| Message ID | 20170126143211.24013-1-aryabinin@virtuozzo.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show
Return-Path: <intel-gfx-bounces@lists.freedesktop.org> Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 3006E601D7 for <patchwork-intel-gfx@patchwork.kernel.org>; Fri, 27 Jan 2017 15:58:48 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 1F99F26E98 for <patchwork-intel-gfx@patchwork.kernel.org>; Fri, 27 Jan 2017 15:58:48 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 1431B27FBB; Fri, 27 Jan 2017 15:58:48 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-4.1 required=2.0 tests=BAD_ENC_HEADER,BAYES_00, DKIM_SIGNED,RCVD_IN_DNSWL_MED,T_DKIM_INVALID autolearn=unavailable version=3.3.1 Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id A4D8826E98 for <patchwork-intel-gfx@patchwork.kernel.org>; Fri, 27 Jan 2017 15:58:47 +0000 (UTC) Received: from gabe.freedesktop.org (localhost [127.0.0.1]) by gabe.freedesktop.org (Postfix) with ESMTP id B5AF46EDB5; Fri, 27 Jan 2017 15:58:45 +0000 (UTC) X-Original-To: intel-gfx@lists.freedesktop.org Delivered-To: intel-gfx@lists.freedesktop.org X-Greylist: delayed 30827 seconds by postgrey-1.35 at gabe; Thu, 26 Jan 2017 23:07:16 UTC Received: from EUR01-DB5-obe.outbound.protection.outlook.com (mail-db5eur01on0119.outbound.protection.outlook.com [104.47.2.119]) by gabe.freedesktop.org (Postfix) with ESMTPS id 712956EC81; Thu, 26 Jan 2017 23:07:16 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=virtuozzo.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=U+7Naor3MFSSg1pAXny27VIxIfnDFAgNLczq9AhMsD8=; b=gNS3IUVeu5Tc+Y1jDk7zamChZqZ7L+EyAVNlvtTg+AkCxcw1nU7r+BD3xNUGxSLgYOGfwNNYKePmuzy/1vdQwRmGuBIVDZC5MsrC1eU+mEIrFYrnVuKsy/iF09eBoXxE3uuxw/CKsj4nDchpnXduCW2CxnmFRcp8mXX5AXCW1zk= Authentication-Results: spf=none (sender IP is ) smtp.mailfrom=aryabinin@virtuozzo.com; Received: from localhost.sw.ru (195.214.232.6) by DB6PR0801MB2053.eurprd08.prod.outlook.com (10.168.86.22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.860.13; Thu, 26 Jan 2017 14:33:25 +0000 From: Andrey Ryabinin <aryabinin@virtuozzo.com> To: Daniel Vetter <daniel.vetter@intel.com>, Jani Nikula <jani.nikula@linux.intel.com>, David Airlie <airlied@linux.ie> Date: Thu, 26 Jan 2017 17:32:11 +0300 Message-ID: <20170126143211.24013-1-aryabinin@virtuozzo.com> X-Mailer: git-send-email 2.10.2 MIME-Version: 1.0 X-Originating-IP: [195.214.232.6] X-ClientProxiedBy: