From mboxrd@z Thu Jan 1 00:00:00 1970 
From: Tommi Rantala
Subject: [PATCH] drm/radeon: fix DRM_IOCTL_RADEON_CS oops
Date: Mon, 2 Mar 2015 21:36:07 +0200
Message-ID: <1425324967-7427-1-git-send-email-tt.rantala@gmail.com>
To: Alex Deucher, Christian König, David Airlie
Cc: linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org

Passing zeroed drm_radeon_cs struct to DRM_IOCTL_RADEON_CS produces the
following oops.

Fix by always calling INIT_LIST_HEAD() to avoid the crash in list_sort().

----------------------------------

 #include <stdint.h>
 #include <fcntl.h>
 #include <unistd.h>
 #include <sys/ioctl.h>
 #include <drm/radeon_drm.h>

 static const struct drm_radeon_cs cs;

 int main(int argc, char **argv)
 {
         return ioctl(open(argv[1], O_RDWR), DRM_IOCTL_RADEON_CS, &cs);
 }

----------------------------------

[ttrantal@test2 ~]$ ./main /dev/dri/card0
[ 46.904650] BUG: unable to handle kernel NULL pointer dereference at (null)
[ 46.905022] IP: [] list_sort+0x42/0x240
[ 46.905022] PGD 68f29067 PUD 688b5067 PMD 0
[ 46.905022] Oops: 0002 [#1] SMP
[ 46.905022] CPU: 0 PID: 2413 Comm: main Not tainted 4.0.0-rc1+ #58
[ 46.905022] Hardware name: Hewlett-Packard HP Compaq dc5750 Small Form Factor/0A64h, BIOS 786E3 v02.10 01/25/2007
[ 46.905022] task: ffff880058e2bcc0 ti: ffff880058e64000 task.ti: ffff880058e64000
[ 46.905022] RIP: 0010:[] [] list_sort+0x42/0x240
[ 46.905022] RSP: 0018:ffff880058e67998 EFLAGS: 00010246
[ 46.905022] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[ 46.905022] RDX: ffffffff81644410 RSI: ffff880058e67b40 RDI: ffff880058e67a58
[ 46.905022] RBP: ffff880058e67a88 R08: 0000000000000000 R09: 0000000000000000
[ 46.905022] R10: ffff880058e2bcc0 R11: ffffffff828e6ca0 R12: ffffffff81644410
[ 46.905022] R13: ffff8800694b8018 R14: 0000000000000000 R15: ffff880058e679b0
[ 46.905022] FS: 00007fdc65a65700(0000) GS:ffff88006d600000(0000) knlGS:0000000000000000
[ 46.905022] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 46.905022] CR2: 0000000000000000 CR3: 0000000058dd9000 CR4: 00000000000006f0
[ 46.905022] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 46.905022] DR3: 0000000000000000 DR6: 00000000ffff4ff0 DR7: 0000000000000400
[ 46.905022] Stack:
[ 46.905022] ffff880058e67b40 ffff880058e2bcc0 ffff880058e67a78 0000000000000000
[ 46.905022] 0000000000000000 0000000000000000 0000000000000000 0000000000000000
[ 46.905022] 0000000000000000 0000000000000000 0000000000000000 0000000000000000
[ 46.905022] Call Trace:
[ 46.905022] [] radeon_cs_parser_fini+0x195/0x220
[ 46.905022] [] radeon_cs_ioctl+0xa9/0x960
[ 46.905022] [] drm_ioctl+0x19c/0x640
[ 46.905022] [] ? trace_hardirqs_on_caller+0xfd/0x1c0
[ 46.905022] [] ? trace_hardirqs_on+0xd/0x10
[ 46.905022] [] radeon_drm_ioctl+0x46/0x80
[ 46.905022] [] do_vfs_ioctl+0x318/0x570
[ 46.905022] [] ? selinux_file_ioctl+0x56/0x110
[ 46.905022] [] SyS_ioctl+0x81/0xa0
[ 46.905022] [] system_call_fastpath+0x12/0x17
[ 46.905022] Code: 48 89 b5 10 ff ff ff 0f 84 03 01 00 00 4c 8d bd 28 ff ff ff 31 c0 48 89 fb b9 15 00 00 00 49 89 d4 4c 89 ff f3 48 ab 48 8b 46 08 <48> c7 00 00 00 00 00 48 8b 0e 48 85 c9 0f 84 7d 00 00 00 c7 85
[ 46.905022] RIP [] list_sort+0x42/0x240
[ 46.905022] RSP
[ 46.905022] CR2: 0000000000000000
[ 47.149253] ---[ end trace 09576b4e8b2c20b8 ]---

Signed-off-by: Tommi Rantala
---
 drivers/gpu/drm/radeon/radeon_cs.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/radeon/radeon_cs.c b/drivers/gpu/drm/radeon/radeon_cs.c index a579ed3..4d0f96c 100644 --- a/drivers/gpu/drm/radeon/radeon_cs.c +++ b/drivers/gpu/drm/radeon/radeon_cs.c
@@ -256,11 +256,13 @@ int radeon_cs_parser_init(struct radeon_cs_parser *p, void *data) u32 ring = RADEON_CS_RING_GFX; s32 priority = 0; + INIT_LIST_HEAD(&p->validated); + if (!cs->num_chunks) { return 0; } + /* get chunks */ - INIT_LIST_HEAD(&p->validated); p->idx = 0; p->ib.sa_bo = NULL; p->const_ib.sa_bo = NULL; -- 1.9.3
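
Review bot: On the `if (!cs->num_chunks)` early-return path in radeon_cs_parser_init(), `p->validated` is now the only field set before `return 0`; `p->idx = 0;`, `p->ib.sa_bo = NULL;` and `p->const_ib.sa_bo = NULL;` still sit below the return. The call trace shows radeon_cs_parser_fini() running on this path, so please either confirm that the caller hands in a zeroed parser and that fini tolerates those zeroed fields, or move the remaining initialisers above the check as well. A one-line comment above the moved INIT_LIST_HEAD() noting that radeon_cs_parser_fini() calls list_sort() on `p->validated` even when there are no chunks would keep a later cleanup from moving it back below the early return. Since the reproducer in the commit message needs only an open of the DRM node and a single ioctl, a stable tag is worth considering.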