AuxXxilium/linux_dsm_epyc7002
1
0
Fork 0
mirror of https://github.com/AuxXxilium/linux_dsm_epyc7002.git synced 2024-12-28 11:18:45 +07:00
Code Issues Actions Packages Projects Releases Wiki Activity
547da76b57
linux_dsm_epyc7002/drivers/gpu/drm
History
Chris Wilson 547da76b57 drm/i915: Hold rcu_read_lock when iterating over the radixtree (vma idr) 
Kasan spotted

    [IGT] gem_tiled_pread_pwrite: exiting, ret=0
    ==================================================================
    BUG: KASAN: use-after-free in __i915_gem_object_reset_page_iter+0x15c/0x170 [i915]
    Read of size 8 at addr ffff8801359da310 by task kworker/3:2/182

    CPU: 3 PID: 182 Comm: kworker/3:2 Tainted: G     U          4.14.0-rc6-CI-Custom_3340+ #1
    Hardware name: Intel Corp. Geminilake/GLK RVP1 DDR4 (05), BIOS GELKRVPA.X64.0062.B30.1708222146 08/22/2017
    Workqueue: events __i915_gem_free_work [i915]
    Call Trace:
     dump_stack+0x68/0xa0
     print_address_description+0x78/0x290
     ? __i915_gem_object_reset_page_iter+0x15c/0x170 [i915]
     kasan_report+0x23d/0x350
     __asan_report_load8_noabort+0x19/0x20
     __i915_gem_object_reset_page_iter+0x15c/0x170 [i915]
     ? i915_gem_object_truncate+0x100/0x100 [i915]
     ? lock_acquire+0x380/0x380
     __i915_gem_object_put_pages+0x30d/0x530 [i915]
     __i915_gem_free_objects+0x551/0xbd0 [i915]
     ? lock_acquire+0x13e/0x380
     __i915_gem_free_work+0x4e/0x70 [i915]
     process_one_work+0x6f6/0x1590
     ? pwq_dec_nr_in_flight+0x2b0/0x2b0
     worker_thread+0xe6/0xe90
     ? pci_mmcfg_check_reserved+0x110/0x110
     kthread+0x309/0x410
     ? process_one_work+0x1590/0x1590
     ? kthread_create_on_node+0xb0/0xb0
     ret_from_fork+0x27/0x40

    Allocated by task 1801:
     save_stack_trace+0x1b/0x20
     kasan_kmalloc+0xee/0x190
     kasan_slab_alloc+0x12/0x20
     kmem_cache_alloc+0xdc/0x2e0
     radix_tree_node_alloc.constprop.12+0x48/0x330
     __radix_tree_create+0x274/0x480
     __radix_tree_insert+0xa2/0x610
     i915_gem_object_get_sg+0x224/0x670 [i915]
     i915_gem_object_get_page+0xb5/0x1c0 [i915]
     i915_gem_pread_ioctl+0x822/0xf60 [i915]
     drm_ioctl_kernel+0x13f/0x1c0
     drm_ioctl+0x6cf/0x980
     do_vfs_ioctl+0x184/0xf30
     SyS_ioctl+0x41/0x70
     entry_SYSCALL_64_fastpath+0x1c/0xb1

    Freed by task 37:
     save_stack_trace+0x1b/0x20
     kasan_slab_free+0xaf/0x190
     kmem_cache_free+0xbf/0x340
     radix_tree_node_rcu_free+0x79/0x90
     rcu_process_callbacks+0x46d/0xf40
     __do_softirq+0x21c/0x8d3

    The buggy address belongs to the object at ffff8801359da0f0
    which belongs to the cache radix_tree_node of size 576
    The buggy address is located 544 bytes inside of
    576-byte region [ffff8801359da0f0, ffff8801359da330)
    The buggy address belongs to the page:
    page:ffffea0004d67600 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
    flags: 0x8000000000008100(slab|head)
    raw: 8000000000008100 0000000000000000 0000000000000000 0000000100110011
    raw: ffffea0004b52920 ffffea0004b38020 ffff88015b416a80 0000000000000000
    page dumped because: kasan: bad access detected

    Memory state around the buggy address:
     ffff8801359da200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
     ffff8801359da280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
    >ffff8801359da300: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
			     ^
     ffff8801359da380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
     ffff8801359da400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
    ==================================================================
    Disabling lock debugging due to kernel taint

which looks like the slab containing the radixtree iter was freed as we
traversed the tree, taking the rcu read lock across the loop should
prevent that (deferring all the frees until the end).

