From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: "Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, "Huacai Chen" <chenhc@lemote.com>,
"Binbin Zhou" <zhoubb@lemote.com>,
"Michel Dänzer" <michel.daenzer@amd.com>,
"Paul Menzel" <paulepanter@users.sourceforge.net>,
"Dave Airlie" <airlied@gmail.com>
Subject: [ 16/21] drm: fix a use-after-free when GPU acceleration disabled
Date: Tue, 11 Jun 2013 13:03:10 -0700 [thread overview]
Message-ID: <20130611195521.899406257@linuxfoundation.org> (raw)
In-Reply-To: <20130611195520.003233586@linuxfoundation.org>
3.0-stable review patch. If anyone has any objections, please let me know.
------------------
From: Huacai Chen <chenhc@lemote.com>
commit b7ea85a4fed37835eec78a7be3039c8dc22b8178 upstream.
When GPU acceleration is disabled, drm_vblank_cleanup() will free the
vblank-related data, such as vblank_refcount, vblank_inmodeset, etc.
But we found that drm_vblank_post_modeset() may be called after the
cleanup, which use vblank_refcount and vblank_inmodeset. And this will
cause a kernel panic.
Fix this by return immediately if dev->num_crtcs is zero. This is the
same thing that drm_vblank_pre_modeset() does.
Call trace of a drm_vblank_post_modeset() after drm_vblank_cleanup():
[ 62.628906] [<ffffffff804868d0>] drm_vblank_post_modeset+0x34/0xb4
[ 62.628906] [<ffffffff804c7008>] atombios_crtc_dpms+0xb4/0x174
[ 62.628906] [<ffffffff804c70e0>] atombios_crtc_commit+0x18/0x38
[ 62.628906] [<ffffffff8047f038>] drm_crtc_helper_set_mode+0x304/0x3cc
[ 62.628906] [<ffffffff8047f92c>] drm_crtc_helper_set_config+0x6d8/0x988
[ 62.628906] [<ffffffff8047dd40>] drm_fb_helper_set_par+0x94/0x104
[ 62.628906] [<ffffffff80439d14>] fbcon_init+0x424/0x57c
[ 62.628906] [<ffffffff8046a638>] visual_init+0xb8/0x118
[ 62.628906] [<ffffffff8046b9f8>] take_over_console+0x238/0x384
[ 62.628906] [<ffffffff80436df8>] fbcon_takeover+0x7c/0xdc
[ 62.628906] [<ffffffff8024fa20>] notifier_call_chain+0x44/0x94
[ 62.628906] [<ffffffff8024fcbc>] __blocking_notifier_call_chain+0x48/0x68
[ 62.628906] [<ffffffff8042d990>] register_framebuffer+0x228/0x260
[ 62.628906] [<ffffffff8047e010>] drm_fb_helper_single_fb_probe+0x260/0x314
[ 62.628906] [<ffffffff8047e2c4>] drm_fb_helper_initial_config+0x200/0x234
[ 62.628906] [<ffffffff804e5560>] radeon_fbdev_init+0xd4/0xf4
[ 62.628906] [<ffffffff804e0e08>] radeon_modeset_init+0x9bc/0xa18
[ 62.628906] [<ffffffff804bfc14>] radeon_driver_load_kms+0xdc/0x12c
[ 62.628906] [<ffffffff8048b548>] drm_get_pci_dev+0x148/0x238
[ 62.628906] [<ffffffff80423564>] local_pci_probe+0x5c/0xd0
[ 62.628906] [<ffffffff80241ac4>] work_for_cpu_fn+0x1c/0x30
[ 62.628906] [<ffffffff802427c8>] process_one_work+0x274/0x3bc
[ 62.628906] [<ffffffff80242934>] process_scheduled_works+0x24/0x44
[ 62.628906] [<ffffffff8024515c>] worker_thread+0x31c/0x3f4
[ 62.628906] [<ffffffff802497a8>] kthread+0x88/0x90
[ 62.628906] [<ffffffff80206794>] kernel_thread_helper+0x10/0x18
Signed-off-by: Huacai Chen <chenhc@lemote.com>
Signed-off-by: Binbin Zhou <zhoubb@lemote.com>
Reviewed-by: Michel Dänzer <michel.daenzer@amd.com>
Acked-by: Paul Menzel <paulepanter@users.sourceforge.net>
Signed-off-by: Dave Airlie <airlied@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/drm_irq.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/drivers/gpu/drm/drm_irq.c
