linux_dsm_epyc7002/drivers
Chris Wilson 23e873389d drm/i915: Hold rcu_read_lock when iterating over the radixtree (objects)
Kasan spotted

    [IGT] gem_tiled_pread_pwrite: exiting, ret=0
    ==================================================================
    BUG: KASAN: use-after-free in __i915_gem_object_reset_page_iter+0x15c/0x170 [i915]
    Read of size 8 at addr ffff8801359da310 by task kworker/3:2/182

    CPU: 3 PID: 182 Comm: kworker/3:2 Tainted: G     U          4.14.0-rc6-CI-Custom_3340+ #1
    Hardware name: Intel Corp. Geminilake/GLK RVP1 DDR4 (05), BIOS GELKRVPA.X64.0062.B30.1708222146 08/22/2017
    Workqueue: events __i915_gem_free_work [i915]
    Call Trace:
     dump_stack+0x68/0xa0
     print_address_description+0x78/0x290
     ? __i915_gem_object_reset_page_iter+0x15c/0x170 [i915]
     kasan_report+0x23d/0x350
     __asan_report_load8_noabort+0x19/0x20
     __i915_gem_object_reset_page_iter+0x15c/0x170 [i915]
     ? i915_gem_object_truncate+0x100/0x100 [i915]
     ? lock_acquire+0x380/0x380
     __i915_gem_object_put_pages+0x30d/0x530 [i915]
     __i915_gem_free_objects+0x551/0xbd0 [i915]
     ? lock_acquire+0x13e/0x380
     __i915_gem_free_work+0x4e/0x70 [i915]
     process_one_work+0x6f6/0x1590
     ? pwq_dec_nr_in_flight+0x2b0/0x2b0
     worker_thread+0xe6/0xe90
     ? pci_mmcfg_check_reserved+0x110/0x110
     kthread+0x309/0x410
     ? process_one_work+0x1590/0x1590
     ? kthread_create_on_node+0xb0/0xb0
     ret_from_fork+0x27/0x40

    Allocated by task 1801:
     save_stack_trace+0x1b/0x20
     kasan_kmalloc+0xee/0x190
     kasan_slab_alloc+0x12/0x20
     kmem_cache_alloc+0xdc/0x2e0
     radix_tree_node_alloc.constprop.12+0x48/0x330
     __radix_tree_create+0x274/0x480
     __radix_tree_insert+0xa2/0x610
     i915_gem_object_get_sg+0x224/0x670 [i915]
     i915_gem_object_get_page+0xb5/0x1c0 [i915]
     i915_gem_pread_ioctl+0x822/0xf60 [i915]
     drm_ioctl_kernel+0x13f/0x1c0
     drm_ioctl+0x6cf/0x980
     do_vfs_ioctl+0x184/0xf30
     SyS_ioctl+0x41/0x70
     entry_SYSCALL_64_fastpath+0x1c/0xb1

    Freed by task 37:
     save_stack_trace+0x1b/0x20
     kasan_slab_free+0xaf/0x190
     kmem_cache_free+0xbf/0x340
     radix_tree_node_rcu_free+0x79/0x90
     rcu_process_callbacks+0x46d/0xf40
     __do_softirq+0x21c/0x8d3

    The buggy address belongs to the object at ffff8801359da0f0
    which belongs to the cache radix_tree_node of size 576
    The buggy address is located 544 bytes inside of
    576-byte region [ffff8801359da0f0, ffff8801359da330)
    The buggy address belongs to the page:
    page:ffffea0004d67600 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
    flags: 0x8000000000008100(slab|head)
    raw: 8000000000008100 0000000000000000 0000000000000000 0000000100110011
    raw: ffffea0004b52920 ffffea0004b38020 ffff88015b416a80 0000000000000000
    page dumped because: kasan: bad access detected

    Memory state around the buggy address:
     ffff8801359da200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
     ffff8801359da280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
    >ffff8801359da300: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
                             ^
     ffff8801359da380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
     ffff8801359da400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
    ==================================================================
    Disabling lock debugging due to kernel taint

which looks like the slab containing the radixtree iter was freed as we
traversed the tree; taking the rcu read lock across the loop should
prevent that (deferring all the frees until the end).

