From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Andrey Ryabinin <aryabinin@virtuozzo.com>,
Chris Wilson <chris@chris-wilson.co.uk>,
Daniel Vetter <daniel.vetter@ffwll.ch>,
Jani Nikula <jani.nikula@intel.com>
Subject: [PATCH 4.4 20/20] drm/i915: fix use-after-free in page_flip_completed()
Date: Mon, 13 Feb 2017 05:05:05 -0800 [thread overview]
Message-ID: <20170213130404.414634237@linuxfoundation.org> (raw)
In-Reply-To: <20170213130403.531813333@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andrey Ryabinin <aryabinin@virtuozzo.com>
commit 5351fbb1bf1413f6024892093528280769ca852f upstream.
page_flip_completed() dereferences 'work' variable after executing
queue_work(). This is not safe as the 'work' item might be already freed
by queued work:
BUG: KASAN: use-after-free in page_flip_completed+0x3ff/0x490 at addr ffff8803dc010f90
Call Trace:
__asan_report_load8_noabort+0x59/0x80
page_flip_completed+0x3ff/0x490
intel_finish_page_flip_mmio+0xe3/0x130
intel_pipe_handle_vblank+0x2d/0x40
gen8_irq_handler+0x4a7/0xed0
__handle_irq_event_percpu+0xf6/0x860
handle_irq_event_percpu+0x6b/0x160
handle_irq_event+0xc7/0x1b0
handle_edge_irq+0x1f4/0xa50
handle_irq+0x41/0x70
do_IRQ+0x9a/0x200
common_interrupt+0x89/0x89
Freed:
kfree+0x113/0x4d0
intel_unpin_work_fn+0x29a/0x3b0
process_one_work+0x79e/0x1b70
worker_thread+0x611/0x1460
kthread+0x241/0x3a0
ret_from_fork+0x27/0x40
Move queue_work() after trace_i915_flip_complete() to fix this.
Fixes: e5510fac98a7 ("drm/i915: add tracepoints for flip requests & completions")
Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: http://patchwork.freedesktop.org/patch/msgid/20170126143211.24013-1-aryabinin@virtuozzo.com
(cherry picked from commit 05c41f926fcc7ef838c80a6a99d84f67b4e0b824)
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/i915/intel_display.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/gpu/drm/i915/intel_display.c
+++ b/drivers/gpu/drm/i915/intel_display.c
@@ -3948,10 +3948,10 @@ static void page_flip_completed(struct i
drm_crtc_vblank_put(&intel_crtc->base);
wake_up_all(&dev_priv->pending_flip_queue);
- queue_work(dev_priv->wq, &work->work);
-
trace_i915_flip_complete(intel_crtc->plane,
work->pending_flip_obj);
+
+ queue_work(dev_priv->wq, &work->work);
}
void intel_crtc_wait_for_pending_flips(struct drm_crtc *crtc)
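Review bot: the reorder is the right fix, since after queue_work() the item belongs to the worker and intel_unpin_work_fn kfree()s it, and with the move the trace point at the old lines 3951-3952 is now the last use of `work` before the hand-off; the remaining risk is that a later change reintroduces a read after the call, so a one-line comment above the moved `queue_work(dev_priv->wq, &work->work);`, e.g. "/* the worker frees 'work'; do not touch it after this */", would document the ownership transfer where it matters.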
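A user-space model of the ordering bug the commit message describes, added here as an illustration only (it is not driver code and not part of the patch); the struct, the poison value, and the synchronous "worker runs before queue_work() returns" stand-in are constructed assumptions chosen so the stale read is observable deterministically instead of being undefined behaviour:

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the driver's unpin work item; only the field the
 * trace point reads is modelled here. */
struct unpin_work {
    uintptr_t pending_flip_obj;
};

/* Assumed poison pattern standing in for kfree() of the item. */
#define KFREE_POISON ((uintptr_t)0xdeadbeefu)

/* Worst-case schedule from the KASAN report: the queued worker
 * (intel_unpin_work_fn in the driver) runs and frees the item before
 * queue_work() returns to the caller.  Poison instead of free so that a
 * read after the hand-off is visible rather than undefined behaviour. */
static void queue_work_worker_runs_first(struct unpin_work *work)
{
    work->pending_flip_obj = KFREE_POISON;
}

/* Trace point stand-in: returns the value it would record. */
static uintptr_t trace_flip_complete(const struct unpin_work *work)
{
    return work->pending_flip_obj;
}

/* Ordering before the patch: hand off first, then read -> stale value. */
uintptr_t page_flip_completed_before(struct unpin_work *work)
{
    queue_work_worker_runs_first(work);
    return trace_flip_complete(work); /* reads memory the worker freed */
}

/* Ordering after the patch: read while this thread still owns the item,
 * then hand it off; nothing may touch 'work' after queue_work(). */
uintptr_t page_flip_completed_after(struct unpin_work *work)
{
    uintptr_t traced = trace_flip_complete(work);
    queue_work_worker_runs_first(work);
    return traced;
}

/* Constructed sample object with a recognisable pointer-like value. */
uintptr_t run_before(void) { struct unpin_work w = { 0x1234 }; return page_flip_completed_before(&w); }
uintptr_t run_after(void)  { struct unpin_work w = { 0x1234 }; return page_flip_completed_after(&w); }

int main(void)
{
    printf("before patch traced 0x%lx, after patch traced 0x%lx\n",
           (unsigned long)run_before(), (unsigned long)run_after());
    return 0;
}
```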