AM5PR0101CA0023.eurprd01.prod.exchangelabs.com (10.169.240.33) To DB6PR0801MB2053.eurprd08.prod.outlook.com (10.168.86.22) X-MS-Office365-Filtering-Correlation-Id: 95f4cf65-c89d-45d7-19eb-08d445f84a4e X-Microsoft-Antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001); SRVR:DB6PR0801MB2053; X-Microsoft-Exchange-Diagnostics: 1; DB6PR0801MB2053; 3:mi/1qFOKAN8vsrBwRBNd0i/0nKojrujpuHnETs4VdCHTNPV0oubGHa+UaLtr0UD1WaYvaM4M3tL7PfCMOjXB1vEwzxRReq5FVLfZ01jeb7H3r1RMfJaoZm963tIqP/JfTOMinzT5lVkwdXfe1x3S3wEWV+v2WdoYjGHkAGZdRCDR1DMl8tHilE5wUgxuaFSKe33TQYrLV7B9m3DwNABChlFV4kNsNxQcJxYX1blHiqoXkAX9wxEYOJSIgX2h0gdM/0WY8yid613TQ9m2T171MA==; 25:rkowBuJOlia5HKtdzEQjsviGZcxL0+PhWGih2R9RAT7ouVUeX6hnPZaWcz3pTVjbVwHtXgO9U7fSU7XNcsp9YvqkFzzgiKjytHHs2SoYooAZ3tiTPZrXeQuzGlF1LbrutBVn7dS4+J+umjDPG4iBtltaFp8dhMHZA0zzxxfATAjYBXl9grOQ4eSoi/IQspXonRzY+P6Xn47S5ztFpF5+67xTofokgxdfuCwQzTbNjpkYcvJwlAvIuAtz6FQf103ko6u4sS1JlkWRyaHv3++SF/NHBwyIPsdfUeukF98i5lb+T6/bBE9mMhqUMTZv62LgvDt9eHC843BMjPymJejwtfmamR7cx8aH545ofVpJ+n6ePMA3y4TceYQngsaEZjHeZyeUuccR5zDxMp3aAK30IWT8j4kSFTMQhiw6PrioufNQqJzGRZIyHfqj/DXCVn/oGZXbZBwjRSlzY5oQfMoIKQ== X-Microsoft-Exchange-Diagnostics: 1; DB6PR0801MB2053; 31:djQu5odMEBBxTN2KWXQaK85VhKI1c5rl5R7eHMXt7fWCGlChjIcegpzb16gUcJI2a0pE6hlaULO6oLUPChT1u04GlmdPfWIdGec556Cu7iyr3dNLzNwJvQR6zvVwQstFMFP9wlwReN3RNER1qSlLp6tz737VaDTaE38niq59SfSfyB0AdasIp5ZDPvX6r7ECQld4RnU/NEE/IGN6M58xCovfE3AnTFr/Lm57aGEJOxEX/1J+bJKCWEMiP3dMgFQyzW7lhvtuX+T/uv1MMKtDGQ==; 20:/Dpys0RmjDzbFAA68b6fdHggc0UX8+NIxvrk/c3lWnw8SmpcU0dYgV8W6MWZCRig+gbnL7Ynf8p92aVuALB32TNapV2IBruP7YzjyOE4P08FiveQtVYrSKYFnuCZGjgefPcPrnpZqowTmztndaPL0eiDAMWZMFhKH7nDLdY9BvT6otM1PArseN+Zjm+v/FPgwzN+CyzluJ8ApjOTYSfUZgw8K6s7pGh/PFOcfiFbNYZ9oQR8IDR8KFm98JVsi6Fo X-Microsoft-Antispam-PRVS: <DB6PR0801MB20533A00A3DBEC0A93D49F5EB0770@DB6PR0801MB2053.eurprd08.prod.outlook.com> X-Exchange-Antispam-Report-Test: UriScan:; X-Exchange-Antispam-Report-CFA-Test: BCL:0; PCL:0; RULEID:(6040375)(601004)(2401047)(5005006)(8121501046)(3002001)(10201501046)(6041248)(20161123555025)(20161123564025)(20161123562025)(20161123560025)(6072148); SRVR:DB6PR0801MB2053; BCL:0; PCL:0; RULEID:; SRVR:DB6PR0801MB2053; X-Microsoft-Exchange-Diagnostics: 1; DB6PR0801MB2053; 