Reported-by: Tomi Sarvela <tomi.p.sarvela@intel.com>
Fixes: 96d7763452 ("drm/i915: Use a radixtree for random access to the object's backing storage")
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20171026130032.10677-1-chris@chris-wilson.co.uk
Reviewed-by: Matthew Auld <matthew.william.auld@gmail.com>
(cherry picked from commit bea6e987c1)
Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
2017-10-30 10:17:46 -07:00
accessibility
acpi ACPI: properties: Fix __acpi_node_get_property_reference() return codes 2017-10-11 21:16:37 +02:00
amba
android android: binder: Fix null ptr dereference in debug msg 2017-10-21 10:14:20 +02:00
ata ahci: don't ignore result code of ahci_reset_controller() 2017-10-02 12:21:30 -07:00
atm
auxdisplay auxdisplay: charlcd: properly restore atomic counter on error path 2017-09-18 16:06:00 +02:00
base PM / QoS: Fix device resume latency PM QoS 2017-10-24 15:20:45 +02:00
bcma
block nbd: handle interrupted sendmsg with a sndtimeo set 2017-10-24 18:50:59 -06:00
bluetooth
bus bus: mbus: fix window size calculation for 4GB windows 2017-10-12 15:01:30 +02:00
cdrom
char Merge branch 'next-tpm' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security 2017-09-24 11:34:28 -07:00
clk clk: samsung: exynos4: Enable VPLL and EPLL clocks for suspend/resume cycle 2017-10-04 09:19:13 -07:00
clocksource clockevents/drivers/cs5535: Improve resilience to spurious interrupts 2017-10-20 13:41:52 +02:00
connector
cpufreq cpufreq: dt: Fix sysfs duplicate filename creation for platform-device 2017-09-26 01:10:08 +02:00
cpuidle PM / QoS: Fix device resume latency PM QoS 2017-10-24 15:20:45 +02:00
crypto crypto: stm32 - Try to fix hash padding 2017-10-07 12:04:31 +08:00
dax - Some request-based DM core and DM multipath fixes and cleanups 2017-09-14 13:43:16 -07:00
dca
devfreq PM / devfreq: Fix memory leak when fail to register device 2017-08-28 10:31:08 +09:00
dio
dma dmaengine: altera: Use IRQ-safe spinlock calls in the error paths as well 2017-10-20 11:51:10 +05:30
dma-buf sync_file: Return consistent status in SYNC_IOC_FILE_INFO 2017-10-09 13:09:19 -03:00
edac
eisa
extcon extcon: max77693: Allow MHL attach notifier 2017-08-25 09:32:27 +09:00
firewire
firmware efi/libstub/arm: Don't randomize runtime regions when CONFIG_HIBERNATION=y 2017-10-25 12:10:59 +02:00
fmc drivers/fmc: carrier can program FPGA on registration 2017-08-28 16:24:22 +02:00
fpga fpga: altera-cvp: remove DRIVER_ATTR() usage 2017-09-19 09:20:33 +02:00
fsi drivers/fsi/scom: Remove reset before every putscom 2017-08-28 17:15:16 +02:00
gpio gpio: omap: Fix lost edge interrupts 2017-10-07 13:17:07 +02:00
gpu drm/i915: Hold rcu_read_lock when iterating over the radixtree (objects) 2017-10-30 10:17:46 -07:00
hid Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid 2017-10-12 09:08:56 -07:00
hsi
hv vmbus: hvsock: add proper sync for vmbus_hvsock_device_unregister() 2017-10-20 14:56:25 +02:00
