From patchwork Thu Mar 24 10:52:38 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Andrzej Hajda <a.hajda@samsung.com>
X-Patchwork-Id: 8659761
Return-Path: <dri-devel-bounces@lists.freedesktop.org>
X-Original-To: patchwork-dri-devel@patchwork.kernel.org
Delivered-To: patchwork-parsemail@patchwork2.web.kernel.org
Received: from mail.kernel.org (mail.kernel.org [198.145.29.136])
	by patchwork2.web.kernel.org (Postfix) with ESMTP id 78667C0553
	for <patchwork-dri-devel@patchwork.kernel.org>;
	Thu, 24 Mar 2016 10:53:02 +0000 (UTC)
Received: from mail.kernel.org (localhost [127.0.0.1])
	by mail.kernel.org (Postfix) with ESMTP id 6439B203A0
	for <patchwork-dri-devel@patchwork.kernel.org>;
	Thu, 24 Mar 2016 10:53:01 +0000 (UTC)
Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177])
	by mail.kernel.org (Postfix) with ESMTP id 65DE82038A
	for <patchwork-dri-devel@patchwork.kernel.org>;
	Thu, 24 Mar 2016 10:53:00 +0000 (UTC)
Received: from gabe.freedesktop.org (localhost [127.0.0.1])
	by gabe.freedesktop.org (Postfix) with ESMTP id 310D36E029;
	Thu, 24 Mar 2016 10:52:56 +0000 (UTC)
X-Original-To: dri-devel@lists.freedesktop.org
Delivered-To: dri-devel@lists.freedesktop.org
Received: from mailout3.w1.samsung.com (mailout3.w1.samsung.com
	[210.118.77.13])
	by gabe.freedesktop.org (Postfix) with ESMTPS id 657B36E029
	for <dri-devel@lists.freedesktop.org>;
	Thu, 24 Mar 2016 10:52:53 +0000 (UTC)
Received: from eucpsbgm2.samsung.com (unknown [203.254.199.245])
	by mailout3.w1.samsung.com
	(Oracle Communications Messaging Server 7.0.5.31.0 64bit (built May 5
	2014)) with ESMTP id <0O4J00MGCI80XJ40@mailout3.w1.samsung.com> for
	dri-devel@lists.freedesktop.org; Thu, 24 Mar 2016 10:52:48 +0000 (GMT)
X-AuditID: cbfec7f5-f792a6d000001302-6d-56f3c70088ea
Received: from eusync4.samsung.com ( [203.254.199.214])
	by eucpsbgm2.samsung.com (EUCPMTA) with SMTP id CB.C1.04866.007C3F65;
	Thu, 24 Mar 2016 10:52:48 +0000 (GMT)
Received: from amdc1061.digital.local ([106.116.147.88])
	by eusync4.samsung.com (Oracle Communications Messaging Server
	7.0.5.31.0 64bit (built May  5 2014))
	with ESMTPA id <0O4J003CGI807Y10@eusync4.samsung.com>; Thu,
