linux_dsm_epyc7002/drivers/gpu/drm
Ben Widawsky 8637b407cf drm/i915/vma: Correct use after free in eviction
The vma will [possibly] be destroyed during unbind in eviction.
Immediately after this, we try to delete the list entry.

Chris and Ville did the debug on this before I woke up, I just get to
take credit for the fix :p

For future reference the Oops that Mika reported:

[  403.472448] BUG: unable to handle kernel paging request at 6b6b6b6b
[  403.472473] IP: [<c12c1500>] __list_del_entry+0x20/0xe0
[  403.472514] *pdpt = 000000002e89c001 *pde = 0000000000000000
[  403.472556] Oops: 0000 [#1] SMP
[  403.472582] Modules linked in: mxm_wmi snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_intel snd_hda_codec snd_hwdep snd_pcm snd_seq_midi snd_rawmidi psmouse snd_seq_midi_event snd_seq serio_raw snd_timer snd_seq_device snd soundcore snd_page_alloc wmi bnep rfcomm bluetooth mac_hid parport_pc ppdev lp parport usbhid dm_crypt firewire_ohci firewire_core crc_itu_t i915 drm_kms_helper e1000e ptp drm i2c_algo_bit pps_core xhci_hcd video
[  403.472895] CPU: 2 PID: 1940 Comm: Xorg Not tainted 3.11.0-rc2+ #827
[  403.472938] Hardware name:                  /DZ77BH-55K, BIOS BHZ7710H.86A.0070.2012.0416.2117 04/16/2012
[  403.473002] task: ec866c00 ti: ee6a2000 task.ti: ee6a2000
[  403.473039] EIP: 0060:[<c12c1500>] EFLAGS: 00013202 CPU: 2
[  403.473078] EIP is at __list_del_entry+0x20/0xe0
[  403.473109] EAX: f016d9bc EBX: f016d9bc ECX: 6b6b6b6b EDX: 6b6b6b6b
[  403.473151] ESI: 00000000 EDI: ee6a3c90 EBP: ee6a3c60 ESP: ee6a3c48
[  403.473193]  DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
[  403.473230] CR0: 80050033 CR2: 6b6b6b6b CR3: 2ec43000 CR4: 001407f0
[  403.473271] Stack:
[  403.473285]  f63b2ff0 f61f98c0 f61f8000 f016d9bc 00000000 f016d9bc ee6a3cac f8519a4a
[  403.473347]  00000000 00000000 10000000 f61f8000 0100a000 10000000 00000001 008ca000
[  403.473410]  f64ee840 f61f98c0 f016d9bc f016dcec ee6a3c98 ee6a3c98 f61f98c0 dcc58f00
[  403.473472] Call Trace:
[  403.473509]  [<f8519a4a>] i915_gem_evict_something+0x17a/0x2d0 [i915]
[  403.473567]  [<f8516ed1>] i915_gem_object_pin+0x271/0x660 [i915]
[  403.473622]  [<f851c740>] ? i915_ggtt_clear_range+0x20/0x20 [i915]
[  403.473676]  [<f8517afa>] i915_gem_object_pin_to_display_plane+0xda/0x190 [i915]
[  403.473742]  [<f852d9fa>] intel_pin_and_fence_fb_obj+0xba/0x140 [i915]
[  403.473800]  [<f852db40>] intel_gen7_queue_flip+0x30/0x1c0 [i915]
[  403.473856]  [<f85337b0>] intel_crtc_page_flip+0x1a0/0x320 [i915]
[  403.473911]  [<f847b549>] ? drm_framebuffer_reference+0x39/0x80 [drm]
[  403.473965]  [<f847f9fb>] drm_mode_page_flip_ioctl+0x28b/0x320 [drm]
[  403.474018]  [<f846fec8>] drm_ioctl+0x4b8/0x560 [drm]
[  403.474064]  [<f847f770>] ? drm_mode_gamma_get_ioctl+0xd0/0xd0 [drm]
[  403.474113]  [<c1140f8a>] ? do_sync_read+0x6a/0xa0
[  403.474154]  [<f846fa10>] ? drm_copy_field+0x80/0x80 [drm]
[  403.474193]  [<c115134c>] do_vfs_ioctl+0x7c/0x5b0
[  403.474228]  [<c1141d2f>] ? vfs_read+0xef/0x160
[  403.474263]  [<c108dcbb>] ? ktime_get_ts+0x4b/0x120
[  403.474298]  [<c1151917>] SyS_ioctl+0x97/0xa0
[  403.474330]  [<c1590bc1>] sysenter_do_call+0x12/0x22
[  403.474364] Code: 55 f4 8b 45 f8 e9 75 ff ff ff 90 55 89 e5 53 83 ec 14 8b 08 8b 50 04 81 f9 00 01 10 00 74 24 81 fa 00 02 20 00 0f 84 8e 00 00 00 <8b> 1a 39 d8 75 62 8b 59 04 39 d8 75 35 89 51 04 89 0a 83 c4 14
[  403.474566] EIP: [<c12c1500>] __list_del_entry+0x20/0xe0 SS:ESP 0068:ee6a3c48
[  403.476513] CR2: 000000006b6b6b6b

