mirrors/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-09-12 13:55:32 +00:00
Code Issues Releases Wiki Activity
linux-stable/drivers/gpu/drm/exynos/exynos_drm_crtc.c
Andrzej Hajda fc173ae6dd drm/exynos: fix cancel page flip code 
Driver code did not remove event from the list of pending events before destroy.
As a result drm core later tried to inspect invalid memory location.
The patch replaces removal code with call to core helper.

The bug was detected using KASAN:

[   10.107249] ==================================================================
[   10.107518] BUG: KASAN: use-after-free in drm_release+0xe9c/0x1000 at addr ffffffc089154a18
[   10.107784] Read of size 8 by task modetest/103
[   10.107931] =============================================================================
[   10.113191] BUG kmalloc-128 (Not tainted): kasan: bad access detected
[   10.119608] -----------------------------------------------------------------------------
[   10.119608]
[   10.129243] Disabling lock debugging due to kernel taint
[   10.134551] INFO: Allocated in drm_mode_page_flip_ioctl+0x500/0xa98 age=4 cpu=0 pid=103
[   10.142532] 	alloc_debug_processing+0x18c/0x198
[   10.147043] 	___slab_alloc.constprop.28+0x360/0x380
[   10.151906] 	__slab_alloc.isra.25.constprop.27+0x54/0xa0
[   10.157197] 	kmem_cache_alloc_trace+0x370/0x3b0
[   10.161709] 	drm_mode_page_flip_ioctl+0x500/0xa98
[   10.166400] 	drm_ioctl+0x4c4/0xb68
[   10.169787] 	do_vfs_ioctl+0x16c/0xeb8
[   10.173429] 	SyS_ioctl+0x8c/0xa0
[   10.176642] 	el0_svc_naked+0x24/0x28
[   10.180204] INFO: Freed in exynos_drm_crtc_cancel_page_flip+0xe0/0x160 age=0 cpu=0 pid=103
[   10.188447] 	free_debug_processing+0x174/0x388
[   10.192871] 	__slab_free+0x2e8/0x438
[   10.196431] 	kfree+0x350/0x360
[   10.199469] 	exynos_drm_crtc_cancel_page_flip+0xe0/0x160
[   10.204762] 	exynos_drm_preclose+0x58/0xa0
[   10.208844] 	drm_release+0x1f0/0x1000
[   10.212491] 	__fput+0x1c4/0x5b8
[   10.215613] 	____fput+0xc/0x18
[   10.218654] 	task_work_run+0x130/0x198
[   10.222385] 	do_exit+0x700/0x2278
[   10.225681] 	do_group_exit+0xe4/0x2c8
[   10.229327] 	SyS_exit_group+0x1c/0x20
[   10.232973] 	el0_svc_naked+0x24/0x28
[   10.236532] INFO: Slab 0xffffffbdc2a45500 objects=32 used=10 fp=0xffffffc089154a00 flags=0x4080
[   10.245210] INFO: Object 0xffffffc089154a00 @offset=2560 fp=0xffffffc089157600
[   10.245210]
...
[   10.384532] CPU: 0 PID: 103 Comm: modetest Tainted: G    B           4.5.0-rc3-00748-gd5e2881 #271
[   10.398325] Call trace:
[   10.400764] [<ffffffc000091428>] dump_backtrace+0x0/0x328
[   10.406141] [<ffffffc000091764>] show_stack+0x14/0x20
[   10.411176] [<ffffffc00089c550>] dump_stack+0xb0/0xe8
[   10.416210] [<ffffffc000395778>] print_trailer+0xf8/0x160
[   10.421592] [<ffffffc00039b5cc>] object_err+0x3c/0x50
[   10.426626] [<ffffffc00039d630>] kasan_report_error+0x248/0x550
[   10.432527] [<ffffffc00039da50>] __asan_report_load8_noabort+0x40/0x48
[   10.439039] [<ffffffc000b5b724>] drm_release+0xe9c/0x1000
[   10.444419] [<ffffffc0003d340c>] __fput+0x1c4/0x5b8
[   10.449280] [<ffffffc0003d3884>] ____fput+0xc/0x18
[   10.454055] [<ffffffc000101aa8>] task_work_run+0x130/0x198
[   10.459522] [<ffffffc0000bc058>] do_exit+0x700/0x2278
[   10.464557] [<ffffffc0000bdcfc>] do_group_exit+0xe4/0x2c8
[   10.469939] [<ffffffc0000bdefc>] SyS_exit_group+0x1c/0x20
[   10.475320] [<ffffffc000087530>] el0_svc_naked+0x24/0x28