+++ b/drivers/gpu/drm/drm_irq.c
@@ -976,7 +976,7 @@ EXPORT_SYMBOL(drm_vblank_off);
*/
void drm_vblank_pre_modeset(struct drm_device *dev, int crtc)
{
- /* vblank is not initialized (IRQ not installed ?) */
+ /* vblank is not initialized (IRQ not installed ?), or has been freed */
if (!dev->num_crtcs)
return;
/*
@@ -998,6 +998,10 @@ void drm_vblank_post_modeset(struct drm_
{
unsigned long irqflags;
+ /* vblank is not initialized (IRQ not installed ?), or has been freed */
+ if (!dev->num_crtcs)
+ return;
+
if (dev->vblank_inmodeset[crtc]) {
spin_lock_irqsave(&dev->vbl_lock, irqflags);
dev->vblank_disable_allowed = 1;
next prev parent reply other threads:[~2013-06-11 20:03 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-06-11 20:02 [ 00/21] 3.0.82-stable review Greg Kroah-Hartman
2013-06-11 20:02 ` [ 01/21] USB: option: blacklist network interface on Huawei E1820 Greg Kroah-Hartman
2013-06-11 20:02 ` [ 02/21] ALSA: usb-audio - Apply Logitech QuickCam Pro 9000 quirk only to audio iface Greg Kroah-Hartman
2013-06-11 20:02 ` [ 03/21] USB: iuu_phoenix: fix bulk-message timeout Greg Kroah-Hartman
2013-06-11 20:02 ` [ 04/21] USB: keyspan: fix bogus array index Greg Kroah-Hartman
2013-06-11 20:02 ` [ 05/21] USB: ark3116: fix control-message timeout Greg Kroah-Hartman
2013-06-11 20:03 ` [ 06/21] USB: Serial: cypress_M8: Enable FRWD Dongle hidcom device Greg Kroah-Hartman
2013-06-11 20:03 ` [ 07/21] USB: whiteheat: fix broken port configuration Greg Kroah-Hartman
2013-06-11 20:03 ` [ 08/21] USB: serial: fix Treo/Kyocera interrrupt-in urb context Greg Kroah-Hartman
2013-06-11 20:03 ` [ 09/21] USB: revert periodic scheduling bugfix Greg Kroah-Hartman
2013-06-11 20:03 ` [ 10/21] USB: mos7720: fix DMA to stack Greg Kroah-Hartman
2013-06-11 20:03 ` [ 11/21] USB: mos7720: fix message timeouts Greg Kroah-Hartman
2013-06-11 20:03 ` [ 12/21] USB: mos7720: fix hardware flow control Greg Kroah-Hartman
2013-06-11 20:03 ` [ 13/21] ACPI / video: ignore BIOS initial backlight value for HP m4 Greg Kroah-Hartman
2013-06-11 20:03 ` [ 14/21] ACPI / video: ignore BIOS initial backlight value for HP Pavilion g6 Greg Kroah-Hartman
2013-06-11 20:03 ` [ 15/21] hwmon: (adm1021) Strengthen chip detection for ADM1021, LM84 and MAX1617 Greg Kroah-Hartman
2013-06-11 20:03 ` Greg Kroah-Hartman [this message]
2013-06-11 20:03 ` [ 17/21] drm/i915/sdvo: Use &intel_sdvo->ddc instead of intel_sdvo->i2c for DDC Greg Kroah-Hartman
2013-06-11 20:03 ` [ 18/21] USB: serial: ftdi_sio: Handle the old_termios == 0 case e.g. uart_resume_port() Greg Kroah-Hartman
2013-06-11 20:03 ` [ 19/21] USB: ftdi_sio: Quiet sparse noise about using plain integer was NULL pointer Greg Kroah-Hartman
2013-06-11 20:03 ` [ 20/21] tracing: Fix possible NULL pointer dereferences Greg Kroah-Hartman
2013-06-11 20:03 ` [ 21/21] ftrace: Move ftrace_filter_lseek out of CONFIG_DYNAMIC_FTRACE section Greg Kroah-Hartman
2013-06-12 15:50 ` [ 00/21] 3.0.82-stable review Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130611195521.899406257@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=airlied@gmail.com \
--cc=chenhc@lemote.com \
--cc=linux-kernel@vger.kernel.org \
--cc=michel.daenzer@amd.com \
--cc=paulepanter@users.sourceforge.net \
--cc=stable@vger.kernel.org \
--cc=zhoubb@lemote.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.