v2: Missed the drm_object_unreference use after free (Ville)
Daniel Vetter <daniel@ffwll.ch> writes:

Reported-by: Mika Kuoppala <mika.kuoppala@intel.com>
Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
Cc: Chris Wilson <chris@chris-wilson.co.uk>
Signed-off-by: Ben Widawsky <ben@bwidawsk.net>
Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
[danvet: Add the Oops from Mika to the commit message.]
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
2013-08-23 14:52:21 +02:00
ast drm/ast: inline reservations 2013-06-28 12:04:04 +10:00
cirrus drm/cirrus: inline reservations 2013-06-28 12:04:05 +10:00
exynos drm/exynos: remove duplicated error routine and unnecessary assign 2013-07-04 15:55:37 +09:00
gma500 Merge branch 'gma500-fixes' of git://github.com/patjak/drm-gma500 into drm-fixes 2013-06-11 08:16:10 +10:00
i2c
i810 i810: VM_IO is set by io_remap_pfn_range() 2013-06-29 12:46:40 +04:00
i915 drm/i915/vma: Correct use after free in eviction 2013-08-23 14:52:21 +02:00
mga
mgag200 drm/mgag200: inline reservations 2013-06-28 12:04:06 +10:00
nouveau drm/nouveau: do not allow negative sizes for now 2013-07-10 10:48:07 +10:00
omapdrm Merge branch 'drm-next' of git://people.freedesktop.org/~airlied/linux 2013-07-09 16:04:31 -07:00
qxl Linux 3.10 2013-07-18 12:03:29 +02:00
r128
radeon drm/radeon/dpm: add debugfs support for RS780/RS880 (v3) 2013-07-17 16:47:52 -04:00
rcar-du drm/rcar-du: Use the GEM PRIME helpers 2013-07-17 15:44:01 +02:00
savage drm (ast, cirrus, mgag200, nouveau, savage, vmwgfx): Remove drm_mtrr_{add, del} 2013-05-31 13:02:54 +10:00
shmobile drm/shmobile: Use the GEM PRIME helpers 2013-07-17 15:43:55 +02:00
sis
tdfx
tilcdc drm/tilcdc: Clear bits of register we're going to set. 2013-06-28 09:13:00 +10:00
ttm drm: make drm_mm_init() return void 2013-07-02 13:34:41 +10:00
udl drm: Drop all the stub gamma_get, gamma_set, load_lut functions from drivers 2013-06-17 19:42:47 +10:00
via
vmwgfx drm/vmwgfx: get rid of ttm_bo_is_reserved usage 2013-06-28 12:04:14 +10:00
ati_pcigart.c
drm_agpsupport.c
drm_auth.c
drm_buffer.c
drm_bufs.c drm: Don't leak phys_wc "handles" to userspace 2013-05-31 13:37:39 +10:00
drm_cache.c
drm_context.c
drm_crtc_helper.c drm/crtc-helper: explicit DPMS on after modeset 2013-07-22 09:55:17 +10:00
drm_crtc.c drm: add hotspot support for cursors. 2013-06-28 09:13:39 +10:00
drm_debugfs.c
drm_dma.c
drm_dp_helper.c
drm_drv.c drm: add hotspot support for cursors. 2013-06-28 09:13:39 +10:00
drm_edid_load.c drm: avoid warning in drm_load_edid_firmware() 2013-07-10 14:21:46 -07:00
drm_edid.c drm: Set aspect ratio fields in the AVI infoframe even for non CEA modes 2013-08-08 14:04:51 +02:00
drm_encoder_slave.c
drm_fb_cma_helper.c treewide: Fix typo in printk 2013-05-28 12:02:13 +02:00
drm_fb_helper.c drm/fb-helper: Make load_lut and gamma_set/gamma_get hooks optional 2013-06-17 19:42:47 +10:00
drm_fops.c drm: fix error routines in drm_open_helper 2013-07-04 10:53:37 +10:00
drm_gem_cma_helper.c drm/cma: remove GEM CMA specific dma_buf functionality 2013-07-05 15:44:54 +10:00
drm_gem.c drm: make drm_mm_init() return void 2013-07-02 13:34:41 +10:00
drm_global.c
drm_hashtab.c
drm_info.c
drm_ioc32.c
drm_ioctl.c drm: Don't leak phys_wc "handles" to userspace 2013-05-31 13:37:39 +10:00
drm_irq.c drm: fix a use-after-free when GPU acceleration disabled 2013-06-03 19:12:04 +10:00
drm_lock.c
drm_memory.c
drm_mm.c drm: WARN when removing unallocated node 2013-08-22 13:31:46 +02:00
drm_modes.c drm: Sort connector modes based on vrefresh 2013-06-11 08:35:51 +10:00
drm_pci.c drm, agpgart: Use pgprot_writecombine for AGP maps and make the MTRR optional 2013-05-31 13:37:31 +10:00
drm_platform.c
drm_prime.c drm: add mmap function to prime helpers 2013-07-05 15:44:44 +10:00
drm_proc.c
drm_rect.c
drm_scatter.c
drm_stub.c drm: drm_stub: Fixing return value if driver master_set call failed 2013-06-27 21:03:16 +10:00
drm_sysfs.c drm: Convert drm class driver from legacy pm ops to dev_pm_ops 2013-07-04 10:50:26 +10:00
drm_trace_points.c
drm_trace.h drm: fix print format of sequence in trace point 2013-07-04 10:55:27 +10:00
drm_usb.c
drm_vm.c drm: io_remap_pfn_range() sets VM_IO... 2013-06-29 12:46:39 +04:00
Kconfig i915: Add a Kconfig option to turn on i915.preliminary_hw_support by default 2013-08-22 13:31:51 +02:00
Makefile drm: Renesas R-Car Display Unit DRM driver 2013-06-27 10:08:04 +10:00
README.drm

