linux_dsm_epyc7002/drivers
Andrey Ryabinin 5351fbb1bf drm/i915: fix use-after-free in page_flip_completed()
page_flip_completed() dereferences 'work' variable after executing
queue_work(). This is not safe as the 'work' item might be already freed
by queued work:

    BUG: KASAN: use-after-free in page_flip_completed+0x3ff/0x490 at addr ffff8803dc010f90
    Call Trace:
     __asan_report_load8_noabort+0x59/0x80
     page_flip_completed+0x3ff/0x490
     intel_finish_page_flip_mmio+0xe3/0x130
     intel_pipe_handle_vblank+0x2d/0x40
     gen8_irq_handler+0x4a7/0xed0
     __handle_irq_event_percpu+0xf6/0x860
     handle_irq_event_percpu+0x6b/0x160
     handle_irq_event+0xc7/0x1b0
     handle_edge_irq+0x1f4/0xa50
     handle_irq+0x41/0x70
     do_IRQ+0x9a/0x200
     common_interrupt+0x89/0x89

    Freed:
     kfree+0x113/0x4d0
     intel_unpin_work_fn+0x29a/0x3b0
     process_one_work+0x79e/0x1b70
     worker_thread+0x611/0x1460
     kthread+0x241/0x3a0
     ret_from_fork+0x27/0x40

Move queue_work() after trace_i915_flip_complete() to fix this.

Fixes: e5510fac98 ("drm/i915: add tracepoints for flip requests & completions")
Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: <stable@vger.kernel.org> # v2.6.36+
Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: http://patchwork.freedesktop.org/patch/msgid/20170126143211.24013-1-aryabinin@virtuozzo.com
(cherry picked from commit 05c41f926f)
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
2017-02-08 13:09:24 +02:00
..
accessibility
acpi ACPI fixes for v4.10-rc6 2017-01-26 17:27:00 -08:00
amba
android
ata ata: sata_mv:- Handle return value of devm_ioremap. 2017-01-06 15:45:32 -05:00
atm Replace <asm/uaccess.h> with <linux/uaccess.h> globally 2016-12-24 11:46:01 -08:00
auxdisplay auxdisplay: fix new ht16k33 build errors 2017-01-11 09:27:30 +01:00
base Char/misc driver fixes for 4.10-rc7 2017-02-04 10:44:15 -08:00
bcma Revert "bcma: init serial console directly from ChipCommon code" 2017-01-17 14:23:44 +02:00
block xen-blkfront: correct maximum segment accounting 2017-01-23 13:27:42 -05:00
bluetooth Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2016-12-16 10:24:44 -08:00
bus cpu/hotplug: Cleanup state names 2016-12-25 10:47:44 +01:00
cdrom Replace <asm/uaccess.h> with <linux/uaccess.h> globally 2016-12-24 11:46:01 -08:00
char virtio_console: fix a crash in config_work_handler 2017-01-19 23:46:31 +02:00
clk One fix for Samsung Exynos524x SoCs where recent IOMMU patches have 2017-01-21 18:46:45 -08:00
clocksource clocksource/exynos_mct: Clear interrupt when cpu is shut down 2017-01-17 10:08:38 +01:00
connector
cpufreq Merge branches 'pm-sleep' and 'pm-cpufreq' 2017-01-27 00:08:59 +01:00
cpuidle Replace <asm/uaccess.h> with <linux/uaccess.h> globally 2016-12-24 11:46:01 -08:00
crypto Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 2016-12-27 17:51:36 -08:00
dax libnvdimm for 4.10 2016-12-18 15:49:10 -08:00
dca
devfreq PM / devfreq: exynos-bus: Fix the wrong return value 2017-01-03 00:21:45 +01:00
dio Replace <asm/uaccess.h> with <linux/uaccess.h> globally 2016-12-24 11:46:01 -08:00
dma dmaengine: pl330: fix double lock 2017-01-25 15:35:11 +05:30
dma-buf
edac Replace <asm/uaccess.h> with <linux/uaccess.h> globally 2016-12-24 11:46:01 -08:00
eisa
extcon extcon: return error code on failure 2017-01-11 09:11:39 +01:00
