mirror of
https://github.com/AuxXxilium/linux_dsm_epyc7002.git
synced 2025-03-11 08:32:56 +07:00
2759e39535
The hwsp_cacheline pointer from i915_request is very, very flimsy. The
i915_request.timeline (and the hwsp_cacheline) are lost upon retiring
(after an RCU grace). Therefore we need to confirm that once we have the
right pointer for the cacheline, it is not in the process of being
retired and disposed of before we attempt to acquire a reference to the
cacheline.
<3>[ 547.208237] BUG: KASAN: use-after-free in active_debug_hint+0x6a/0x70 [i915]
<3>[ 547.208366] Read of size 8 at addr ffff88822a0d2710 by task gem_exec_parall/2536
<4>[ 547.208547] CPU: 3 PID: 2536 Comm: gem_exec_parall Tainted: G U 5.7.0-rc2-ged7a286b5d02d-kasan_117+ #1
<4>[ 547.208556] Hardware name: Dell Inc. XPS 13 9350/, BIOS 1.4.12 11/30/2016
<4>[ 547.208564] Call Trace:
<4>[ 547.208579] dump_stack+0x96/0xdb
<4>[ 547.208707] ? active_debug_hint+0x6a/0x70 [i915]
<4>[ 547.208719] print_address_description.constprop.6+0x16/0x310
<4>[ 547.208841] ? active_debug_hint+0x6a/0x70 [i915]
<4>[ 547.208963] ? active_debug_hint+0x6a/0x70 [i915]
<4>[ 547.208975] __kasan_report+0x137/0x190
<4>[ 547.209106] ? active_debug_hint+0x6a/0x70 [i915]
<4>[ 547.209127] kasan_report+0x32/0x50
<4>[ 547.209257] ? i915_gemfs_fini+0x40/0x40 [i915]
<4>[ 547.209376] active_debug_hint+0x6a/0x70 [i915]
<4>[ 547.209389] debug_print_object+0xa7/0x220
<4>[ 547.209405] ? lockdep_hardirqs_on+0x348/0x5f0
<4>[ 547.209426] debug_object_assert_init+0x297/0x430
<4>[ 547.209449] ? debug_object_free+0x360/0x360
<4>[ 547.209472] ? lock_acquire+0x1ac/0x8a0
<4>[ 547.209592] ? intel_timeline_read_hwsp+0x4f/0x840 [i915]
<4>[ 547.209737] ? i915_active_acquire_if_busy+0x66/0x120 [i915]
<4>[ 547.209861] i915_active_acquire_if_busy+0x66/0x120 [i915]
<4>[ 547.209990] ? __live_alloc.isra.15+0xc0/0xc0 [i915]
<4>[ 547.210005] ? rcu_read_lock_sched_held+0xd0/0xd0
<4>[ 547.210017] ? print_usage_bug+0x580/0x580
<4>[ 547.210153] intel_timeline_read_hwsp+0xbc/0x840 [i915]
<4>[ 547.210284] __emit_semaphore_wait+0xd5/0x480 [i915]
<4>[ 547.210415] ? i915_fence_get_timeline_name+0x110/0x110 [i915]
<4>[ 547.210428] ? lockdep_hardirqs_on+0x348/0x5f0
<4>[ 547.210442] ? _raw_spin_unlock_irq+0x2a/0x40
<4>[ 547.210567] ? __await_execution.constprop.51+0x2e0/0x570 [i915]
<4>[ 547.210706] i915_request_await_dma_fence+0x8f7/0xc70 [i915]
Fixes:
|
||
|---|---|---|
| .. | ||
| amd | ||
| arc | ||
| arm | ||
| armada | ||
| aspeed | ||
| ast | ||
| atmel-hlcdc | ||
| bochs | ||
| bridge | ||
| cirrus | ||
| etnaviv | ||
| exynos | ||
| fsl-dcu | ||
| gma500 | ||
| hisilicon | ||
| i2c | ||
| i810 | ||
| i915 | ||
| imx | ||
| ingenic | ||
| lib | ||
| lima | ||
| mcde | ||
| mediatek | ||
| meson | ||