hwmon hwmon: (tmp102) Fix first temperature reading 2017-10-24 06:17:14 -07:00
hwspinlock
hwtracing intel_th: pci: Add Lewisburg PCH support 2017-09-22 10:28:00 +02:00
i2c i2c: omap: Fix error handling for clk_get() 2017-10-18 00:19:26 +02:00
ide ide: fix IRQ assignment for PCI bus order probing 2017-10-03 14:03:31 -05:00
idle Power management updates for v4.14-rc1 2017-09-05 12:19:08 -07:00
iio iio: adc: at91-sama5d2_adc: fix probe error on missing trigger property 2017-10-14 19:52:07 +01:00
infiniband RDMA/netlink: OOPs in rdma_nl_rcv_msg() from misinterpreted flag 2017-10-25 14:54:43 -04:00
input Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input 2017-10-28 10:56:13 -07:00
iommu iommu/amd: Finish TLB flush in amd_iommu_unmap() 2017-10-13 17:32:19 +02:00
ipack
irqchip irqchip/tango: Use irq_gc_mask_disable_and_ack_set 2017-10-13 16:31:05 +01:00
isdn isdn/i4l: fetch the ppp_write buffer in one shot 2017-09-20 16:01:36 -07:00
leds as3645a: Unregister indicator LED on device unbind 2017-09-23 21:17:43 +02:00
lightnvm
macintosh powerpc/macintosh: constify wf_sensor_ops structures 2017-09-01 16:42:54 +10:00
mailbox Just behavorial changes to a controller driver: 2017-09-07 13:23:37 -07:00
mcb Char/Misc drivers for 4.14-rc1 2017-09-05 11:08:17 -07:00
md Merge branch 'for-linus' of git://git.kernel.dk/linux-block 2017-10-06 12:13:50 -07:00
media media fixes for v4.14-rc6 2017-10-17 06:23:09 -04:00
memory ARM: SoC driver updates for v4.14 2017-09-10 20:40:00 -07:00
memstick
message scsi: scsi_transport_sas: switch to bsg-lib for SMP passthrough 2017-08-29 21:51:45 -04:00
mfd dmi: Mark all struct dmi_system_id instances const 2017-09-14 11:59:30 +02:00
misc Char/Misc driver fixes for 4.14-rc5 2017-10-15 07:50:38 -04:00
mmc mmc: sdhci-pci: Fix default d3_retune for Intel host controllers 2017-10-10 08:40:04 +02:00
mtd mtd: nand: atmel: fix buffer overflow in atmel_pmecc_user 2017-09-27 17:33:28 +02:00
mux mux: make device_type const 2017-08-29 13:46:35 +02:00
net tap: reference to KVA of an unloaded module causes kernel panic 2017-10-28 19:17:21 +09:00
nfc
ntb
nubus
nvdimm libnvdimm, namespace: fix btt claim class crash 2017-09-18 17:29:01 -07:00
nvme nvme-rdma: Fix error status return in tagset allocation failure 2017-10-19 17:13:51 +02:00
nvmem nvmem: add missing of_node_put() in of_nvmem_cell_get() 2017-09-18 16:12:26 +02:00
of Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-10-21 22:44:48 -04:00
oprofile
parisc parisc: Fix up devices below a PCI-PCI MegaRAID controller bridge 2017-08-24 18:46:44 +02:00
parport Char/Misc drivers for 4.14-rc1 2017-09-05 11:08:17 -07:00
pci PCI: aardvark: Move to struct pci_host_bridge IRQ mapping functions 2017-10-10 21:17:43 -05:00
pcmcia MIPS: Alchemy: Threaded carddetect irqs for devboards 2017-08-29 15:21:53 +02:00
perf drivers/perf: arm_pmu_acpi: Release memory obtained by kasprintf 2017-09-22 15:11:46 +01:00
phy phy: rockchip-typec: Check for errors from tcphy_phy_init() 2017-10-03 15:18:41 +05:30