firewire
firmware efi/fdt: Avoid FDT manipulation after ExitBootServices() 2017-02-01 21:17:49 +01:00
fmc
fpga fpga: Clarify how write_init works streaming modes 2016-11-29 15:51:49 -06:00
gpio gpio: provide lockdep keys for nested/unnested irqchips 2017-01-19 09:57:20 +01:00
gpu drm/i915: fix use-after-free in page_flip_completed() 2017-02-08 13:09:24 +02:00
hid HID: cp2112: fix gpio-callback error handling 2017-01-31 12:59:33 +01:00
hsi
hv Drivers: hv: vmbus: finally fix hv_need_to_signal_on_read() 2017-01-31 10:59:48 +01:00
hwmon hwmon: (lm90) fix temp1_max_alarm attribute 2017-01-02 10:15:28 -08:00
hwspinlock
hwtracing coresight/etm3/4x: Consolidate hotplug state space 2016-12-25 10:47:44 +01:00
i2c i2c: imx-lpi2c: add VLLS mode support 2017-01-26 00:24:23 +01:00
ide Replace <asm/uaccess.h> with <linux/uaccess.h> globally 2016-12-24 11:46:01 -08:00
idle Power management material for v4.10-rc1 2016-12-13 10:41:53 -08:00
iio iio: dht11: Use usleep_range instead of msleep for start signal 2017-01-22 13:35:40 +00:00
infiniband RDMA/cma: Fix unknown symbol when CONFIG_IPV6 is not enabled 2017-01-27 14:29:04 -05:00
input Input: synaptics-rmi4 - fix reversed conditions in enable/disable_irq_wake 2017-01-31 00:51:06 -08:00
iommu IOMMU Fixes for Linux v4.10-rc2 2017-01-06 10:49:36 -08:00
ipack
irqchip Merge branch 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2016-12-25 14:30:04 -08:00
isdn ISDN: eicon: silence misleading array-bounds warning 2017-01-27 11:27:34 -05:00
leds cpu/hotplug: Cleanup state names 2016-12-25 10:47:44 +01:00
lguest Replace <asm/uaccess.h> with <linux/uaccess.h> globally 2016-12-24 11:46:01 -08:00
lightnvm Char/Misc driver patches for 4.10-rc1 2016-12-13 12:11:01 -08:00
macintosh Replace <asm/uaccess.h> with <linux/uaccess.h> globally 2016-12-24 11:46:01 -08:00
mailbox ktime: Cleanup ktime_set() usage 2016-12-25 17:21:22 +01:00
mcb
md md/r5cache: disable write back for degraded array 2017-01-24 11:26:06 -08:00
media media fixes for v4.10-rc6 2017-01-27 10:29:33 -08:00
memory Fixes for drivers already queued to prevent 2016-11-30 14:58:00 +01:00
memstick drivers/memstick/core/memstick.c: avoid -Wnonnull warning 2017-01-24 16:26:14 -08:00
message Replace <asm/uaccess.h> with <linux/uaccess.h> globally 2016-12-24 11:46:01 -08:00
mfd - New Device Support 2016-12-19 08:16:26 -08:00
misc mei: bus: enable OS version only for SPT and newer 2017-01-11 07:43:57 +01:00
mmc mmc: sdhci: Ignore unexpected CARD_INT interrupts 2017-01-31 11:26:49 +01:00
mtd mtd: nand: lpc32xx: fix invalid error handling of a requested irq 2017-01-04 20:50:18 +01:00
net Char/misc driver fixes for 4.10-rc7 2017-02-04 10:44:15 -08:00
nfc
ntb ntb_transport: Remove unnecessary call to ntb_peer_spad_read 2016-12-23 16:11:07 -05:00
nubus Replace <asm/uaccess.h> with <linux/uaccess.h> globally 2016-12-24 11:46:01 -08:00
nvdimm libnvdimm, namespace: fix pmem namespace leak, delete when size set to zero 2017-01-13 09:50:33 -08:00
nvme nvme-fc: use blk_rq_nr_phys_segments 2017-01-26 17:49:14 +02:00
nvmem nvmem: fix nvmem_cell_read() return type doc 2017-01-04 18:22:47 +01:00
of pci-v4.10-changes 2016-12-15 12:46:48 -08:00
oprofile Replace <asm/uaccess.h> with <linux/uaccess.h> globally 2016-12-24 11:46:01 -08:00
parisc Replace <asm/uaccess.h> with <linux/uaccess.h> globally 2016-12-24 11:46:01 -08:00