Reported-by: Tomi Sarvela <tomi.p.sarvela@intel.com>
Fixes: d1b48c1e71 ("drm/i915: Replace execbuf vma ht with an idr")
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20171026130032.10677-2-chris@chris-wilson.co.uk
Reviewed-by: Matthew Auld <matthew.william.auld@gmail.com>
2017-10-27 12:39:10 +01:00
..
amd drm: Pass struct drm_file * to __drm_mode_object_find [v2] 2017-10-12 10:03:04 +10:00
arc drm/arc: Use drm_gem_fb_create() 2017-09-02 14:23:06 +02:00
arm drm/arm/mali: Use drm_gem_fb_create() 2017-08-27 19:29:46 +02:00
armada drm/armada: Remove unused #include <drmP.h> 2017-09-29 09:35:36 +02:00
ast drm: Pass struct drm_file * to __drm_mode_object_find [v2] 2017-10-12 10:03:04 +10:00
atmel-hlcdc drm/atmel-hlcdc: Use drm_gem_fb_create() 2017-08-27 19:30:15 +02:00
bochs drm: Pass struct drm_file * to __drm_mode_object_find [v2] 2017-10-12 10:03:04 +10:00
bridge drm/bridge/sii8620: add remote control support 2017-10-11 13:14:25 +02:00
cirrus drm: Pass struct drm_file * to __drm_mode_object_find [v2] 2017-10-12 10:03:04 +10:00
etnaviv Merge branch 'etnaviv/next' of https://git.pengutronix.de/git/lst/linux into drm-next 2017-10-14 09:39:56 +10:00
exynos Merge tag 'drm-misc-next-2017-09-20' of git://anongit.freedesktop.org/git/drm-misc into drm-next 2017-09-28 05:46:15 +10:00
fsl-dcu drm/fsl-dcu: Use drm_gem_fb_create() 2017-10-01 17:00:20 +02:00
gma500 drm/gma500: use ARRAY_SIZE 2017-10-16 11:29:05 +02:00
hisilicon Merge tag 'drm-misc-next-2017-10-16' of git://anongit.freedesktop.org/drm/drm-misc into drm-next 2017-10-17 10:10:17 +10:00
i2c drm: i2c: tda998x: constify i2c_device_id 2017-08-22 08:33:44 +02:00
i810
i915 drm/i915: Hold rcu_read_lock when iterating over the radixtree (vma idr) 2017-10-27 12:39:10 +01:00
imx Merge tag 'drm-misc-next-2017-09-20' of git://anongit.freedesktop.org/git/drm-misc into drm-next 2017-09-28 05:46:15 +10:00
lib mm: treewide: remove GFP_TEMPORARY allocation flag 2017-09-13 18:53:16 -07:00
mediatek drm/mediatek: hdmi: clean up drm_bridge_add call 2017-08-21 08:49:24 +05:30
meson drm/meson: Use drm_gem_fb_create() 2017-10-01 17:01:39 +02:00
mga
mgag200 drm: Pass struct drm_file * to __drm_mode_object_find [v2] 2017-10-12 10:03:04 +10:00
msm drm/msm/mdp5: remove less than 0 comparison for unsigned value 2017-10-11 13:17:52 +02:00
mxsfb drm/mxsfb: Use drm_gem_fb_create() and drm_gem_fb_prepare_fb() 2017-10-01 17:02:20 +02:00
nouveau drm: Pass struct drm_file * to __drm_mode_object_find [v2] 2017-10-12 10:03:04 +10:00
omapdrm omapdrm: omapdss_hdmi_ops: add lost_hotplug op 2017-10-12 10:49:14 +03:00
panel drm/panel: Add support for the Raspberry Pi 7" Touchscreen. 2017-10-06 12:10:16 -07:00
pl111 drm/pl111: Add handling of Versatile platforms 2017-09-10 23:58:42 +02:00
qxl qxl: fix framebuffer unpinning 2017-09-25 08:35:53 +02:00
r128
radeon drm: Pass struct drm_file * to __drm_mode_object_find [v2] 2017-10-12 10:03:04 +10:00
rcar-du drm/rcar-du: Use drm_gem_fb_create() 2017-10-01 17:02:53 +02:00
rockchip drm/rockchip: add PINCTRL dependency for LVDS 2017-10-13 09:43:16 +08:00
savage
selftests mm: treewide: remove GFP_TEMPORARY allocation flag 2017-09-13 18:53:16 -07:00
shmobile drm/shmobile: Use drm_gem_fb_create() 2017-10-01 17:03:22 +02:00
sis
sti drm/sti: Use drm_gem_fb_create() 2017-08-27 19:30:49 +02:00