4:bb+Vytd39qogs1oKOXQFW8PxkEvtIyfXARAGfamaHuHhODFXe0g/YPJ7MaLn4gB9PsomqVRS6In6gki1BgiOZt4oiX9+nYbqp57Bpog1LFxz0opUZBzDduFML8mEkQ5KyB93xtty4dOuoVJldNpKi055xUF51kD4aUmKHjRaIFKvwLskA9xGfQd18JzcOJ0WA2hgPfCk6E4qi7hNyW4AiJ6XdlnTjrf/b3ajPSj8fke6oAxPd58XYWGBF35YdAsNxFNcJLnZigfCHgrJJqKMMxNCSXAnzbAKVsJGjaE7zOULY1zrNWfgD8lEKpRfT0xnN51A3toKP1bu2aW0pK8jkWEbSbU6xFeZ6CJkGnhk8wWqpJ6qAkwotJMO5urAl7b6eKHrmgLqM9xBNvkkStxg1Xk4t9/7NrM2sZ+gt+9+9+LZpuQTrShW0EJ2A7IFgkX1gZVAd3c90GPzZ3TeubWj+3BrJ+dfsuxL++quQn/CDc4PgTsMiiA/2G9VUdAeli2MZgAprlKaljKzeAdy/AkVC+CK3AUEYgTPn+2R68DWVGhdzyKnz+YbLKvIPLiEnMek X-Forefront-PRVS: 019919A9E4 X-Forefront-Antispam-Report: SFV:NSPM; SFS:(10019020)(4630300001)(6009001)(6069001)(7916002)(39450400003)(199003)(189002)(38730400001)(5003940100001)(6486002)(68736007)(50226002)(92566002)(53416004)(81166006)(42186005)(76506005)(105586002)(7736002)(2906002)(8676002)(305945005)(81156014)(101416001)(4326007)(3846002)(6116002)(25786008)(5660300001)(33646002)(6506006)(106356001)(1076002)(50466002)(4001430100002)(54906002)(6512007)(97736004)(230783001)(48376002)(36756003)(5001770100001)(66066001)(189998001)(107886002)(53936002)(6666003)(47776003)(69596002)(86362001)(50986999); DIR:OUT; SFP:1102; SCL:1; SRVR:DB6PR0801MB2053; H:localhost.sw.ru; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en; Received-SPF: None (protection.outlook.com: virtuozzo.com does not designate permitted sender hosts) X-Microsoft-Exchange-Diagnostics: =?us-ascii?Q?1; DB6PR0801MB2053; 23:thvKUjGfTiwiuMD/tY1UnAMe8kA9ScCZmK8jA1G?= =?us-ascii?Q?xJT/Q2YjRHPgcK9NqV5j7V3EQAnIydZORB3Oai/qEWMmtHjGK7LK4RPKEevG?= =?us-ascii?Q?1CATidu5Q4LqZcoX2P0AjFr97hTF1IOdWBiFhVhn5r64XV4e0mpG3lHmatkn?= =?us-ascii?Q?9s0lZdcJAfjMVrrBupzuFdsSu0ARE8uKU4oyuw67DmzGT4y/FRHrh90NIqnH?= =?us-ascii?Q?V5/X+TFxNt4TyRu2eItovyIWInObs6IceSs9kpkuEzAKm+wGUff487q4QIPY?= =?us-ascii?Q?RBM92j0ljnMGam4OO9k6TeJEtG6RRHbPE0hy23Jh2ueduKSg1s01+yXIN5/Y?= =?us-ascii?Q?jj30ftbRJc8a58pcvq1S7lDwTkDdAbMOgrGRorMueBkLfm8So7S7S7ZjM+zl?= =?us-ascii?Q?4sT2gCsB7kJSwOvK9O7rK3tL7PIZ6oq28LIQEVHTXDjbVfiaO4zq5efRhH4f?= =?us-ascii?Q?FnhppCNIvrDVfyCX2v0Nzu19OOVptxb00159W2HycHqHw4JUgAeG5fEZz0+3?= =?us-ascii?Q?cHQa6ZhxViOUOj6cm1zT/UdGifXCnxiqT7kFEYLHK7XMGvS25+SWAA0sEqvl?= =?us-ascii?Q?GBLqsV79kmrZcL7G7JvmMVEBGcHEHjLABzhR9pq52x3aSVIZcqrKheEvUobh?= =?us-ascii?Q?F6MvHSgHdnalH7FO6tNiAZpHR0TdZzYADbkRICh59pS1gQa6G1nrCt4MBjs3?= =?us-ascii?Q?GKSXZzUfLbSU930Z52vQj+m0TfypolOWIHo0eXvl77bF9izOnCwX3RNJi3bE?= =?us-ascii?Q?as3sxf7Fwqat4vcg3kO/3cvg9pWct+xjeTcjw/KBXoaFXyeK37ysec1EVxbT?= =?us-ascii?Q?zdeVfdU7YFaC+XAjI6Cq2MUnu6ixfT5Cpl545D2NAhH2jhtnPwaGJuOkq4Yp?= =?us-ascii?Q?t//M7q6UDswGebA22HiPBcqr2ntljnE2kPA+Tjss/5WuKKZn24DTt+SwDwfQ?= =?us-ascii?Q?smczRQ49VgxcTM1fVphGrcPZ7esi1AwnoPQpo/8N8bblteSkLM+hKlmuSkDB?