	24 Mar 2016 10:52:48 +0000 (GMT)
From: Andrzej Hajda <a.hajda@samsung.com>
To: Inki Dae <inki.dae@samsung.com>, dri-devel@lists.freedesktop.org
Subject: [PATCH] drm/exynos: fix cancel page flip code
Date: Thu, 24 Mar 2016 11:52:38 +0100
Message-id: <1458816758-5172-1-git-send-email-a.hajda@samsung.com>
X-Mailer: git-send-email 1.9.1
X-Brightmail-Tracker: 
 H4sIAAAAAAAAA+NgFnrHJMWRmVeSWpSXmKPExsVy+t/xa7oMxz+HGdz+aG5xa905VouNM9az
	Wlz5+p7NYtL9CSwWM87vY7JYe+QuuwObx/3u40wefVtWMXp83iQXwBzFZZOSmpNZllqkb5fA
	lbH+ViNrQZ9qxd7vx9kaGA/LdzFyckgImEh8OXmGCcIWk7hwbz1bFyMXh5DAUkaJla3NrBBO
	E5NE56v5rCBVbAKaEn8332QDsUUEXCS+z1jMDFLELLCRUeLYx7fsIAlhATOJ3o2nwWwWAVWJ
	k3O+sIDYvAJOEsc+TIJaJydx8thk1gmM3AsYGVYxiqaWJhcUJ6XnGukVJ+YWl+al6yXn525i
	hITC1x2MS49ZHWIU4GBU4uG9wfU5TIg1say4MvcQowQHs5IIr/gmoBBvSmJlVWpRfnxRaU5q
	8SFGaQ4WJXHembvehwgJpCeWpGanphakFsFkmTg4pRoYIztmNCx7ICirNUFr/5Oq/AqJvgl9
	im6Brn/PzFjj8bzZ+Xf81ymnT3ue/KGW9z7sVfK1V5cNRFX4EgUTXr79KGVesyREgmn36Vjt
	kzY7Xsbvz9HwzmnKeK2oEsH48WhIZU+s2l3z/ezzS3ur9xtzsSj+/bEq1v1PrEzputmc2+33
	8u09KxClxFKckWioxVxUnAgA7R3vywECAAA=
Cc: Andrzej Hajda <a.hajda@samsung.com>,
	Marek Szyprowski <m.szyprowski@samsung.com>,
	linux-samsung-soc@vger.kernel.org,
	Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
X-BeenThere: dri-devel@lists.freedesktop.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: Direct Rendering Infrastructure - Development
	<dri-devel.lists.freedesktop.org>
List-Unsubscribe: <https://lists.freedesktop.org/mailman/options/dri-devel>,
	<mailto:dri-devel-request@lists.freedesktop.org?subject=unsubscribe>
List-Archive: <https://lists.freedesktop.org/archives/dri-devel>
List-Post: <mailto:dri-devel@lists.freedesktop.org>
List-Help: <mailto:dri-devel-request@lists.freedesktop.org?subject=help>
List-Subscribe: <https://lists.freedesktop.org/mailman/listinfo/dri-devel>,
	<mailto:dri-devel-request@lists.freedesktop.org?subject=subscribe>
MIME-Version: 1.0
Errors-To: dri-devel-bounces@lists.freedesktop.org
Sender: "dri-devel" <dri-devel-bounces@lists.freedesktop.org>
X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_MED,
	T_RP_MATCHES_RCVD,
	UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