stm drm/stm: ltdc: remove bridge from driver internal structure 2017-10-10 11:32:48 +02:00
sun4i drm/sun4i: hdmi: Move PAD_CTRL1 setting to mode_set function 2017-10-16 09:54:46 +02:00
tdfx
tegra drm/tegra: trace: Fix path to include 2017-09-26 11:08:17 +02:00
tilcdc tilcdc changes for v4.15 2017-10-17 10:13:47 +10:00
tinydrm drm/tinydrm: Remove explicit .best_encoder assignment 2017-10-13 17:34:51 +02:00
ttm Merge branch 'drm-next-4.15' of git://people.freedesktop.org/~agd5f/linux into drm-next 2017-10-09 11:00:16 +10:00
tve200 drm/tve200: Use drm_gem_fb_create() and drm_gem_fb_prepare_fb() 2017-10-01 17:04:36 +02:00
udl drm: Pass struct drm_file * to __drm_mode_object_find [v2] 2017-10-12 10:03:04 +10:00
vc4 drm/vc4: Fix pitch setup for T-format scanout. 2017-10-13 16:40:24 -07:00
vgem drm/vgem: switch to drm_*_get(), drm_*_put() helpers 2017-08-11 11:41:43 -04:00
via drm/via: use ARRAY_SIZE 2017-10-16 11:29:28 +02:00
virtio Merge airlied/drm-next into drm-misc-next 2017-10-03 11:09:16 +02:00
vmwgfx drm: Pass struct drm_file * to __drm_mode_object_find [v2] 2017-10-12 10:03:04 +10:00
zte drm/zte: Use drm_gem_fb_create() 2017-08-27 19:31:06 +02:00
ati_pcigart.c
drm_agpsupport.c drm/agpsupport: Remove extra blank line 2017-09-20 09:54:19 -07:00
drm_atomic_helper.c Merge tag 'drm-misc-next-2017-10-16' of git://anongit.freedesktop.org/drm/drm-misc into drm-next 2017-10-17 10:10:17 +10:00
drm_atomic.c Merge tag 'drm-misc-next-2017-10-12' of git://anongit.freedesktop.org/drm/drm-misc into drm-next 2017-10-13 16:24:59 +10:00
drm_auth.c
drm_blend.c mm: treewide: remove GFP_TEMPORARY allocation flag 2017-09-13 18:53:16 -07:00
drm_bridge.c drm/bridge: change return type of drm_bridge_add function 2017-08-21 08:51:53 +05:30
drm_bufs.c
drm_cache.c
drm_color_mgmt.c drm: Pass struct drm_file * to __drm_mode_object_find [v2] 2017-10-12 10:03:04 +10:00
drm_connector.c drm: Pass struct drm_file * to __drm_mode_object_find [v2] 2017-10-12 10:03:04 +10:00
drm_context.c
drm_crtc_helper_internal.h
drm_crtc_helper.c drm: Replace kzalloc with kcalloc 2017-10-13 15:49:03 -04:00
drm_crtc_internal.h drm: Pass struct drm_file * to __drm_mode_object_find [v2] 2017-10-12 10:03:04 +10:00
drm_crtc.c drm: Pass struct drm_file * to __drm_mode_object_find [v2] 2017-10-12 10:03:04 +10:00
drm_debugfs_crc.c drm/atomic: Prepare drm_modeset_lock infrastructure for interruptible waiting, v2. 2017-09-13 09:50:52 +02:00
drm_debugfs.c
drm_dma.c
drm_dp_aux_dev.c
drm_dp_dual_mode_helper.c drm: Add retries for lspcon mode detection 2017-10-13 12:13:54 +03:00
drm_dp_helper.c drm/dp: WARN about invalid/unknown link rates and bw codes 2017-10-11 18:41:44 +03:00
drm_dp_mst_topology.c drm/dp/mst: Sideband message transaction to power up/down nodes 2017-09-11 16:03:57 +03:00
drm_drv.c drm: introduce drm_dev_{get/put} functions 2017-09-26 13:12:15 +02:00
drm_dumb_buffers.c
drm_edid_load.c drm: add backwards compatibility support for drm_kms_helper.edid_firmware 2017-09-19 18:11:45 +03:00
drm_edid.c drm: handle override and firmware EDID at drm_do_get_edid() level 2017-09-19 17:49:25 +03:00
drm_encoder_slave.c
drm_encoder.c drm: Pass struct drm_file * to __drm_mode_object_find [v2] 2017-10-12 10:03:04 +10:00
drm_fb_cma_helper.c drm/fb-cma-helper: Remove unused functions 2017-10-01 17:05:39 +02:00