= =?us-ascii?Q?R9ZeK9K3kjh7oGegHa4X3+itw021VQ24zCsQ9EAMP0AVPdZsgwQo8OfqSG6I?= =?us-ascii?Q?VBJiPsj6Yr7l5uuvv3YHFo8OxBeDt3euKtjByNoE34mj1tGt3gkg6FQVqQLC?= =?us-ascii?Q?cqXr0uxYuJeCdJyP6ItWvYr+Ljsnt5JCV6pCgkK698iq+kL4OnCj68PJMaJT?= =?us-ascii?Q?teAlKgVaHtFvjpvGMOPWZjSdpusWtkzjHvJDRP/1HQXs3uqc7nbUYQ0H5uHU?= =?us-ascii?Q?7IZ5CoI7cPxJmZgmd5Hk=3D?= X-Microsoft-Exchange-Diagnostics: 1; DB6PR0801MB2053; 6:VDeslnIIegHLETtCVip0ccXPsCMdgf4S4UcNmfaM7djaTiplydSgyEwR/NDu/LVbqAUakr1XysAMRiaukGk0bKN5dpJfM71jhL7hBXPmWlNzEk8dn+7mQajkEWXk7gfdmm0aFBAl6I2Ie/Bc11BKlJ5LJM4f5AigDvXX5g83PRVRJQxnadVp5/3F8ApsnVhFTmL3ByKpaVXPknQ8DwjwHyI8i2Exdk4lFmzvD3lLL2FVT64hE9nOPnra2bbODfs0oIsgNnOYx4RUl/8G2a+HIJ1rciczBYkrmqaJ+ubVWZeqTwJOABI+9xTlDoJwQTRpa9nwJaYnIcEdHT1Aqz09WJGw8iclKhCdOuQjqDFAjWiWQtRP2u7hh2BzRiE5KIt9VGxJE9UUK+Ga2g2WZwUwFoYIP2YROoulMohXUKHP69k=; 5:kyZYUoLQcV/PgqqEm+oQJuWABHdPWbYKiLcphbyPNhQUZWRKpB9TyqpLGXuU/A00AQYfQPZhFX4kuX3hEwT/CseSTcAmCl9AQJ9NtDdtRU8/kCRz1269QjRrGDaNJvO4Q1UHIGEl5S0KzYlTerqvQQ==; 24:1Y+U7um5PiovkT6gZqhrclaZn1phN2b9IvZbddXxGl1yu81hTOA35ovcQl67adSKc+JShiofkweC/bA41K+YQHa8YaX7VT4hzgz6DelnNJQ= SpamDiagnosticOutput: 1:99 SpamDiagnosticMetadata: NSPM X-Microsoft-Exchange-Diagnostics: 1; DB6PR0801MB2053; 7:nZzB1gQSzmTaqyvCQIAqZbhj0CjMZJcwejMm9bNITEo53fCwJ2JEe82gR3uYeufdT/BW+b6KlagEmy+pD7sijIZ4INyYDsRKDifxm9SoK/x1G/At9aM1n7k6jP5e4Xz5fq7S06QKRISAXfb2oNRup4ctxih1OplffsPWYhWlU+dfz0dDhQPbyNJIZ5JiKbIYmNqDj1uOTPRpw9Dl5jANbdh65r+qs8BzYR4nBJUJ8nCgULKmBjR6qQVJQc6A8+4BN6YuvDN8o8+Pj22J7ReqS+oy++JAMjdmreBVDyZuL07mQ43gx+6JHR3mMhXRM0jZc35X5Q2Wr4s5yXD0WgwV1wFy6Txiv3lGuve4k/LHpCgjd187TRM251CBfiThQaqahCDHLVkYFNSNuUlNK6yznvRCLjtfgwptQTJACluXoz+relb1EnYj8HDKrNRrEK5cjEQy+qiqghyedpJ7I/QyLQ==; 20:ov1GOX3sleXzUvprCepNxjJjTJm/aWh4+aQAyouMZ9R/UAJ0DTR6Yadmn20Rcomiit34WeCZyZSrYrWYrYEhSDiNbKEI3wnIjmtbfyuftu/uveyN6O2fg9ofjElSj608vP2HdIuHPt9Kdwt1lrj4WlUe9M1qFh3AuOiS+APivsM= X-OriginatorOrg: virtuozzo.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 26 Jan 2017 14:33:25.9004 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB6PR0801MB2053 X-Mailman-Approved-At: Fri, 27 Jan 2017 15:58:44 +0000 Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>, intel-gfx@lists.freedesktop.org, Jesse Barnes <jbarnes@virtuousgeek.org>, linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org Subject: [Intel-gfx] [PATCH] drm/i915: fix use-after-free in page_flip_completed() X-BeenThere: intel-gfx@lists.freedesktop.