Driver code did not remove event from the list of pending events before destroy.
As a result drm core tried later to inspect invalid memory location.
The patch replaces removal code with call to core helper.

The bug was detected using KASAN:

[   10.107249] ==================================================================
[   10.107518] BUG: KASAN: use-after-free in drm_release+0xe9c/0x1000 at addr ffffffc089154a18
[   10.107784] Read of size 8 by task modetest/103
[   10.107931] =============================================================================
[   10.113191] BUG kmalloc-128 (Not tainted): kasan: bad access detected
[   10.119608] -----------------------------------------------------------------------------
[   10.119608]
[   10.129243] Disabling lock debugging due to kernel taint
[   10.134551] INFO: Allocated in drm_mode_page_flip_ioctl+0x500/0xa98 age=4 cpu=0 pid=103
[   10.142532] 	alloc_debug_processing+0x18c/0x198
[   10.147043] 	___slab_alloc.constprop.28+0x360/0x380
[   10.151906] 	__slab_alloc.isra.25.constprop.27+0x54/0xa0
[   10.157197] 	kmem_cache_alloc_trace+0x370/0x3b0
[   10.161709] 	drm_mode_page_flip_ioctl+0x500/0xa98
[   10.166400] 	drm_ioctl+0x4c4/0xb68
[   10.169787] 	do_vfs_ioctl+0x16c/0xeb8
[   10.173429] 	SyS_ioctl+0x8c/0xa0
[   10.176642] 	el0_svc_naked+0x24/0x28
[   10.180204] INFO: Freed in exynos_drm_crtc_cancel_page_flip+0xe0/0x160 age=0 cpu=0 pid=103
[   10.188447] 	free_debug_processing+0x174/0x388
[   10.192871] 	__slab_free+0x2e8/0x438
[   10.196431] 	kfree+0x350/0x360
[   10.199469] 	exynos_drm_crtc_cancel_page_flip+0xe0/0x160
[   10.204762] 	exynos_drm_preclose+0x58/0xa0
[   10.208844] 	drm_release+0x1f0/0x1000
[   10.212491] 	__fput+0x1c4/0x5b8
[   10.215613] 	____fput+0xc/0x18
[   10.218654] 	task_work_run+0x130/0x198
[   10.222385] 	do_exit+0x700/0x2278
[   10.225681] 	do_group_exit+0xe4/0x2c8
[   10.229327] 	SyS_exit_group+0x1c/0x20
[   10.232973] 	el0_svc_naked+0x24/0x28
[   10.236532] INFO: Slab 0xffffffbdc2a45500 objects=32 used=10 fp=0xffffffc089154a00 flags=0x4080
[   10.245210] INFO: Object 0xffffffc089154a00 @offset=2560 fp=0xffffffc089157600
[   10.245210]
...
[   10.384532] CPU: 0 PID: 103 Comm: modetest Tainted: G    B           4.5.0-rc3-00748-gd5e2881 #271
[   10.398325] Call trace:
[   10.400764] [<ffffffc000091428>] dump_backtrace+0x0/0x328
[   10.406141] [<ffffffc000091764>] show_stack+0x14/0x20
[   10.411176] [<ffffffc00089c550>] dump_stack+0xb0/0xe8
[   10.416210] [<ffffffc000395778>] print_trailer+0xf8/0x160
[   10.421592] [<ffffffc00039b5cc>] object_err+0x3c/0x50
[   10.426626] [<ffffffc00039d630>] kasan_report_error+0x248/0x550
[   10.432527] [<ffffffc00039da50>] __asan_report_load8_noabort+0x40/0x48
[   10.439039] [<ffffffc000b5b724>] drm_release+0xe9c/0x1000
[   10.444419] [<ffffffc0003d340c>] __fput+0x1c4/0x5b8
[   10.449280] [<ffffffc0003d3884>] ____fput+0xc/0x18
[   10.454055] [<ffffffc000101aa8>] task_work_run+0x130/0x198
[   10.459522] [<ffffffc0000bc058>] do_exit+0x700/0x2278
[   10.464557] [<ffffffc0000bdcfc>] do_group_exit+0xe4/0x2c8
[   10.469939] [<ffffffc0000bdefc>] SyS_exit_group+0x1c/0x20
[   10.475320] [<ffffffc000087530>] el0_svc_naked+0x24/0x28

Signed-off-by: Andrzej Hajda <a.hajda@samsung.com>
---
 drivers/gpu/drm/exynos/exynos_drm_crtc.c | 26 +++++++-------------------
 1 file changed, 7 insertions(+), 19 deletions(-)

diff --git a/drivers/gpu/drm/exynos/exynos_drm_crtc.c b/drivers/gpu/drm/exynos/exynos_drm_crtc.c
index 50dd33d..e78c36d 100644
--- a/drivers/gpu/drm/exynos/exynos_drm_crtc.c
+++ b/drivers/gpu/drm/exynos/exynos_drm_crtc.c
@@ -229,24 +229,12 @@ void exynos_drm_crtc_cancel_page_flip(struct drm_crtc *crtc,
 					struct drm_file *file)
 {
 	struct exynos_drm_crtc *exynos_crtc = to_exynos_crtc(crtc);
-	struct drm_pending_vblank_event *e;
-	unsigned long flags;
+	struct drm_pending_vblank_event *e = exynos_crtc->event;
 
-	spin_lock_irqsave(&crtc->dev->event_lock, flags);
-	e = exynos_crtc->event;
-	if (e && e->base.file_priv == file) {
-		exynos_crtc->event = NULL;
-		/*
-		 * event will be destroyed by core part
-		 * so below line should be removed later with core changes
-		 */
-		e->base.destroy(&e->base);
-		/*
-		 * event_space will be increased by core part
-		 * so below line should be removed later with core changes.
-		 */
-		file->event_space += sizeof(e->event);
-		atomic_dec(&exynos_crtc->pending_update);
-	}
-	spin_unlock_irqrestore(&crtc->dev->event_lock, flags);
+	if (!e || e->base.file_priv != file)
+		return;
+
+	exynos_crtc->event = NULL;
+	atomic_dec(&exynos_crtc->pending_update);
+	drm_event_cancel_free(crtc->dev, &e->base);
 }