parport parisc, parport_gsc: Fixes for printk continuation lines 2017-01-28 21:54:21 +01:00
pci PCI/ASPM: Handle PCI-to-PCIe bridges as roots of PCIe hierarchies 2017-01-27 15:00:45 -06:00
pcmcia drivers/pcmcia/m32r_pcc.c: check return from add_pcc_socket 2016-12-12 18:55:06 -08:00
perf cpu/hotplug: Cleanup state names 2016-12-25 10:47:44 +01:00
phy SCSI misc on 20161213 2016-12-14 10:49:33 -08:00
pinctrl pinctrl: baytrail: Add missing spinlock usage in byt_gpio_irq_handler 2017-01-30 15:53:57 +01:00
platform platform/x86: ideapad-laptop: handle ACPI event 1 2017-01-22 12:47:06 +02:00
pnp Replace <asm/uaccess.h> with <linux/uaccess.h> globally 2016-12-24 11:46:01 -08:00
power ktime: Cleanup ktime_set() usage 2016-12-25 17:21:22 +01:00
powercap powercap / RAPL: Add Knights Mill CPUID 2016-11-30 23:41:33 +01:00
pps
ps3
ptp Merge branch 'timers-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2016-12-12 19:56:15 -08:00
pwm pwm: Changes for v4.10-rc1 2016-12-15 11:45:13 -08:00
rapidio
ras
regulator regulator: Fixes for v4.10 2017-02-03 13:46:38 -08:00
remoteproc Revert "remoteproc: Merge table_ptr and cached_table pointers" 2016-12-30 03:26:31 -08:00
reset ARM: SoC driver updates for v4.10 2016-12-15 16:03:25 -08:00
rpmsg rpmsg: virtio_rpmsg_bus: fix channel creation 2016-12-30 03:12:11 -08:00
rtc rtc: jz4740: make the driver buildable as a module again 2017-01-26 23:03:21 +01:00
s390 virtio/s390: virtio: constify virtio_config_ops structures 2017-01-19 23:46:34 +02:00
sbus Replace <asm/uaccess.h> with <linux/uaccess.h> globally 2016-12-24 11:46:01 -08:00
scsi SCSI fixes on 20170203 2017-02-03 16:18:51 -08:00
sfi
sh lib: radix-tree: check accounting of existing slot replacement users 2016-12-12 18:55:08 -08:00
sn
soc soc: ti: wkup_m3_ipc: Fix error return code in wkup_m3_ipc_probe() 2017-01-12 13:37:49 -08:00
spi spi: Fixes for v4.10 2017-01-20 12:25:11 -08:00
spmi
ssb
staging staging: greybus: timesync: validate platform state callback 2017-01-25 11:36:59 +01:00
target target: support XCOPY requests without parameters 2017-01-10 08:41:30 -08:00
tc
thermal Revert "thermal: thermal_hwmon: Convert to hwmon_device_register_with_info()" 2017-01-25 09:51:08 +08:00
thunderbolt Char/Misc driver patches for 4.10-rc1 2016-12-13 12:11:01 -08:00
tty sysrq: attach sysrq handler correctly for 32-bit kernel 2017-01-11 09:22:54 +01:00
uio uio-hv-generic: store physical addresses instead of virtual 2016-12-10 14:57:58 +01:00
usb USB-serial fixes for v4.10-rc7 2017-02-03 22:19:15 +01:00
uwb
vfio vfio/spapr: Fix missing mutex unlock when creating a window 2017-02-01 09:48:34 -07:00
vhost vhost: fix initialization for vq->is_le 2017-02-03 23:38:57 +02:00
video fbdev: color map copying bounds checking 2017-01-24 16:26:14 -08:00
virt
virtio Revert "vring: Force use of DMA API for ARM-based systems with legacy devices" 2017-02-03 23:38:50 +02:00
vlynq
vme vme: Fix wrong pointer utilization in ca91cx42_slave_get 2017-01-11 10:42:16 +01:00
w1
watchdog Watchdog updates for v4.10 2016-12-24 11:27:45 -08:00
xen Merge branch 'stable/for-linus-4.10' of git://git.kernel.org/pub/scm/linux/kernel/git/konrad/swiotlb 2017-01-27 12:17:07 -08:00
zorro Replace <asm/uaccess.h> with <linux/uaccess.h> globally 2016-12-24 11:46:01 -08:00
Kconfig
Makefile