From patchwork Sat Jun 1 23:36:27 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Marek Vasut X-Patchwork-Id: 10971781 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 4031C6C5 for ; Sun, 2 Jun 2019 15:01:07 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 301B928405 for ; Sun, 2 Jun 2019 15:01:07 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 2472A28A26; Sun, 2 Jun 2019 15:01:07 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.2 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_MED autolearn=ham version=3.3.1 Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id 47E0928405 for ; Sun, 2 Jun 2019 15:01:06 +0000 (UTC) Received: from gabe.freedesktop.org (localhost [127.0.0.1]) by gabe.freedesktop.org (Postfix) with ESMTP id E267789415; Sun, 2 Jun 2019 15:00:56 +0000 (UTC) X-Original-To: dri-devel@lists.freedesktop.org Delivered-To: dri-devel@lists.freedesktop.org Received: from mail-out.m-online.net (mail-out.m-online.net [212.18.0.9]) by gabe.freedesktop.org (Postfix) with ESMTPS id 7DAC7897F0 for ; Sat, 1 Jun 2019 23:37:21 +0000 (UTC) Received: from frontend01.mail.m-online.net (unknown [192.168.8.182]) by mail-out.m-online.net (Postfix) with ESMTP id 45Gd5W6wVpz1r9Vs; Sun, 2 Jun 2019 01:37:19 +0200 (CEST) Received: from localhost (dynscan1.mnet-online.de [192.168.6.70]) by mail.m-online.net (Postfix) with ESMTP id 45Gd5W6bxWz1qqkW; Sun, 2 Jun 2019 01:37:19 +0200 (CEST) X-Virus-Scanned: amavisd-new at mnet-online.de Received: from mail.mnet-online.de ([192.168.8.182]) by localhost (dynscan1.mail.m-online.net [192.168.6.70]) (amavisd-new, port 10024) with ESMTP id Z3-t-zNEiUM7; Sun, 2 Jun 2019 01:37:18 +0200 (CEST) X-Auth-Info: isvgpZLnw2UI4eRtX19CWaTzNqbyZ7gwDWGrddvFH74= Received: from kurokawa.lan (ip-86-49-110-70.net.upcbroadband.cz [86.49.110.70]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.mnet-online.de (Postfix) with ESMTPSA; Sun, 2 Jun 2019 01:37:18 +0200 (CEST) From: Marek Vasut To: dri-devel@lists.freedesktop.org Subject: [PATCH libdrm] etnaviv: Fix double-free in etna_bo_cache_free() Date: Sun, 2 Jun 2019 01:36:27 +0200 Message-Id: <20190601233627.5092-1-marex@denx.de> X-Mailer: git-send-email 2.20.1 MIME-Version: 1.0 X-Mailman-Approved-At: Sun, 02 Jun 2019 15:00:55 +0000 X-BeenThere: dri-devel@lists.freedesktop.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Direct Rendering Infrastructure - Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Marek Vasut Errors-To: dri-devel-bounces@lists.freedesktop.org Sender: "dri-devel" X-Virus-Scanned: ClamAV using ClamSMTP The following situation can happen in a multithreaded OpenGL application. A BO is submitted from etna_cmd_stream #1 with flags set for read. A BO is submitted from etna_cmd_stream #2 with flags set for write. This triggers a flush on stream #1 and clears the BO's current_stream pointer. If at this point, stream #2 attempts to queue BO again, which does happen, the BO will be added to the submit list twice. The Linux kernel driver correctly detects this and warns about it with "BO at index %u already on submit list" kernel message. However, when cleaning the BO cache in etna_bo_cache_free(), the BO which was submitted twice will also be free()d twice, this triggering a glibc double free detector. The fix is easy, even if the BO does not have current_stream set, iterate over current streams' list of BOs before adding the BO to it and verify that the BO is not yet there. Signed-off-by: Marek Vasut Cc: Christian Gmeiner Cc: Lucas Stach Reviewed-by: Christian Gmeiner Reviewed-by: Wladimir J. van der Laan --- etnaviv/etnaviv_cmd_stream.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/etnaviv/etnaviv_cmd_stream.c b/etnaviv/etnaviv_cmd_stream.c index 7139c324..261777b0 100644 --- a/etnaviv/etnaviv_cmd_stream.c +++ b/etnaviv/etnaviv_cmd_stream.c @@ -150,11 +150,7 @@ static uint32_t bo2idx(struct etna_cmd_stream *stream, struct etna_bo *bo, pthread_mutex_lock(&idx_lock); - if (!bo->current_stream) { - idx = append_bo(stream, bo); - bo->current_stream = stream; - bo->idx = idx; - } else if (bo->current_stream == stream) { + if (bo->current_stream == stream) { idx = bo->idx; } else { /* slow-path: */ @@ -165,6 +161,8 @@ static uint32_t bo2idx(struct etna_cmd_stream *stream, struct etna_bo *bo, /* not found */ idx = append_bo(stream, bo); } + bo->current_stream = stream; + bo->idx = idx; } pthread_mutex_unlock(&idx_lock);