From: Russell King - ARM Linux <linux@armlinux.org.uk>
To: Thierry Reding <thierry.reding@gmail.com>
Cc: dri-devel@lists.freedesktop.org, Dan MacDonald <allcoms@gmail.com>
Subject: Re: imxdrm issue on SABRE Lite
Date: Mon, 13 Feb 2017 09:20:12 +0000
Message-ID: <20170213092011.GU27312@n2100.armlinux.org.uk>
In-Reply-To: <20170213080533.GC13451@ulmo.ba.sec>
On Mon, Feb 13, 2017 at 09:05:33AM +0100, Thierry Reding wrote:
> On Sun, Feb 12, 2017 at 12:15:46AM +0000, Russell King - ARM Linux wrote:
> > diff --git a/drivers/gpu/drm/drm_atomic_helper.c b/drivers/gpu/drm/drm_atomic_helper.c
> > index 21f992605541..46668d071d6a 100644
> > --- a/drivers/gpu/drm/drm_atomic_helper.c
> > +++ b/drivers/gpu/drm/drm_atomic_helper.c
> > @@ -1201,9 +1201,8 @@ static void commit_tail(struct drm_atomic_state *state)
> > else
> > drm_atomic_helper_commit_tail(state);
> >
> > - drm_atomic_helper_commit_cleanup_done(state);
> > -
> > - drm_atomic_state_free(state);
> > + if (drm_atomic_helper_commit_cleanup_done(state) == 0)
> > + drm_atomic_state_free(state);
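Review bot: the new `if (drm_atomic_helper_commit_cleanup_done(state) == 0)` guard turns `drm_atomic_helper_commit_cleanup_done()` into a function with a return value, but the corresponding change to that function is not part of this diff, so the hunk alone does not say what a non-zero return means or who owns `state` in that case; as written, the non-zero path simply stops without calling `drm_atomic_state_free(state)`, which leaks the state unless some other owner releases it later. Please include the callee's change in the same patch and add a comment above the `if` stating the contract (non-zero: state is still referenced by a pending commit and will be freed by whoever completes it).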
>
> Chris (Cc'ed) added reference counting to atomic state for v4.10, maybe
> that already fixes the issue?
No. It's not the atomic state that's referenced, it's only a completion
within the drm_crtc_commit structure, which is completely separate from
the atomic state. Moreover, the event code has no knowledge of commits,
so it can't "put" a reference count on it. See:
void drm_send_event_locked(struct drm_device *dev, struct drm_pending_event *e)
{
	assert_spin_locked(&dev->event_lock);

	if (e->completion) {
		/* ->completion might disappear as soon as it signalled. */
		complete_all(e->completion);
		e->completion = NULL;
	}
vs the setup of the event done in drm_atomic_helper_setup_commit():
	if (!crtc_state->event) {
		commit->event = kzalloc(sizeof(*commit->event),
					GFP_KERNEL);
		if (!commit->event)
			return -ENOMEM;

		crtc_state->event = commit->event;
	}

	crtc_state->event->base.completion = &commit->flip_done;
"commit" gets freed before drm_send_event_locked() is called (hence
the timeout message) and when drm_send_event_locked() is eventually
called via drm_vblank_off(), this causes a use-after-free bug.
--
RMK's Patch system: http://www.armlinux.org.uk/developer/patches/
FTTC broadband for 0.8mile line: currently at 9.6Mbps down 400kbps up
according to speedtest.net.