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: Intel graphics driver community testing & development <intel-gfx.lists.freedesktop.org> List-Unsubscribe: <https://lists.freedesktop.org/mailman/options/intel-gfx>, <mailto:intel-gfx-request@lists.freedesktop.org?subject=unsubscribe> List-Archive: <https://lists.freedesktop.org/archives/intel-gfx> List-Post: <mailto:intel-gfx@lists.freedesktop.org> List-Help: <mailto:intel-gfx-request@lists.freedesktop.org?subject=help> List-Subscribe: <https://lists.freedesktop.org/mailman/listinfo/intel-gfx>, <mailto:intel-gfx-request@lists.freedesktop.org?subject=subscribe> Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Errors-To: intel-gfx-bounces@lists.freedesktop.org Sender: "Intel-gfx" <intel-gfx-bounces@lists.freedesktop.org> X-Virus-Scanned: ClamAV using ClamSMTP |
diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c index 8d702cf..f04a95cd 100644 --- a/drivers/gpu/drm/i915/intel_display.c +++ b/drivers/gpu/drm/i915/intel_display.c @@ -4268,10 +4268,10 @@ static void page_flip_completed(struct intel_crtc *intel_crtc) drm_crtc_vblank_put(&intel_crtc->base); wake_up_all(&dev_priv->pending_flip_queue); - queue_work(dev_priv->wq, &work->unpin_work); - trace_i915_flip_complete(intel_crtc->plane, work->pending_flip_obj); + + queue_work(dev_priv->wq, &work->unpin_work); } static int intel_crtc_wait_for_pending_flips(struct drm_crtc *crtc)
page_flip_completed() dereferences 'work' variable after executing queue_work(). This is not safe as the 'work' item might be already freed by queued work: BUG: KASAN: use-after-free in page_flip_completed+0x3ff/0x490 at addr ffff8803dc010f90 Call Trace: __asan_report_load8_noabort+0x59/0x80 page_flip_completed+0x3ff/0x490 intel_finish_page_flip_mmio+0xe3/0x130 intel_pipe_handle_vblank+0x2d/0x40 gen8_irq_handler+0x4a7/0xed0 __handle_irq_event_percpu+0xf6/0x860 handle_irq_event_percpu+0x6b/0x160 handle_irq_event+0xc7/0x1b0 handle_edge_irq+0x1f4/0xa50 handle_irq+0x41/0x70 do_IRQ+0x9a/0x200 common_interrupt+0x89/0x89 Freed: kfree+0x113/0x4d0 intel_unpin_work_fn+0x29a/0x3b0 process_one_work+0x79e/0x1b70 worker_thread+0x611/0x1460 kthread+0x241/0x3a0 ret_from_fork+0x27/0x40 Move queue_work() after trace_i915_flip_complete() to fix this. Fixes: e5510fac98a7 ("drm/i915: add tracepoints for flip requests & completions") Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com> --- drivers/gpu/drm/i915/intel_display.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)