Signed-off-by: Andrzej Hajda <a.hajda@samsung.com>
Signed-off-by: Inki Dae <inki.dae@samsung.com>
2016-05-10 23:11:41 +09:00

247 lines
6.4 KiB
C
Raw Blame History

/* exynos_drm_crtc.c
*
* Copyright (c) 2011 Samsung Electronics Co., Ltd.
* Authors:
* Inki Dae <inki.dae@samsung.com>
* Joonyoung Shim <jy0922.shim@samsung.com>
* Seung-Woo Kim <sw0312.kim@samsung.com>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version.
*/
#include <drm/drmP.h>
#include <drm/drm_crtc_helper.h>
#include <drm/drm_atomic.h>
#include <drm/drm_atomic_helper.h>
#include "exynos_drm_crtc.h"
#include "exynos_drm_drv.h"
#include "exynos_drm_plane.h"
static void exynos_drm_crtc_enable(struct drm_crtc *crtc)
{
struct exynos_drm_crtc *exynos_crtc = to_exynos_crtc(crtc);
if (exynos_crtc->ops->enable)
exynos_crtc->ops->enable(exynos_crtc);
drm_crtc_vblank_on(crtc);
}
static void exynos_drm_crtc_disable(struct drm_crtc *crtc)
{
struct exynos_drm_crtc *exynos_crtc = to_exynos_crtc(crtc);
drm_crtc_vblank_off(crtc);
if (exynos_crtc->ops->disable)
exynos_crtc->ops->disable(exynos_crtc);
}
static void
exynos_drm_crtc_mode_set_nofb(struct drm_crtc *crtc)
{
struct exynos_drm_crtc *exynos_crtc = to_exynos_crtc(crtc);
if (exynos_crtc->ops->commit)
exynos_crtc->ops->commit(exynos_crtc);
}
static int exynos_crtc_atomic_check(struct drm_crtc *crtc,
struct drm_crtc_state *state)
{
struct exynos_drm_crtc *exynos_crtc = to_exynos_crtc(crtc);
if (!state->enable)
return 0;
if (exynos_crtc->ops->atomic_check)
return exynos_crtc->ops->atomic_check(exynos_crtc, state);
return 0;
}
static void exynos_crtc_atomic_begin(struct drm_crtc *crtc,
struct drm_crtc_state *old_crtc_state)
{
struct exynos_drm_crtc *exynos_crtc = to_exynos_crtc(crtc);
exynos_crtc->event = crtc->state->event;
if (exynos_crtc->ops->atomic_begin)
exynos_crtc->ops->atomic_begin(exynos_crtc);
}
static void exynos_crtc_atomic_flush(struct drm_crtc *crtc,
struct drm_crtc_state *old_crtc_state)
{
struct exynos_drm_crtc *exynos_crtc = to_exynos_crtc(crtc);
if (exynos_crtc->ops->atomic_flush)
exynos_crtc->ops->atomic_flush(exynos_crtc);
}
static const struct drm_crtc_helper_funcs exynos_crtc_helper_funcs = {
.enable = exynos_drm_crtc_enable,
.disable = exynos_drm_crtc_disable,
.mode_set_nofb = exynos_drm_crtc_mode_set_nofb,
.atomic_check = exynos_crtc_atomic_check,
.atomic_begin = exynos_crtc_atomic_begin,
.atomic_flush = exynos_crtc_atomic_flush,
};
static void exynos_drm_crtc_destroy(struct drm_crtc *crtc)
{
struct exynos_drm_crtc *exynos_crtc = to_exynos_crtc(crtc);
struct exynos_drm_private *private = crtc->dev->dev_private;
private->crtc[exynos_crtc->pipe] = NULL;
drm_crtc_cleanup(crtc);
kfree(exynos_crtc);
}
static const struct drm_crtc_funcs exynos_crtc_funcs = {
.set_config = drm_atomic_helper_set_config,
.page_flip = drm_atomic_helper_page_flip,
.destroy = exynos_drm_crtc_destroy,
.reset = drm_atomic_helper_crtc_reset,
.atomic_duplicate_state = drm_atomic_helper_crtc_duplicate_state,
.atomic_destroy_state = drm_atomic_helper_crtc_destroy_state,
};
struct exynos_drm_crtc *exynos_drm_crtc_create(struct drm_device *drm_dev,
struct drm_plane *plane,
int pipe,