| mga | ||
| mgag200 | ||
| msm | ||
| mxsfb | ||
| nouveau | ||
| omapdrm | ||
| panel | ||
| panfrost | ||
| pl111 | ||
| qxl | ||
| r128 | ||
| radeon | ||
| rcar-du | ||
| rockchip | ||
| savage | ||
| scheduler | ||
| selftests | ||
| shmobile | ||
| sis | ||
| sti | ||
| stm | ||
| sun4i | ||
| tdfx | ||
| tegra | ||
| tidss | ||
| tilcdc | ||
| tiny | ||
| ttm | ||
| tve200 | ||
| udl | ||
| v3d | ||
| vboxvideo | ||
| vc4 | ||
| vgem | ||
| via | ||
| virtio | ||
| vkms | ||
| vmwgfx | ||
| xen | ||
| zte | ||
| drm_agpsupport.c | ||
| drm_atomic_helper.c | ||
| drm_atomic_state_helper.c | ||
| drm_atomic_uapi.c | ||
| drm_atomic.c | ||
| drm_auth.c | ||
| drm_blend.c | ||
| drm_bridge_connector.c | ||
| drm_bridge.c | ||
| drm_bufs.c | ||
| drm_cache.c | ||
| drm_client_modeset.c | ||
| drm_client.c | ||
| drm_color_mgmt.c | ||
| drm_connector.c | ||
| drm_context.c | ||
| drm_crtc_helper_internal.h | ||
| drm_crtc_helper.c | ||
| drm_crtc_internal.h | ||
| drm_crtc.c | ||
| drm_damage_helper.c | ||
| drm_debugfs_crc.c | ||
| drm_debugfs.c | ||
| drm_dma.c | ||
| drm_dp_aux_dev.c | ||
| drm_dp_cec.c | ||
| drm_dp_dual_mode_helper.c | ||
| drm_dp_helper.c | ||
| drm_dp_mst_topology_internal.h | ||
| drm_dp_mst_topology.c | ||
| drm_drv.c | ||
| drm_dsc.c | ||
| drm_dumb_buffers.c | ||
| drm_edid_load.c | ||
| drm_edid.c | ||
| drm_encoder_slave.c | ||
| drm_encoder.c | ||
| drm_fb_cma_helper.c | ||
| drm_fb_helper.c | ||
| drm_file.c | ||
| drm_flip_work.c | ||
| drm_format_helper.c | ||
| drm_fourcc.c | ||
| drm_framebuffer.c | ||
| drm_gem_cma_helper.c | ||
| drm_gem_framebuffer_helper.c | ||
| drm_gem_shmem_helper.c | ||
| drm_gem_ttm_helper.c | ||
| drm_gem_vram_helper.c | ||
| drm_gem.c | ||
| drm_hashtab.c | ||
| drm_hdcp.c | ||
| drm_internal.h | ||
| drm_ioc32.c | ||
| drm_ioctl.c | ||
| drm_irq.c | ||
| drm_kms_helper_common.c | ||
| drm_lease.c | ||
| drm_legacy_misc.c | ||
| drm_legacy.h | ||
| drm_lock.c | ||
| drm_memory.c | ||
| drm_mipi_dbi.c | ||
| drm_mipi_dsi.c | ||
| drm_mm.c | ||
| drm_mode_config.c | ||
| drm_mode_object.c | ||
| drm_modes.c | ||
| drm_modeset_helper.c | ||
| drm_modeset_lock.c | ||
| drm_of.c | ||
| drm_panel_orientation_quirks.c | ||
| drm_panel.c | ||
| drm_pci.c | ||
| drm_plane_helper.c | ||
| drm_plane.c | ||
| drm_prime.c | ||
| drm_print.c | ||
| drm_probe_helper.c | ||
| drm_property.c | ||
| drm_rect.c | ||
| drm_scatter.c | ||
| drm_scdc_helper.c | ||
| drm_self_refresh_helper.c | ||
| drm_simple_kms_helper.c | ||
| drm_syncobj.c | ||
| drm_sysfs.c | ||
| drm_trace_points.c | ||
| drm_trace.h | ||
| drm_vblank.c | ||
| drm_vm.c | ||
| drm_vma_manager.c | ||
| drm_vram_helper_common.c | ||
| drm_writeback.c | ||
| Kconfig | ||
| Makefile | ||