drm_fb_helper.c drm: Replace kzalloc with kcalloc 2017-10-13 15:49:03 -04:00
drm_file.c drm: Document device unplug infrastructure 2017-08-11 10:48:03 +02:00
drm_flip_work.c
drm_fourcc.c
drm_framebuffer.c drm: Pass struct drm_file * to __drm_mode_object_find [v2] 2017-10-12 10:03:04 +10:00
drm_gem_cma_helper.c drm/gem-cma-helper: Remove drm_gem_cma_dumb_map_offset() 2017-08-16 20:21:24 +02:00
drm_gem_framebuffer_helper.c drm/gem-fb-helper: Improve documentation 2017-10-08 15:02:51 +02:00
drm_gem.c drm: fix typo in drm_gem_get_pages() comment 2017-10-04 18:04:28 +02:00
drm_global.c
drm_hashtab.c
drm_info.c
drm_internal.h drm: vblank: remove drm_timestamp_monotonic parameter 2017-10-13 08:34:50 +10:00
drm_ioc32.c
drm_ioctl.c drm: vblank: remove drm_timestamp_monotonic parameter 2017-10-13 08:34:50 +10:00
drm_irq.c
drm_kms_helper_common.c drm: add backwards compatibility support for drm_kms_helper.edid_firmware 2017-09-19 18:11:45 +03:00
drm_legacy.h
drm_lock.c
drm_memory.c
drm_mipi_dsi.c
drm_mm.c lib/interval_tree: fast overlap detection 2017-09-08 18:26:49 -07:00
drm_mode_config.c drm/plane: drop num_overlay_planes (v3) 2017-10-17 11:32:29 +10:00
drm_mode_object.c drm: Pass struct drm_file * to __drm_mode_object_find [v2] 2017-10-12 10:03:04 +10:00
drm_modes.c
drm_modeset_helper.c drm: Plumb modifiers through plane init 2017-08-01 17:50:06 +01:00
drm_modeset_lock.c drm/atomic: Prepare drm_modeset_lock infrastructure for interruptible waiting, v2. 2017-09-13 09:50:52 +02:00
drm_of.c drm/drm_of: Move drm_of_panel_bridge_remove_function into header. 2017-10-13 16:59:36 +02:00
drm_panel.c
drm_pci.c drm/core: clean up references to drm_dev_unref() 2017-09-27 10:53:12 +02:00
drm_plane_helper.c drm: Replace kzalloc with kcalloc 2017-10-13 15:49:03 -04:00
drm_plane.c drm/plane: drop num_overlay_planes (v3) 2017-10-17 11:32:29 +10:00
drm_prime.c drm/core: clean up references to drm_dev_unref() 2017-09-27 10:53:12 +02:00
drm_print.c
drm_probe_helper.c drm: Pass struct drm_file * to __drm_mode_object_find [v2] 2017-10-12 10:03:04 +10:00
drm_property.c drm: Pass struct drm_file * to __drm_mode_object_find [v2] 2017-10-12 10:03:04 +10:00
drm_rect.c
drm_scatter.c
drm_scdc_helper.c Merge tag 'drm-misc-next-2017-09-20' of git://anongit.freedesktop.org/git/drm-misc into drm-next 2017-09-28 05:46:15 +10:00
drm_simple_kms_helper.c drm: Plumb modifiers through plane init 2017-08-01 17:50:06 +01:00
drm_syncobj.c Merge tag 'drm-misc-next-2017-10-16' of git://anongit.freedesktop.org/drm/drm-misc into drm-next 2017-10-17 10:10:17 +10:00
drm_sysfs.c
drm_trace_points.c
drm_trace.h drm: Use correct path to trace include 2017-09-05 11:11:18 +02:00
drm_vblank.c Merge tag 'drm-misc-next-2017-10-16' of git://anongit.freedesktop.org/drm/drm-misc into drm-next 2017-10-17 10:10:17 +10:00
drm_vm.c Merge branch 'x86-mm-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2017-09-04 12:21:28 -07:00
drm_vma_manager.c lib/interval_tree: fast overlap detection 2017-09-08 18:26:49 -07:00
Kconfig Merge branch 'drm-next-4.15' of git://people.freedesktop.org/~agd5f/linux into drm-next 2017-09-28 08:37:02 +10:00
Makefile Merge branch 'drm-next-4.15' of git://people.freedesktop.org/~agd5f/linux into drm-next 2017-09-28 08:37:02 +10:00