ffffffffffffffff x14: ffff2028950cb88f
x13: ffff2028150cb89d x12: 0000000000000000
x11: 0000000005f5e0ff x10: ffff2028150cb800
x9 : 00000000ffffffd0 x8 : 75203b776f6c6672
x7 : ffff800011a6f7c8 x6 : 0000000000000001
x5 : 0000000000000000 x4 : 0000000000000000
x3 : 0000000000000000 x2 : ffff202ffe2f9dc0
x1 : ffffa02fecf40000 x0 : 0000000000000026
Call trace:
 refcount_warn_saturate+0xd4/0x150
 devm_drm_dev_init_release+0x50/0x70
 devm_action_release+0x20/0x30
 release_nodes+0x13c/0x218
 devres_release_all+0x80/0x170
 device_release_driver_internal+0x128/0x1f0
 driver_detach+0x6c/0xe0
 bus_remove_driver+0x74/0x100
 driver_unregister+0x34/0x60
 pci_unregister_driver+0x24/0xd8
 hibmc_pci_driver_exit+0x14/0xe858 [hibmc_drm]
 __arm64_sys_delete_module+0x1fc/0x2d0
 el0_svc_common.constprop.3+0xa8/0x188
 do_el0_svc+0x80/0xa0
 el0_sync_handler+0x8c/0xb0
 el0_sync+0x15c/0x180
CPU: 75 PID: 15700 Comm: rmmod Tainted: G            E     5.10.0-rc3+ #3
Hardware name: Huawei TaiShan 200 (Model 2280)/BC82AMDDA, BIOS 0.88 07/24/2019
Call trace:
 dump_backtrace+0x0/0x208
 show_stack+0x2c/0x40
 dump_stack+0xd8/0x10c
 __warn+0xac/0x128
 report_bug+0xcc/0x180
 bug_handler+0x24/0x78
 call_break_hook+0x80/0xa0
 brk_handler+0x28/0x68
 do_debug_exception+0x9c/0x148
 el1_sync_handler+0x7c/0x128
 el1_sync+0x80/0x100
 refcount_warn_saturate+0xd4/0x150
 devm_drm_dev_init_release+0x50/0x70
 devm_action_release+0x20/0x30
 release_nodes+0x13c/0x218
 devres_release_all+0x80/0x170
 device_release_driver_internal+0x128/0x1f0
 driver_detach+0x6c/0xe0
 bus_remove_driver+0x74/0x100
 driver_unregister+0x34/0x60
 pci_unregister_driver+0x24/0xd8
 hibmc_pci_driver_exit+0x14/0xe858 [hibmc_drm]
 __arm64_sys_delete_module+0x1fc/0x2d0
 el0_svc_common.constprop.3+0xa8/0x188
 do_el0_svc+0x80/0xa0
 el0_sync_handler+0x8c/0xb0
 el0_sync+0x15c/0x180
---[ end trace 00718630d6e5ff18 ]---

Signed-off-by: Tian Tao <tiantao6@hisilicon.com>
---
 drivers/gpu/drm/hisilicon/hibmc/hibmc_drm_drv.c | 1 -
 1 file changed, 1 deletion(-)

Comments

Daniel Vetter Dec. 22, 2020, 8:28 a.m. UTC | #1
On Mon, Dec 14, 2020 at 12:17 PM Thomas Zimmermann <tzimmermann@suse.de> wrote:
>
> Hi
>
> On 14.12.20 at 11:32, Tian Tao wrote:
> > Fix the problem of dev being released twice.
> >
> > Signed-off-by: Tian Tao <tiantao6@hisilicon.com>
>
> Acked-by: Thomas Zimmermann <tzimmermann@suse.de>
>
> > ---
> >   drivers/gpu/drm/hisilicon/hibmc/hibmc_drm_drv.c | 1 -
> >   1 file changed, 1 deletion(-)
> >
> > diff --git a/drivers/gpu/drm/hisilicon/hibmc/hibmc_drm_drv.c b/drivers/gpu/drm/hisilicon/hibmc/hibmc_drm_drv.c
> > index 7e91ef1..e3ab765b 100644
> > --- a/drivers/gpu/drm/hisilicon/hibmc/hibmc_drm_drv.c
> > +++ b/drivers/gpu/drm/hisilicon/hibmc/hibmc_drm_drv.c
> > @@ -364,7 +364,6 @@ static void hibmc_pci_remove(struct pci_dev *pdev)
> >
> >       drm_dev_unregister(dev);
> >       hibmc_unload(dev);
> > -     drm_dev_put(dev);

This is incomplete, you also need to remove the drm_dev_put from
hibmc_pci_probe.

Cheers, Daniel

> >   }
> >
> >   static const struct pci_device_id hibmc_pci_table[] = {
> >
>
> --
> Thomas Zimmermann
> Graphics Driver Developer
> SUSE Software Solutions Germany GmbH
> Maxfeldstr. 5, 90409 Nürnberg, Germany
> (HRB 36809, AG Nürnberg)
> Managing Director: Felix Imendörffer
>

Patch

diff --git a/drivers/gpu/drm/hisilicon/hibmc/hibmc_drm_drv.c b/drivers/gpu/drm/hisilicon/hibmc/hibmc_drm_drv.c
index 7e91ef1..e3ab765b 100644
--- a/drivers/gpu/drm/hisilicon/hibmc/hibmc_drm_drv.c
+++ b/drivers/gpu/drm/hisilicon/hibmc/hibmc_drm_drv.c
@@ -364,7 +364,6 @@  static void hibmc_pci_remove(struct pci_dev *pdev)
 
 	drm_dev_unregister(dev);
 	hibmc_unload(dev);
-	drm_dev_put(dev);
 }
 
 static const struct pci_device_id hibmc_pci_table[] = {
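
Review bot: the removal of drm_dev_put(dev) at the end of hibmc_pci_remove() is not explained in the changelog beyond "dev being released twice", and the hunk covers only one of the explicit puts. The call trace shows devm_drm_dev_init_release() running from devres_release_all() during driver detach, so the device-managed release action drops the reference on its own and the explicit put in remove was the extra drop that led to the refcount underflow; state that in the commit message and add a Fixes: tag for the change that introduced the device-managed release. The review reply in this thread also asks for the drm_dev_put in hibmc_pci_probe to be removed, which this one-line hunk does not touch, so a v2 should audit every explicit drm_dev_put() on this device and drop them together.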