************************************************************
* For the very latest on DRI development, please see:      *
*     http://dri.freedesktop.org/                          *
************************************************************

The Direct Rendering Manager (drm) is a device-independent kernel-level
device driver that provides support for the XFree86 Direct Rendering
Infrastructure (DRI).

The DRM supports the Direct Rendering Infrastructure (DRI) in four major
ways:

    1. The DRM provides synchronized access to the graphics hardware via
       the use of an optimized two-tiered lock.

    2. The DRM enforces the DRI security policy for access to the graphics
       hardware by only allowing authenticated X11 clients access to
       restricted regions of memory.

    3. The DRM provides a generic DMA engine, complete with multiple
       queues and the ability to detect the need for an OpenGL context
       switch.

    4. The DRM is extensible via the use of small device-specific modules
       that rely extensively on the API exported by the DRM module.


Documentation on the DRI is available from:
    http://dri.freedesktop.org/wiki/Documentation
    http://sourceforge.net/project/showfiles.php?group_id=387
    http://dri.sourceforge.net/doc/

For specific information about kernel-level support, see:

    The Direct Rendering Manager, Kernel Support for the Direct Rendering
    Infrastructure
    http://dri.sourceforge.net/doc/drm_low_level.html

    Hardware Locking for the Direct Rendering Infrastructure
    http://dri.sourceforge.net/doc/hardware_locking_low_level.html

    A Security Analysis of the Direct Rendering Infrastructure
    http://dri.sourceforge.net/doc/security_low_level.html