* [PATCH] drm: use atomic helper function to get crtc_state of crtc
From: mikita.lipski @ 2018-06-19 14:45 UTC
To: boris.brezillon, daniel.vetter, dri-devel
Cc: alexander.deucher, Mikita Lipski
From: Mikita Lipski <mikita.lipski@amd.com>
Use drm_atomic_get_crtc_state to get the crtc state in case
it has been previously freed, which might prevent a use-after-free issue.
This patch fixes the bugzilla bug:
Bug 199425 - BUG: KASAN: use-after-free in drm_atomic_helper_wait_for_flip_done+0x247/0x260
Signed-off-by: Mikita Lipski <mikita.lipski@amd.com>
---
drivers/gpu/drm/drm_atomic_helper.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/drm_atomic_helper.c b/drivers/gpu/drm/drm_atomic_helper.c
index e8c2493..e083f85 100644
--- a/drivers/gpu/drm/drm_atomic_helper.c
+++ b/drivers/gpu/drm/drm_atomic_helper.c
@@ -1276,9 +1276,11 @@ void drm_atomic_helper_wait_for_flip_done(struct drm_device *dev,
int i;
for_each_new_crtc_in_state(old_state, crtc, new_crtc_state, i) {
- struct drm_crtc_commit *commit = new_crtc_state->commit;
+ struct drm_crtc_commit *commit;
int ret;
+ new_crtc_state = drm_atomic_get_crtc_state(old_state, crtc);
+ commit = new_crtc_state->commit;
if (!commit)
continue;
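Review bot: the return value of `drm_atomic_get_crtc_state(old_state, crtc)` is dereferenced on the very next line (`commit = new_crtc_state->commit;`) without an error check; the helper is annotated __must_check and can return an error pointer, so on failure this dereferences ERR_PTR garbage instead of the freed state it was meant to avoid. The lookup also does not address the reported use-after-free: the loop is `for_each_new_crtc_in_state(old_state, ...)`, so it already walks the per-CRTC states held in old_state, and asking the same old_state for the same CRTC again cannot turn a freed pointer into a live one, while the get_*_state helpers duplicate state and belong in the ->atomic_check phase, not in a commit-path function such as drm_atomic_helper_wait_for_flip_done(). Suggest dropping the added lines, tracking down who frees the CRTC state before the flip-done wait, and carrying the full KASAN report in the commit message with a `Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199425` line and `Cc: stable@vger.kernel.org` so the eventual fix can be backported.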
--
2.7.4
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
* Re: [PATCH] drm: use atomic helper function to get crtc_state of crtc
From: Michel Dänzer @ 2018-06-19 14:58 UTC
To: mikita.lipski, boris.brezillon, daniel.vetter
Cc: alexander.deucher, dri-devel
Hi Mikita,
thanks for sending this out. I have to defer review of the actual change
to others more familiar with this code, but I have some feedback for the
commit log.
On 2018-06-19 04:45 PM, mikita.lipski@amd.com wrote:
> From: Mikita Lipski <mikita.lipski@amd.com>
>
> Use drm_atomic_get_crtc_state to get the crtc state in case
> it has been previously freed, which might prevent a use-after-free issue.
>
> This patch fixes the bugzilla bug:
> Bug 199425 - BUG: KASAN: use-after-free in drm_atomic_helper_wait_for_flip_done+0x247/0x260
Bug reports are referenced like this:
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199425
Also, as the issue exists since at least 4.17, this should have
Cc: stable@vger.kernel.org
in order for the fix to be backported to stable branches.
--
Earthling Michel Dänzer | http://www.amd.com
Libre software enthusiast | Mesa and X developer
* Re: [PATCH] drm: use atomic helper function to get crtc_state of crtc
From: Daniel Vetter @ 2018-06-19 15:27 UTC
To: mikita.lipski
Cc: alexander.deucher, boris.brezillon, dri-devel, daniel.vetter
On Tue, Jun 19, 2018 at 10:45:31AM -0400, mikita.lipski@amd.com wrote:
> From: Mikita Lipski <mikita.lipski@amd.com>
>
> Use drm_atomic_get_crtc_state to get the crtc state in case
> it has been previously freed, which might prevent a use-after-free issue.
>
> This patch fixes the bugzilla bug:
> Bug 199425 - BUG: KASAN: use-after-free in drm_atomic_helper_wait_for_flip_done+0x247/0x260
>
> Signed-off-by: Mikita Lipski <mikita.lipski@amd.com>
> ---
> drivers/gpu/drm/drm_atomic_helper.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/drm_atomic_helper.c b/drivers/gpu/drm/drm_atomic_helper.c
> index e8c2493..e083f85 100644
> --- a/drivers/gpu/drm/drm_atomic_helper.c
> +++ b/drivers/gpu/drm/drm_atomic_helper.c
> @@ -1276,9 +1276,11 @@ void drm_atomic_helper_wait_for_flip_done(struct drm_device *dev,
> int i;
>
> for_each_new_crtc_in_state(old_state, crtc, new_crtc_state, i) {
> - struct drm_crtc_commit *commit = new_crtc_state->commit;
> + struct drm_crtc_commit *commit;
> int ret;
>
> + new_crtc_state = drm_atomic_get_crtc_state(old_state, crtc);
> + commit = new_crtc_state->commit;
Uh no. wait_for_flip_done is supposed to be called from the
->atomic_commit hook, and duplicating state objects (as is done by the
various get_foo_state functions) is only allowed from the ->atomic_check
hook. Whatever blows up for you, this isn't the fix you're looking for.
Aside: get_foo_state can fail, the __must_check annotation should have
been a hint for that.
For starters it would be useful if you included the full details of what's
going boom in the amdgpu driver for you.
-Daniel
> if (!commit)
> continue;
>
> --
> 2.7.4
>
--
Daniel Vetter
Software Engineer, Intel Corporation
http://blog.ffwll.ch
* Re: [PATCH] drm: use atomic helper function to get crtc_state of crtc
From: Ville Syrjälä @ 2018-06-19 15:48 UTC
To: Daniel Vetter
Cc: alexander.deucher, boris.brezillon, mikita.lipski, dri-devel,
daniel.vetter
On Tue, Jun 19, 2018 at 05:27:57PM +0200, Daniel Vetter wrote:
> On Tue, Jun 19, 2018 at 10:45:31AM -0400, mikita.lipski@amd.com wrote:
> > From: Mikita Lipski <mikita.lipski@amd.com>
> >
> > Use drm_atomic_get_crtc_state to get the crtc state in case
> > it has been previously freed, which might prevent a use-after-free issue.
> >
> > This patch fixes the bugzilla bug:
> > Bug 199425 - BUG: KASAN: use-after-free in drm_atomic_helper_wait_for_flip_done+0x247/0x260
> >
> > Signed-off-by: Mikita Lipski <mikita.lipski@amd.com>
> > ---
> > drivers/gpu/drm/drm_atomic_helper.c | 4 +++-
> > 1 file changed, 3 insertions(+), 1 deletion(-)
> >
> > diff --git a/drivers/gpu/drm/drm_atomic_helper.c b/drivers/gpu/drm/drm_atomic_helper.c
> > index e8c2493..e083f85 100644
> > --- a/drivers/gpu/drm/drm_atomic_helper.c
> > +++ b/drivers/gpu/drm/drm_atomic_helper.c
> > @@ -1276,9 +1276,11 @@ void drm_atomic_helper_wait_for_flip_done(struct drm_device *dev,
> > int i;
> >
> > for_each_new_crtc_in_state(old_state, crtc, new_crtc_state, i) {
> > - struct drm_crtc_commit *commit = new_crtc_state->commit;
> > + struct drm_crtc_commit *commit;
> > int ret;
> >
> > + new_crtc_state = drm_atomic_get_crtc_state(old_state, crtc);
> > + commit = new_crtc_state->commit;
>
> Uh no. wait_for_flip_done is supposed to be called from the
> ->atomic_commit hook, and duplicating state objects (as is done by the
> various get_foo_state functions) is only allowed from the ->atomic_check
> hook. Whatever blows up for you, this isn't the fix you're looking for.
> Aside: get_foo_state can fail, the __must_check annotation should have
> been a hint for that.
>
> For starters it would be useful if you included the full details of what's
> going boom in the amdgpu driver for you.
From a quick glance at the bug report it looks like a cursor update
getting ahead of a page flip.
Actually I'm not even sure how this manages to work on i915. On i915
we allow the cursor update to go through as soon as hw_done is
completed. That would seem to mean that all the cleanup work
commit_tail does afterwards is at risk of using a freed plane state.
Well, maybe. The way this is all implemented doesn't really agree
with my brain so I can't be 100% sure.
Whacking a big sleep just after drm_atomic_helper_commit_hw_done()
should be able to confirm that I suppose.
--
Ville Syrjälä
Intel