pinctrl pinctrl: mcp23s08: fix interrupt handling regression 2017-10-19 10:20:03 +02:00
platform platform/x86: intel_pmc_ipc: Use spin_lock to protect GCR updates 2017-10-23 20:16:36 +03:00
pnp dmi: Mark all struct dmi_system_id instances const 2017-09-14 11:59:30 +02:00
power power supply and reset changes for the v4.14 series 2017-09-09 14:44:39 -07:00
powercap
pps drivers/pps: use surrounding "if PPS" to remove numerous dependency checks 2017-09-08 18:26:51 -07:00
ps3
ptp
pwm pwm: Changes for v4.14-rc1 2017-09-11 13:04:32 -07:00
rapidio rapidio: remove global irq spinlocks from the subsystem 2017-10-03 17:54:24 -07:00
ras RAS/CEC: Use the right length for "cec_disable" 2017-10-05 14:23:06 +02:00
regulator Merge remote-tracking branches 'regulator/fix/axp20x' and 'regulator/fix/rn5t618' into regulator-linus 2017-10-23 11:46:30 +02:00
remoteproc remoteproc: imx_rproc: fix return value check in imx_rproc_addr_init() 2017-10-11 10:47:47 -07:00
reset reset: socfpga: fix for 64-bit compilation 2017-10-04 10:29:44 +02:00
rpmsg rpmsg: glink: Fix memory leak in qcom_glink_alloc_intent() 2017-10-10 11:22:09 -07:00
rtc RTC for 4.14 2017-09-13 10:56:00 -07:00
s390 SCSI fixes on 20171027 2017-10-28 10:46:20 -07:00
sbus
scsi SCSI fixes on 20171027 2017-10-28 10:46:20 -07:00
sfi
sh
sn
soc Merge branch '4.14-features' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus 2017-09-15 20:43:33 -07:00
spi Merge remote-tracking branches 'spi/fix/armada', 'spi/fix/idr', 'spi/fix/qspi', 'spi/fix/stm32' and 'spi/fix/uapi' into spi-linus 2017-10-25 14:06:34 +02:00
spmi spmi: pmic-arb: Move the ownership check to irq_chip callback 2017-08-28 13:52:22 +02:00
ssb
staging Staging/IIO fixes for 4.14-rc6 2017-10-23 06:37:16 -04:00
target Merge branch 'work.set_fs' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2017-09-14 18:13:32 -07:00
tc
tee
thermal Merge branches 'thermal-core', 'thermal-soc', 'thermal-intel' and 'const-thermal-zone-structure' into next 2017-09-08 11:20:04 +08:00
thunderbolt ACPI updates for v4.14-rc1 2017-09-05 12:45:03 -07:00
tty tty: fall back to N_NULL if switching to N_TTY fails during hangup 2017-10-13 16:18:33 -07:00
uio
usb usb: hub: Allow reset retry for USB2 devices on connect bounce 2017-10-19 09:49:11 +02:00
uwb uwb: properly check kthread_run return value 2017-09-18 11:28:23 +02:00
vfio vfio: platform: constify amba_id 2017-08-30 14:03:42 -06:00
vhost lib/interval_tree: fast overlap detection 2017-09-08 18:26:49 -07:00
video fbdev changes for v4.14: 2017-09-14 13:33:33 -07:00
virt virt: Convert to using %pOF instead of full_name 2017-08-29 08:52:51 -05:00
virtio SCSI misc on 20170907 2017-09-07 21:11:05 -07:00
vlynq
vme
w1 power supply and reset changes for the v4.14 series 2017-09-09 14:44:39 -07:00
watchdog Merge branch '4.14-features' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus 2017-09-15 20:43:33 -07:00
xen xen: fixes for 4.14-rc7 2017-10-27 20:41:05 -07:00
zorro
Kconfig
Makefile