From: "Ville Syrjälä" <ville.syrjala@linux.intel.com>
To: Takashi Iwai <tiwai@suse.de>
Cc: Jani Nikula <jani.nikula@intel.com>, intel-gfx@lists.freedesktop.org
Subject: Re: [PATCH v2] drm/i915: Fix use after free in lpe_audio_platdev_destroy()
Date: Wed, 12 Apr 2017 22:19:01 +0300
Message-ID: <20170412191901.GU30290@intel.com>
In-Reply-To: <s5h1ssxua1f.wl-tiwai@suse.de>

On Wed, Apr 12, 2017 at 01:42:36PM +0200, Takashi Iwai wrote:
> On Wed, 12 Apr 2017 10:02:51 +0200,
> Chris Wilson wrote:
> > 
> > [31908.547136] BUG: KASAN: use-after-free in intel_lpe_audio_teardown+0x78/0xb0 [i915] at addr ffff8801f7788358
> > [31908.547297] Read of size 8 by task drv_selftest/3781
> > [31908.547405] CPU: 0 PID: 3781 Comm: drv_selftest Tainted: G    BU  W       4.10.0+ #451
> > [31908.547553] Hardware name:                  /        , BIOS PYBSWCEL.86A.0027.2015.0507.1758 05/07/2015
> > [31908.547682] Call Trace:
> > [31908.547772]  dump_stack+0x68/0x9f
> > [31908.547857]  kasan_object_err+0x1c/0x70
> > [31908.547947]  kasan_report_error+0x1f1/0x4f0
> > [31908.548038]  ? kfree+0xaa/0x170
> > [31908.548121]  kasan_report+0x34/0x40
> > [31908.548211]  ? klist_children_get+0x20/0x30
> > [31908.548472]  ? intel_lpe_audio_teardown+0x78/0xb0 [i915]
> > [31908.548567]  __asan_load8+0x5e/0x70
> > [31908.548824]  intel_lpe_audio_teardown+0x78/0xb0 [i915]
> > [31908.549080]  intel_audio_deinit+0x28/0x80 [i915]
> > [31908.549315]  i915_driver_unload+0xe4/0x360 [i915]
> > [31908.549551]  ? i915_driver_load+0x1d70/0x1d70 [i915]
> > [31908.549651]  ? trace_hardirqs_on+0xd/0x10
> > [31908.549885]  i915_pci_remove+0x23/0x30 [i915]
> > [31908.549978]  pci_device_remove+0x5c/0x100
> > [31908.550069]  device_release_driver_internal+0x1db/0x2e0
> > [31908.550165]  driver_detach+0x68/0xc0
> > [31908.550256]  bus_remove_driver+0x8b/0x150
> > [31908.550346]  driver_unregister+0x3e/0x60
> > [31908.550439]  pci_unregister_driver+0x1d/0x110
> > [31908.550531]  ? find_module_all+0x7a/0xa0
> > [31908.550791]  i915_exit+0x1a/0x87 [i915]
> > [31908.550881]  SyS_delete_module+0x264/0x2c0
> > [31908.550971]  ? free_module+0x430/0x430
> > [31908.551064]  ? trace_hardirqs_off_caller+0x16/0x110
> > [31908.551159]  ? trace_hardirqs_on_caller+0x16/0x280
> > [31908.551256]  ? trace_hardirqs_on_thunk+0x1a/0x1c
> > [31908.551350]  entry_SYSCALL_64_fastpath+0x1c/0xb1
> > [31908.551440] RIP: 0033:0x7f1d67312ec7
> > [31908.551520] RSP: 002b:00007ffebe34e888 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
> > [31908.551650] RAX: ffffffffffffffda RBX: ffffffff811123f6 RCX: 00007f1d67312ec7
> > [31908.551743] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 0000560d0af476b8
> > [31908.551837] RBP: ffff880233d87f98 R08: 0000000000000000 R09: 00007ffebe34e8b8
> > [31908.551930] R10: 00007f1d68adf8c0 R11: 0000000000000206 R12: 0000000000000000
> > [31908.552023] R13: 0000560d0af46440 R14: 0000000000000034 R15: 00007ffebe34d860
> > [31908.552121]  ? trace_hardirqs_off_caller+0x16/0x110
> > [31908.552217] Object at ffff8801f7788000, in cache kmalloc-2048 size: 2048
> > [31908.552306] Allocated:
> > [31908.552377] PID = 3781
> > [31908.552456]  save_stack_trace+0x16/0x20
> > [31908.552539]  kasan_kmalloc+0xee/0x190
> > [31908.552627]  __kmalloc+0xdb/0x1b0
> > [31908.552713]  platform_device_alloc+0x27/0x90
> > [31908.552804]  platform_device_register_full+0x36/0x220
> > [31908.553066]  intel_lpe_audio_init+0x41e/0x570 [i915]
> > [31908.553320]  intel_audio_init+0xd/0x40 [i915]
> > [31908.553552]  i915_driver_load+0x13f5/0x1d70 [i915]
> > [31908.553788]  i915_pci_probe+0x65/0xe0 [i915]
> > [31908.553881]  pci_device_probe+0xda/0x140
> > [31908.553969]  driver_probe_device+0x400/0x660
> > [31908.554058]  __driver_attach+0x11c/0x120
> > [31908.554147]  bus_for_each_dev+0xe6/0x150
> > [31908.554237]  driver_attach+0x26/0x30
> > [31908.554325]  bus_add_driver+0x26b/0x3b0
> > [31908.554412]  driver_register+0xce/0x190
> > [31908.554502]  __pci_register_driver+0xaf/0xc0
> > [31908.554589]  0xffffffffa0550063
> > [31908.554675]  do_one_initcall+0x8b/0x1e0
> > [31908.554764]  do_init_module+0x102/0x325
> > [31908.554852]  load_module+0x3aad/0x45e0
> > [31908.554944]  SyS_finit_module+0x169/0x1a0
> > [31908.555033]  entry_SYSCALL_64_fastpath+0x1c/0xb1
> > [31908.555119] Freed:
> > [31908.555188] PID = 3781
> > [31908.555266]  save_stack_trace+0x16/0x20
> > [31908.555349]  kasan_slab_free+0xb0/0x180
> > [31908.555436]  kfree+0xaa/0x170
> > [31908.555520]  platform_device_release+0x76/0x80
> > [31908.555610]  device_release+0x45/0xe0
> > [31908.555698]  kobject_put+0x11f/0x260
> > [31908.555785]  put_device+0x12/0x20
> > [31908.555871]  platform_device_unregister+0x1b/0x20
> > [31908.556135]  intel_lpe_audio_teardown+0x5c/0xb0 [i915]
> > [31908.556390]  intel_audio_deinit+0x28/0x80 [i915]
> > [31908.556622]  i915_driver_unload+0xe4/0x360 [i915]
> > [31908.556858]  i915_pci_remove+0x23/0x30 [i915]
> > [31908.556948]  pci_device_remove+0x5c/0x100
> > [31908.557037]  device_release_driver_internal+0x1db/0x2e0
> > [31908.557129]  driver_detach+0x68/0xc0
> > [31908.557217]  bus_remove_driver+0x8b/0x150
> > [31908.557304]  driver_unregister+0x3e/0x60
> > [31908.557394]  pci_unregister_driver+0x1d/0x110
> > [31908.557653]  i915_exit+0x1a/0x87 [i915]
> > [31908.557741]  SyS_delete_module+0x264/0x2c0
> > [31908.557834]  entry_SYSCALL_64_fastpath+0x1c/0xb1
> > [31908.557919] Memory state around the buggy address:
> > [31908.558005]  ffff8801f7788200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> > [31908.558127]  ffff8801f7788280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> > [31908.558255] >ffff8801f7788300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> > [31908.558374]                                                     ^
> > [31908.558467]  ffff8801f7788380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> > [31908.558595]  ffff8801f7788400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> > 
> > v2: Just leak the memory (8 bytes) as freeing it ourselves is not safe,
> > and we need to coordinate a proper fix in platform_device itself.
> > 
> > Fixes: eef57324d926 ("drm/i915: setup bridge for HDMI LPE audio driver")
> > Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
> > Cc: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
> > Cc: Jerome Anand <jerome.anand@intel.com>
> > Cc: Jani Nikula <jani.nikula@intel.com>
> > Cc: Takashi Iwai <tiwai@suse.de>
> > Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
> 
> I'm for v2.
>   Reviewed-by: Takashi Iwai <tiwai@suse.de>

I concur.
Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com>

Dropping the comment is easy if/when the platdev code gets fixed.

> 
> 
> thanks,
> 
> Takashi
> 
> 
> > ---
> >  drivers/gpu/drm/i915/intel_lpe_audio.c | 9 ++++++++-
> >  1 file changed, 8 insertions(+), 1 deletion(-)
> > 
> > diff --git a/drivers/gpu/drm/i915/intel_lpe_audio.c b/drivers/gpu/drm/i915/intel_lpe_audio.c
> > index d8ca187ae001..d19053353a2b 100644
> > --- a/drivers/gpu/drm/i915/intel_lpe_audio.c
> > +++ b/drivers/gpu/drm/i915/intel_lpe_audio.c
> > @@ -131,8 +131,15 @@ lpe_audio_platdev_create(struct drm_i915_private *dev_priv)
> >  
> >  static void lpe_audio_platdev_destroy(struct drm_i915_private *dev_priv)
> >  {
> > +	/* XXX Note that platform_device_register_full() allocates a dma_mask
> > +	 * and never frees it. We can't free it here as we cannot guarrantee
> > +	 * this is the last reference (i.e. that the dma_mask will not be
> > +	 * used after our unregister). We choose to leak the sizeof(u64)
> > +	 * allocation - it should be fixed in the platform_device rather
> > +	 * than us fiddle with its internals.
> > +	 */
> > +
> >  	platform_device_unregister(dev_priv->lpe_audio.platdev);
> > -	kfree(dev_priv->lpe_audio.platdev->dev.dma_mask);
> >  }
> >  
> >  static void lpe_audio_irq_unmask(struct irq_data *d)
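Review bot: the new comment block has a typo ("guarrantee" should be "guarantee") and puts text on the opening "/*" line, which is the net/ exception rather than the plain kernel comment style used elsewhere in drivers/gpu/drm/i915; the blank line between the closing "*/" and platform_device_unregister() is also surplus. Suggest opening it as "/*" on its own line, e.g. "/*" / " * XXX platform_device_register_full() allocates a dma_mask and never frees it." / " */", directly followed by the platform_device_unregister() call. Dropping the kfree() is the right fix for the report quoted above: platform_device_unregister() drops the last reference and frees the platdev (the "Freed:" stack ends in platform_device_unregister from intel_lpe_audio_teardown+0x5c), and the removed line then read platdev->dev.dma_mask through that freed pointer (the "Read of size 8" at intel_lpe_audio_teardown+0x78). The comment only explains why the mask is leaked; it would be worth one sentence saying the removed line was itself the use-after-free, so the next reader does not reintroduce it.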
> > -- 
> > 2.11.0
> > 
> _______________________________________________
> Intel-gfx mailing list
> Intel-gfx@lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/intel-gfx

-- 
Ville Syrjälä
Intel OTC
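The KASAN report and the XXX comment in the quoted patch describe one lifetime problem from two sides: platform_device_register_full() allocates the dma_mask and never frees it, platform_device_unregister() may drop the last reference and free the platdev, and the old kfree() read platdev->dev.dma_mask after exactly that point. The C model below is an added example, not code from the patch, this thread or the i915 driver; every name in it (toy_device, the table of live pointers that stands in for KASAN, the destroy variants) is this example's own. It shows the v1 ordering tripping the liveness check, why the obvious alternative of saving the pointer before the unregister is also unsafe when another holder keeps a reference (the point the comment makes about not being able to guarantee this is the last reference), and the v2 ordering that only leaks.

```c
/*
 * Added example, not code from the patch or the i915 driver: a userland model
 * of the lifetime bug in the KASAN report above. A refcounted device owns a
 * separately allocated dma_mask (as platform_device_register_full() does); the
 * release path frees the device on the last reference but never the mask.
 * A table of live pointers stands in for KASAN. All names are this example's.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

struct toy_device { int refcount; uint64_t *dma_mask; };
#define MAX_LIVE 16
static void *live[MAX_LIVE];            /* allocations not yet freed */

static bool is_live(const void *p)
{
    for (int i = 0; i < MAX_LIVE; i++)
        if (p && live[i] == p) return true;
    return false;
}

static void track(void *p, bool alive)  /* remember (alive) or forget p */
{
    void *slot = alive ? NULL : p;
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == slot) { live[i] = alive ? p : NULL; return; }
}

/* Models platform_device_register_full(): device plus its own dma_mask. */
static struct toy_device *toy_device_register(void)
{
    struct toy_device *dev = calloc(1, sizeof(*dev));
    uint64_t *mask = malloc(sizeof(*mask));
    if (!dev || !mask) { free(dev); free(mask); return NULL; }
    *mask = UINT64_MAX;
    dev->dma_mask = mask;
    dev->refcount = 1;                  /* the registration's own reference */
    track(dev, true); track(mask, true);
    return dev;
}

/* Models platform_device_unregister() -> put_device(): frees the device on
 * the last reference and, like platform_device_release(), not the mask. */
static void toy_device_unregister(struct toy_device *dev)
{
    if (--dev->refcount == 0) { track(dev, false); free(dev); }
}

/* v1 ordering: unregister, then read dev->dma_mask to free it. With the last
 * reference gone that read is the use-after-free; the check returns -1. */
static int destroy_v1(struct toy_device *dev)
{
    if (!dev) return -2;
    toy_device_unregister(dev);
    if (!is_live(dev)) return -1;
    track(dev->dma_mask, false);
    free(dev->dma_mask);
    return 0;
}

/* Tempting alternative: save the pointer, unregister, free it. dev is not
 * read after the put, but any other holder of dev is left with a dangling
 * mask, the case the patch comment warns about. */
static void destroy_alt(struct toy_device *dev)
{
    uint64_t *mask = dev->dma_mask;
    toy_device_unregister(dev);
    track(mask, false);
    free(mask);
}

/* Another holder keeps a reference: 1 if its dma_mask now dangles. */
static int scenario_alt_shared_ref(void)
{
    struct toy_device *dev = toy_device_register();
    if (!dev) return -2;
    dev->refcount++;                    /* the other holder's reference */
    destroy_alt(dev);
    int dangling = !is_live(dev->dma_mask);
    toy_device_unregister(dev);         /* the other holder lets go */
    return dangling;
}

/* v2 (the patch): unregister and never touch dev again. Safe with or without
 * other holders; 1 if the dma_mask is left allocated, i.e. leaked. */
static int scenario_v2_leak(void)
{
    struct toy_device *dev = toy_device_register();
    if (!dev) return -2;
    uint64_t *mask = dev->dma_mask;
    toy_device_unregister(dev);
    return is_live(mask);
}

int main(void)
{
    printf("v1 last ref: %d, alt shared ref: %d, v2 leaked: %d\n",
           destroy_v1(toy_device_register()), scenario_alt_shared_ref(),
           scenario_v2_leak());
    return 0;
}
```

The liveness table only compares pointer values, so the model never dereferences freed memory itself; real code has no such guard, which is why the report needed KASAN to surface a read that would otherwise have silently returned stale heap contents.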

Thread overview: 20+ messages
2017-03-01 18:59 [PATCH] drm/i915: Fix use after free in lpe_audio_platdev_destroy() Chris Wilson
2017-03-01 20:17 ` ✓ Fi.CI.BAT: success for " Patchwork
2017-04-11 20:41 ` [PATCH] " Chris Wilson
2017-04-11 21:01   ` Takashi Iwai
2017-04-11 21:20     ` Chris Wilson
2017-04-11 21:27       ` Chris Wilson
2017-04-12  4:59         ` Takashi Iwai
2017-04-12  7:46           ` Ville Syrjälä
2017-04-12  8:25             ` Chris Wilson
2017-04-12  8:02 ` [PATCH v2] " Chris Wilson
2017-04-12 11:42   ` Takashi Iwai
2017-04-12 19:19     ` Ville Syrjälä [this message]
2017-04-12 21:55       ` Chris Wilson
2017-04-12  8:22 ` ✓ Fi.CI.BAT: success for drm/i915: Fix use after free in lpe_audio_platdev_destroy() (rev2) Patchwork
2017-04-12  8:31 ` [PATCH v3] drm/i915: Fix use after free in lpe_audio_platdev_destroy() Chris Wilson
2017-04-12  8:52   ` Ville Syrjälä
2017-04-12  9:03     ` Chris Wilson
2017-04-12 11:41     ` Takashi Iwai
2017-04-12 19:17       ` Ville Syrjälä
2017-04-12  8:51 ` ✓ Fi.CI.BAT: success for drm/i915: Fix use after free in lpe_audio_platdev_destroy() (rev4) Patchwork