
[5/5] drm/ttm: Fix a kernel oops due to an invalid read

Message ID 20220318174332.440068-6-zack@kde.org (mailing list archive)
State New, archived
Series drm/vmwgfx: Set of various correctness fixes

Commit Message

Zack Rusin March 18, 2022, 5:43 p.m. UTC
From: Zack Rusin <zackr@vmware.com>

The res is initialized here only if there are no errors, so passing it to
ttm_resource_fini in the error paths results in a kernel oops. In the
error paths, instead of the uninitialized res, we have to use
node->base on which ttm_resource_init was called.

Sample affected backtrace:
Unable to handle kernel NULL pointer dereference at virtual address 00000000000000d8
 Mem abort info:
   ESR = 0x96000004
   EC = 0x25: DABT (current EL), IL = 32 bits
   SET = 0, FnV = 0
   EA = 0, S1PTW = 0
   FSC = 0x04: level 0 translation fault
 Data abort info:
   ISV = 0, ISS = 0x00000004
   CM = 0, WnR = 0
 user pgtable: 4k pages, 48-bit VAs, pgdp=0000000106ac0000
 [00000000000000d8] pgd=0000000000000000, p4d=0000000000000000
 Internal error: Oops: 96000004 [#1] SMP
 Modules linked in: bnep vsock_loopback vmw_vsock_virtio_transport_common
 vsock snd_hda_codec_generic snd_hda_intel snd_intel_dspcfg snd_hda_codec
 snd_hwdep >
 CPU: 0 PID: 1197 Comm: gnome-shell Tainted: G    U  5.17.0-rc2-vmwgfx #2
 Hardware name: VMware, Inc. VBSA/VBSA, BIOS VEFI 12/31/2020
 pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
 pc : ttm_resource_fini+0x5c/0xac [ttm]
 lr : ttm_range_man_alloc+0x128/0x1e0 [ttm]
 sp : ffff80000d783510
 x29: ffff80000d783510 x28: 0000000000000000 x27: ffff000086514400
 x26: 0000000000000300 x25: ffff0000809f9e78 x24: 0000000000000000
 x23: ffff80000d783680 x22: ffff000086514400 x21: 00000000ffffffe4
 x20: ffff80000d7836a0 x19: ffff0000809f9e00 x18: 0000000000000000
 x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
 x14: 0000000000000000 x13: 0000000000000800 x12: ffff0000f2600a00
 x11: 000000000000fc96 x10: 0000000000000000 x9 : ffff800001295c18
 x8 : 0000000000000000 x7 : 0000000000000300 x6 : 0000000000000000
 x5 : 0000000000000000 x4 : ffff0000f1034e20 x3 : ffff0000f1034600
 x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000600000
 Call trace:
  ttm_resource_fini+0x5c/0xac [ttm]
  ttm_range_man_alloc+0x128/0x1e0 [ttm]
  ttm_resource_alloc+0x58/0x90 [ttm]
  ttm_bo_mem_space+0xc8/0x3e4 [ttm]
  ttm_bo_validate+0xb4/0x134 [ttm]
  vmw_bo_pin_in_start_of_vram+0xbc/0x200 [vmwgfx]
  vmw_framebuffer_pin+0xc0/0x154 [vmwgfx]
  vmw_ldu_primary_plane_atomic_update+0x8c/0x6e0 [vmwgfx]
  drm_atomic_helper_commit_planes+0x11c/0x2e0
  drm_atomic_helper_commit_tail+0x60/0xb0
  commit_tail+0x1b0/0x210
  drm_atomic_helper_commit+0x168/0x400
  drm_atomic_commit+0x64/0x74
  drm_atomic_helper_set_config+0xdc/0x11c
  drm_mode_setcrtc+0x1c4/0x780
  drm_ioctl_kernel+0xd0/0x1a0
  drm_ioctl+0x2c4/0x690
  vmw_generic_ioctl+0xe0/0x174 [vmwgfx]
  vmw_unlocked_ioctl+0x24/0x30 [vmwgfx]
  __arm64_sys_ioctl+0xb4/0x100
  invoke_syscall+0x78/0x100
  el0_svc_common.constprop.0+0x54/0x184
  do_el0_svc+0x34/0x9c
  el0_svc+0x48/0x1b0
  el0t_64_sync_handler+0xa4/0x130
  el0t_64_sync+0x1a4/0x1a8
 Code: 35000260 f9401a81 52800002 f9403a60 (f9406c23)
 ---[ end trace 0000000000000000 ]---

Signed-off-by: Zack Rusin <zackr@vmware.com>
Fixes: de3688e469b0 ("drm/ttm: add ttm_resource_fini v2")
Cc: Christian König <christian.koenig@amd.com>
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
Reviewed-by: Martin Krastev <krastevm@vmware.com>
---
 drivers/gpu/drm/ttm/ttm_range_manager.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
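The failure mode the commit message describes, as an added illustration (example code written for this page, not from the patch or from the TTM driver; every name in it is a hypothetical stand-in): a user-space model in which the out-parameter is assigned only on success, with the original and the patched error path side by side and a check that counts init/fini pairings instead of oopsing.

```c
/*
 * Added example, not code from this patch or from drivers/gpu/drm/ttm: a
 * user-space model of the init/fini pairing ttm_range_man_alloc() got wrong.
 * The out-parameter *res is assigned only on success, so the error path must
 * finalize the object that was initialized (the embedded node->base), not
 * whatever *res holds. All names below are hypothetical stand-ins.
 */
#include <errno.h>
#include <stdlib.h>
#include <string.h>

struct resource {
	int initialized;      /* set by resource_init(), cleared by resource_fini() */
};

struct range_node {
	struct resource base; /* embedded first, like ttm_range_mgr_node::base */
};

/* Counters so a caller can verify each init was paired with exactly one fini. */
static int init_count, fini_count, null_fini_count;

static void resource_init(struct resource *r)
{
	memset(r, 0, sizeof(*r));
	r->initialized = 1;
	init_count++;
}

/* The real ttm_resource_fini() dereferences its argument, so NULL oopses.
 * This model counts a NULL argument instead, so a test can observe the bug. */
static void resource_fini(struct resource *r)
{
	if (!r) {
		null_fini_count++;
		return;
	}
	r->initialized = 0;
	fini_count++;
}

/* Stand-in for the range insertion that can fail with -ENOSPC. */
static int range_insert(struct range_node *node, int force_fail)
{
	(void)node;
	return force_fail ? -ENOSPC : 0;
}

/* Models ttm_range_man_alloc(): fixed_cleanup == 0 reproduces the original
 * error path, fixed_cleanup == 1 the patched one. */
static int range_alloc(struct resource **res, int force_fail, int fixed_cleanup)
{
	struct range_node *node = calloc(1, sizeof(*node));
	int ret;

	if (!node)
		return -ENOMEM;
	resource_init(&node->base);
	ret = range_insert(node, force_fail);
	if (ret) {
		if (fixed_cleanup)
			resource_fini(&node->base); /* the object init ran on */
		else
			resource_fini(*res);        /* BUG: *res not assigned yet */
		free(node);
		return ret;
	}
	*res = &node->base; /* only the success path publishes the resource */
	return 0;
}

/* Forces one failed allocation. Returns 0 if init/fini were balanced, 1 if
 * fini was handed NULL (the kernel oops), -1 on any other unexpected state. */
static int check_error_path(int fixed_cleanup)
{
	struct resource *res = NULL;

	init_count = fini_count = null_fini_count = 0;
	if (range_alloc(&res, 1, fixed_cleanup) != -ENOSPC || res != NULL)
		return -1;
	if (null_fini_count)
		return 1;
	return (init_count == 1 && fini_count == 1) ? 0 : -1;
}

/* Success path: *res must point at an initialized resource, released after. */
static int check_success_path(void)
{
	struct resource *res = NULL;
	int ok;

	if (range_alloc(&res, 0, 1) != 0 || !res)
		return -1;
	ok = res->initialized;
	resource_fini(res);
	free((struct range_node *)res); /* valid: base is the first member */
	return ok ? 0 : -1;
}
```

check_error_path(0) returns 1 because the original error path hands resource_fini() the caller's still-NULL *res, which in the kernel is the read at offset 0xd8 shown in the backtrace; check_error_path(1) returns 0 because the one init on node->base is matched by one fini on the same object before the node is freed. Call both, plus check_success_path(), from a main() of your own to run the model stand-alone.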

Comments

Christian König March 21, 2022, 9:47 a.m. UTC | #1
Am 18.03.22 um 18:43 schrieb Zack Rusin:
> From: Zack Rusin <zackr@vmware.com>
>
> The res is initialized here only if there are no errors, so passing it to
> ttm_resource_fini in the error paths results in a kernel oops. In the
> error paths, instead of the uninitialized res, we have to use
> node->base on which ttm_resource_init was called.
>
> Sample affected backtrace:
> Unable to handle kernel NULL pointer dereference at virtual address 00000000000000d8
>   Mem abort info:
>     ESR = 0x96000004
>     EC = 0x25: DABT (current EL), IL = 32 bits
>     SET = 0, FnV = 0
>     EA = 0, S1PTW = 0
>     FSC = 0x04: level 0 translation fault
>   Data abort info:
>     ISV = 0, ISS = 0x00000004
>     CM = 0, WnR = 0
>   user pgtable: 4k pages, 48-bit VAs, pgdp=0000000106ac0000
>   [00000000000000d8] pgd=0000000000000000, p4d=0000000000000000
>   Internal error: Oops: 96000004 [#1] SMP
>   Modules linked in: bnep vsock_loopback vmw_vsock_virtio_transport_common
>   vsock snd_hda_codec_generic snd_hda_intel snd_intel_dspcfg snd_hda_codec
>   snd_hwdep >
>   CPU: 0 PID: 1197 Comm: gnome-shell Tainted: G    U  5.17.0-rc2-vmwgfx #2
>   Hardware name: VMware, Inc. VBSA/VBSA, BIOS VEFI 12/31/2020
>   pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
>   pc : ttm_resource_fini+0x5c/0xac [ttm]
>   lr : ttm_range_man_alloc+0x128/0x1e0 [ttm]
>   sp : ffff80000d783510
>   x29: ffff80000d783510 x28: 0000000000000000 x27: ffff000086514400
>   x26: 0000000000000300 x25: ffff0000809f9e78 x24: 0000000000000000
>   x23: ffff80000d783680 x22: ffff000086514400 x21: 00000000ffffffe4
>   x20: ffff80000d7836a0 x19: ffff0000809f9e00 x18: 0000000000000000
>   x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
>   x14: 0000000000000000 x13: 0000000000000800 x12: ffff0000f2600a00
>   x11: 000000000000fc96 x10: 0000000000000000 x9 : ffff800001295c18
>   x8 : 0000000000000000 x7 : 0000000000000300 x6 : 0000000000000000
>   x5 : 0000000000000000 x4 : ffff0000f1034e20 x3 : ffff0000f1034600
>   x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000600000
>   Call trace:
>    ttm_resource_fini+0x5c/0xac [ttm]
>    ttm_range_man_alloc+0x128/0x1e0 [ttm]
>    ttm_resource_alloc+0x58/0x90 [ttm]
>    ttm_bo_mem_space+0xc8/0x3e4 [ttm]
>    ttm_bo_validate+0xb4/0x134 [ttm]
>    vmw_bo_pin_in_start_of_vram+0xbc/0x200 [vmwgfx]
>    vmw_framebuffer_pin+0xc0/0x154 [vmwgfx]
>    vmw_ldu_primary_plane_atomic_update+0x8c/0x6e0 [vmwgfx]
>    drm_atomic_helper_commit_planes+0x11c/0x2e0
>    drm_atomic_helper_commit_tail+0x60/0xb0
>    commit_tail+0x1b0/0x210
>    drm_atomic_helper_commit+0x168/0x400
>    drm_atomic_commit+0x64/0x74
>    drm_atomic_helper_set_config+0xdc/0x11c
>    drm_mode_setcrtc+0x1c4/0x780
>    drm_ioctl_kernel+0xd0/0x1a0
>    drm_ioctl+0x2c4/0x690
>    vmw_generic_ioctl+0xe0/0x174 [vmwgfx]
>    vmw_unlocked_ioctl+0x24/0x30 [vmwgfx]
>    __arm64_sys_ioctl+0xb4/0x100
>    invoke_syscall+0x78/0x100
>    el0_svc_common.constprop.0+0x54/0x184
>    do_el0_svc+0x34/0x9c
>    el0_svc+0x48/0x1b0
>    el0t_64_sync_handler+0xa4/0x130
>    el0t_64_sync+0x1a4/0x1a8
>   Code: 35000260 f9401a81 52800002 f9403a60 (f9406c23)
>   ---[ end trace 0000000000000000 ]---
>
> Signed-off-by: Zack Rusin <zackr@vmware.com>
> Fixes: de3688e469b0 ("drm/ttm: add ttm_resource_fini v2")
> Cc: Christian König <christian.koenig@amd.com>
> Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
> Reviewed-by: Martin Krastev <krastevm@vmware.com>

Reviewed-by: Christian König <christian.koenig@amd.com> and pushed to 
drm-misc-next-fixes.

> ---
>   drivers/gpu/drm/ttm/ttm_range_manager.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/ttm/ttm_range_manager.c b/drivers/gpu/drm/ttm/ttm_range_manager.c
> index 8cd4f3fb9f79..d91666721dc6 100644
> --- a/drivers/gpu/drm/ttm/ttm_range_manager.c
> +++ b/drivers/gpu/drm/ttm/ttm_range_manager.c
> @@ -89,7 +89,7 @@ static int ttm_range_man_alloc(struct ttm_resource_manager *man,
>   	spin_unlock(&rman->lock);
>   
>   	if (unlikely(ret)) {
> -		ttm_resource_fini(man, *res);
> +		ttm_resource_fini(man, &node->base);
>   		kfree(node);
>   		return ret;
>   	}
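Review bot: The replacement target is right: the commit message says *res is assigned only on the success path, so on this branch `ttm_resource_fini(man, *res)` dereferenced whatever the caller had left in *res (NULL here, matching the fault at virtual address 0xd8 with pc inside ttm_resource_fini and x1 == 0 in the register dump), whereas `&node->base` is the object ttm_resource_init was actually called on. Keeping the fini before kfree(node) is also the correct order, since base is embedded in node and fini must not run on freed memory.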

Patch

diff --git a/drivers/gpu/drm/ttm/ttm_range_manager.c b/drivers/gpu/drm/ttm/ttm_range_manager.c
index 8cd4f3fb9f79..d91666721dc6 100644
--- a/drivers/gpu/drm/ttm/ttm_range_manager.c
+++ b/drivers/gpu/drm/ttm/ttm_range_manager.c
@@ -89,7 +89,7 @@  static int ttm_range_man_alloc(struct ttm_resource_manager *man,
 	spin_unlock(&rman->lock);
 
 	if (unlikely(ret)) {
-		ttm_resource_fini(man, *res);
+		ttm_resource_fini(man, &node->base);
 		kfree(node);
 		return ret;
 	}
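Review bot: One follow-up worth considering for this hunk, not a blocker: if no caller reads *res after a failed allocation, assigning `*res = &node->base` immediately after ttm_resource_init() and before the insertion that can fail would let the success and error paths finalize through the same pointer, which makes it harder to reintroduce this init/fini mismatch in a later edit. As written, the one-line change is the minimal correct fix and the `Fixes:` tag points at the commit that introduced the fini call, so it is suitable for stable as-is.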