From patchwork Wed Nov 22 17:51:11 2017
X-Patchwork-Submitter: Boris BREZILLON
X-Patchwork-Id: 10070699
Date: Wed, 22 Nov 2017 18:51:11 +0100
From: Boris Brezillon
To: Stefan Wahren
Subject: Re: [BUG] drm: vc4: refcount_t: increment on 0; use-after-free.
Message-ID: <20171122185111.0ffa7fca@bbrezillon>
In-Reply-To: <499324124.39558.1511369015110@email.1und1.de>
References: <499324124.39558.1511369015110@email.1und1.de>
Cc: David Airlie, dri-devel@lists.freedesktop.org, Daniel Vetter

Hi Stefan,

On Wed, 22 Nov 2017 17:43:35 +0100 (CET)
Stefan Wahren wrote:

> Hi Boris,
>
> if I boot Raspberry Pi 3 (ARM64, defconfig, linux-next-20171122) with sufficient CMA memory (32 MB), I'll get this warning during boot:
>
> [ 7.623510] vc4-drm soc:gpu: bound 3f902000.hdmi (ops vc4_hdmi_ops [vc4])
> [ 7.632453] vc4-drm soc:gpu: bound 3f806000.vec (ops vc4_vec_ops [vc4])
> [ 7.639707] vc4-drm soc:gpu: bound 3f400000.hvs (ops vc4_hvs_ops [vc4])
> [ 7.647364] vc4-drm soc:gpu: bound 3f206000.pixelvalve (ops vc4_crtc_ops [vc4])
> [ 7.655451] vc4-drm soc:gpu: bound 3f207000.pixelvalve (ops vc4_crtc_ops [vc4])
> [ 7.663415] vc4-drm soc:gpu: bound 3f807000.pixelvalve (ops vc4_crtc_ops [vc4])
> [ 7.730580] vc4-drm soc:gpu: bound 3fc00000.v3d (ops vc4_v3d_ops [vc4])
> [ 7.743965] [drm] Initialized vc4 0.0.0 20140616 for soc:gpu on minor 0
> [ 7.750841] [drm] Supports vblank timestamp caching Rev 2 (21.10.2013).
> [ 7.757620] [drm] Driver supports precise vblank timestamp query.
> [ 7.811775] ------------[ cut here ]------------
> [ 7.811780] refcount_t: increment on 0; use-after-free.
> [ 7.811881] WARNING: CPU: 2 PID: 2188 at lib/refcount.c:153 refcount_inc+0x44/0x50
> [ 7.811884] Modules linked in: vc4(+) cfg80211 cec drm_kms_helper smsc95xx usbnet drm rfkill brcmutil bcm2835_rng rng_core bcm2835_dma crc32_ce i2c_bcm2835 pwm_bcm2835 ip_tables x_tables ipv6
> [ 7.811950] CPU: 2 PID: 2188 Comm: systemd-udevd Not tainted 4.14.0-next-20171122 #1
> [ 7.811953] Hardware name: Raspberry Pi 3 Model B Rev 1.2 (DT)
> [ 7.811958] task: ffff800036b91c00 task.stack: ffff00000d6f0000
> [ 7.811967] pstate: 20000005 (nzCv daif -PAN -UAO)
> [ 7.811974] pc : refcount_inc+0x44/0x50
> [ 7.811981] lr : refcount_inc+0x44/0x50
> [ 7.811984] sp : ffff00000d6f3300
> [ 7.811988] x29: ffff00000d6f3300 x28: 0000000000000000
> [ 7.811996] x27: 0000000000000003 x26: ffff800037107800
> [ 7.812004] x25: 0000000000000001 x24: ffff800035afdc00
> [ 7.812012] x23: 0000000000000000 x22: ffff800035dfa600
> [ 7.812020] x21: ffff800035afd9b0 x20: ffff800035afd9a4
> [ 7.812027] x19: 0000000000000000 x18: 0000000000000000
> [ 7.812034] x17: 0000000000000001 x16: 0000000000000019
> [ 7.812042] x15: 0000000000000001 x14: 00000000fffffff0
> [ 7.812049] x13: ffff0000090ae840 x12: ffff000008fa2d50
> [ 7.812057] x11: ffff000008fa2000 x10: ffff0000090ad000
> [ 7.812064] x9 : 0000000000000000 x8 : ffff0000090b5c2f
> [ 7.812072] x7 : 0000000000000000 x6 : 000000000015ee00
> [ 7.812079] x5 : 0000000000000000 x4 : 0000000000000000
> [ 7.812087] x3 : ffffffffffffffff x2 : 0000800030047000
> [ 7.812094] x1 : ffff800036b91c00 x0 : 000000000000002b
> [ 7.812102] Call trace:
> [ 7.812109] refcount_inc+0x44/0x50
> [ 7.812226] vc4_bo_inc_usecnt+0x84/0x88 [vc4]
> [ 7.812310] vc4_prepare_fb+0x40/0xf0 [vc4]
> [ 7.812460] drm_atomic_helper_prepare_planes+0x54/0xf0 [drm_kms_helper]
> [ 7.812543] vc4_atomic_commit+0x88/0x130 [vc4]
> [ 7.812868] drm_atomic_commit+0x48/0x68 [drm]
> [ 7.813002] restore_fbdev_mode_atomic+0x1d8/0x1e8 [drm_kms_helper]
> [ 7.813113] restore_fbdev_mode+0x28/0x160 [drm_kms_helper]
> [ 7.813223] drm_fb_helper_restore_fbdev_mode_unlocked.part.24+0x28/0x90 [drm_kms_helper]
> [ 7.813331] drm_fb_helper_set_par+0x54/0xa8 [drm_kms_helper]
> [ 7.813346] fbcon_init+0x4e8/0x538
> [ 7.813357] visual_init+0xb4/0x108
> [ 7.813366] do_bind_con_driver+0x1b8/0x3a0
> [ 7.813373] do_take_over_console+0x150/0x1d0
> [ 7.813380] do_fbcon_takeover+0x6c/0xf0
> [ 7.813387] fbcon_event_notify+0x8fc/0x928
> [ 7.813399] notifier_call_chain+0x50/0x90
> [ 7.813406] __blocking_notifier_call_chain+0x4c/0x90
> [ 7.813413] blocking_notifier_call_chain+0x14/0x20
> [ 7.813420] fb_notifier_call_chain+0x1c/0x28
> [ 7.813426] register_framebuffer+0x1d0/0x2d8
> [ 7.813533] __drm_fb_helper_initial_config_and_unlock+0x1e8/0x350 [drm_kms_helper]
> [ 7.813639] drm_fb_helper_initial_config+0x40/0x58 [drm_kms_helper]
> [ 7.813747] drm_fbdev_cma_init_with_funcs+0x88/0x158 [drm_kms_helper]
> [ 7.813855] drm_fbdev_cma_init+0x14/0x28 [drm_kms_helper]
> [ 7.813943] vc4_kms_load+0xa4/0xf0 [vc4]
> [ 7.814026] vc4_drm_bind+0x100/0x168 [vc4]
> [ 7.814038] try_to_bring_up_master+0x144/0x1a8
> [ 7.814044] component_master_add_with_match+0x9c/0xe0
> [ 7.814128] vc4_platform_drm_probe+0xb4/0xf0 [vc4]
> [ 7.814137] platform_drv_probe+0x58/0xc0
> [ 7.814146] driver_probe_device+0x224/0x308
> [ 7.814153] __driver_attach+0xac/0xb0
> [ 7.814161] bus_for_each_dev+0x64/0xa0
> [ 7.814169] driver_attach+0x20/0x28
> [ 7.814177] bus_add_driver+0x108/0x228
> [ 7.814184] driver_register+0x60/0xf8
> [ 7.814190] __platform_driver_register+0x40/0x48
> [ 7.814274] vc4_drm_register+0x38/0x1000 [vc4]
> [ 7.814283] do_one_initcall+0x38/0x120
> [ 7.814295] do_init_module+0x58/0x1b8
> [ 7.814304] load_module+0x1fa8/0x2280
> [ 7.814311] SyS_finit_module+0xc0/0xd0
> [ 7.814318] __sys_trace_return+0x0/0x4
> [ 7.814325] ---[ end trace 3348554eb91e19a1 ]---

Looks like I didn't test this code with CONFIG_REFCOUNT_FULL enabled :-/.
Anyway, can you try to apply the following diff and let me know if it fixes the problem?
Thanks, Boris --->8--- diff --git a/drivers/gpu/drm/vc4/vc4_bo.c b/drivers/gpu/drm/vc4/vc4_bo.c index 4ae45d7dac42..2decc8e2c79f 100644 --- a/drivers/gpu/drm/vc4/vc4_bo.c +++ b/drivers/gpu/drm/vc4/vc4_bo.c @@ -637,7 +637,8 @@ int vc4_bo_inc_usecnt(struct vc4_bo *bo) mutex_lock(&bo->madv_lock); switch (bo->madv) { case VC4_MADV_WILLNEED: - refcount_inc(&bo->usecnt); + if (!refcount_inc_not_zero(&bo->usecnt)) + refcount_set(&bo->usecnt, 1); ret = 0; break; case VC4_MADV_DONTNEED:
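Review bot: the `refcount_set(&bo->usecnt, 1)` fallback after a failed `refcount_inc_not_zero()` in the VC4_MADV_WILLNEED case needs a comment saying that a usecnt of 0 is a legitimate state for a live BO here (the warning above fires on the very first increment, from vc4_prepare_fb during fbdev setup), because a bare `refcount_set(..., 1)` otherwise reads like a use-after-free being papered over. The two-step sequence is only race-free because the function holds `bo->madv_lock` at that point; if any other path increments usecnt without the mutex, an increment landing between the failed `refcount_inc_not_zero()` and the `refcount_set()` would be lost, so the invariant that every usecnt increment goes through this lock is worth stating next to it. If usecnt is always touched under madv_lock, a plain counter would avoid working against refcount_t's zero protection altogether.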