enum exynos_drm_output_type type,
const struct exynos_drm_crtc_ops *ops,
void *ctx)
{
struct exynos_drm_crtc *exynos_crtc;
struct exynos_drm_private *private = drm_dev->dev_private;
struct drm_crtc *crtc;
int ret;
exynos_crtc = kzalloc(sizeof(*exynos_crtc), GFP_KERNEL);
if (!exynos_crtc)
return ERR_PTR(-ENOMEM);
exynos_crtc->pipe = pipe;
exynos_crtc->type = type;
exynos_crtc->ops = ops;
exynos_crtc->ctx = ctx;
init_waitqueue_head(&exynos_crtc->wait_update);
crtc = &exynos_crtc->base;
private->crtc[pipe] = crtc;
ret = drm_crtc_init_with_planes(drm_dev, crtc, plane, NULL,
&exynos_crtc_funcs, NULL);
if (ret < 0)
goto err_crtc;
drm_crtc_helper_add(crtc, &exynos_crtc_helper_funcs);
return exynos_crtc;
err_crtc:
plane->funcs->destroy(plane);
kfree(exynos_crtc);
return ERR_PTR(ret);
}
int exynos_drm_crtc_enable_vblank(struct drm_device *dev, unsigned int pipe)
{
struct exynos_drm_crtc *exynos_crtc = exynos_drm_crtc_from_pipe(dev,
pipe);
if (exynos_crtc->ops->enable_vblank)
return exynos_crtc->ops->enable_vblank(exynos_crtc);
return 0;
}
void exynos_drm_crtc_disable_vblank(struct drm_device *dev, unsigned int pipe)
{
struct exynos_drm_crtc *exynos_crtc = exynos_drm_crtc_from_pipe(dev,
pipe);
if (exynos_crtc->ops->disable_vblank)
exynos_crtc->ops->disable_vblank(exynos_crtc);
}
void exynos_drm_crtc_wait_pending_update(struct exynos_drm_crtc *exynos_crtc)
{
wait_event_timeout(exynos_crtc->wait_update,
(atomic_read(&exynos_crtc->pending_update) == 0),
msecs_to_jiffies(50));
}
void exynos_drm_crtc_finish_update(struct exynos_drm_crtc *exynos_crtc,
struct exynos_drm_plane *exynos_plane)
{
struct drm_crtc *crtc = &exynos_crtc->base;
unsigned long flags;
exynos_plane->pending_fb = NULL;
if (atomic_dec_and_test(&exynos_crtc->pending_update))
wake_up(&exynos_crtc->wait_update);
spin_lock_irqsave(&crtc->dev->event_lock, flags);
if (exynos_crtc->event)
drm_crtc_send_vblank_event(crtc, exynos_crtc->event);
exynos_crtc->event = NULL;
spin_unlock_irqrestore(&crtc->dev->event_lock, flags);
}
int exynos_drm_crtc_get_pipe_from_type(struct drm_device *drm_dev,
enum exynos_drm_output_type out_type)
{
struct drm_crtc *crtc;
list_for_each_entry(crtc, &drm_dev->mode_config.crtc_list, head) {
struct exynos_drm_crtc *exynos_crtc;
exynos_crtc = to_exynos_crtc(crtc);
if (exynos_crtc->type == out_type)
return exynos_crtc->pipe;
}
return -EPERM;
}
void exynos_drm_crtc_te_handler(struct drm_crtc *crtc)
{
struct exynos_drm_crtc *exynos_crtc = to_exynos_crtc(crtc);
if (exynos_crtc->ops->te_handler)
exynos_crtc->ops->te_handler(exynos_crtc);
}
void exynos_drm_crtc_cancel_page_flip(struct drm_crtc *crtc,
struct drm_file *file)
{
struct exynos_drm_crtc *exynos_crtc = to_exynos_crtc(crtc);
struct drm_pending_vblank_event *e;
unsigned long flags;
spin_lock_irqsave(&crtc->dev->event_lock, flags);
e = exynos_crtc->event;
if (e && e->base.file_priv == file) {
exynos_crtc->event = NULL;
atomic_dec(&exynos_crtc->pending_update);
}
spin_unlock_irqrestore(&crtc->dev->event_lock, flags);
if (e && e->base.file_priv == file)
drm_event_cancel_free(crtc->dev, &e->base);
}
Reference in a new issue View git blame Copy permalink