From: "Christian König" <deathsimple@vodafone.de>
To: "Tommi Rantala" <tt.rantala@gmail.com>,
"Alex Deucher" <alexander.deucher@amd.com>,
"Christian König" <christian.koenig@amd.com>,
"David Airlie" <airlied@linux.ie>
Cc: linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org
Subject: Re: [PATCH] drm/radeon: fix DRM_IOCTL_RADEON_CS oops
Date: Tue, 03 Mar 2015 10:10:47 +0100
Message-ID: <54F57A97.9040204@vodafone.de>
In-Reply-To: <1425324967-7427-1-git-send-email-tt.rantala@gmail.com>

Good catch.

Patch is Reviewed-by: Christian König <christian.koenig@amd.com>

Regards,
Christian.

On 02.03.2015 20:36, Tommi Rantala wrote:
> Passing zeroed drm_radeon_cs struct to DRM_IOCTL_RADEON_CS produces the
> following oops.
>
> Fix by always calling INIT_LIST_HEAD() to avoid the crash in list_sort().
>
> ----------------------------------
>
> #include <stdint.h>
> #include <fcntl.h>
> #include <unistd.h>
> #include <sys/ioctl.h>
> #include <drm/radeon_drm.h>
>
> static const struct drm_radeon_cs cs;
>
> int main(int argc, char **argv)
> {
>     return ioctl(open(argv[1], O_RDWR), DRM_IOCTL_RADEON_CS, &cs);
> }
>
> ----------------------------------
>
> [ttrantal@test2 ~]$ ./main /dev/dri/card0
> [ 46.904650] BUG: unable to handle kernel NULL pointer dereference at (null)
> [ 46.905022] IP: [<ffffffff814d6df2>] list_sort+0x42/0x240
> [ 46.905022] PGD 68f29067 PUD 688b5067 PMD 0
> [ 46.905022] Oops: 0002 [#1] SMP
> [ 46.905022] CPU: 0 PID: 2413 Comm: main Not tainted 4.0.0-rc1+ #58
> [ 46.905022] Hardware name: Hewlett-Packard HP Compaq dc5750 Small Form Factor/0A64h, BIOS 786E3 v02.10 01/25/2007
> [ 46.905022] task: ffff880058e2bcc0 ti: ffff880058e64000 task.ti: ffff880058e64000
> [ 46.905022] RIP: 0010:[<ffffffff814d6df2>] [<ffffffff814d6df2>] list_sort+0x42/0x240
> [ 46.905022] RSP: 0018:ffff880058e67998 EFLAGS: 00010246
> [ 46.905022] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
> [ 46.905022] RDX: ffffffff81644410 RSI: ffff880058e67b40 RDI: ffff880058e67a58
> [ 46.905022] RBP: ffff880058e67a88 R08: 0000000000000000 R09: 0000000000000000
> [ 46.905022] R10: ffff880058e2bcc0 R11: ffffffff828e6ca0 R12: ffffffff81644410
> [ 46.905022] R13: ffff8800694b8018 R14: 0000000000000000 R15: ffff880058e679b0
> [ 46.905022] FS: 00007fdc65a65700(0000) GS:ffff88006d600000(0000) knlGS:0000000000000000
> [ 46.905022] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 46.905022] CR2: 0000000000000000 CR3: 0000000058dd9000 CR4: 00000000000006f0
> [ 46.905022] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> [ 46.905022] DR3: 0000000000000000 DR6: 00000000ffff4ff0 DR7: 0000000000000400
> [ 46.905022] Stack:
> [ 46.905022] ffff880058e67b40 ffff880058e2bcc0 ffff880058e67a78 0000000000000000
> [ 46.905022] 0000000000000000 0000000000000000 0000000000000000 0000000000000000
> [ 46.905022] 0000000000000000 0000000000000000 0000000000000000 0000000000000000
> [ 46.905022] Call Trace:
> [ 46.905022] [<ffffffff81644a65>] radeon_cs_parser_fini+0x195/0x220
> [ 46.905022] [<ffffffff81645069>] radeon_cs_ioctl+0xa9/0x960
> [ 46.905022] [<ffffffff815e1f7c>] drm_ioctl+0x19c/0x640
> [ 46.905022] [<ffffffff810f8fdd>] ? trace_hardirqs_on_caller+0xfd/0x1c0
> [ 46.905022] [<ffffffff810f90ad>] ? trace_hardirqs_on+0xd/0x10
> [ 46.905022] [<ffffffff8160c066>] radeon_drm_ioctl+0x46/0x80
> [ 46.905022] [<ffffffff81211868>] do_vfs_ioctl+0x318/0x570
> [ 46.905022] [<ffffffff81462ef6>] ? selinux_file_ioctl+0x56/0x110
> [ 46.905022] [<ffffffff81211b41>] SyS_ioctl+0x81/0xa0
> [ 46.905022] [<ffffffff81dc6312>] system_call_fastpath+0x12/0x17
> [ 46.905022] Code: 48 89 b5 10 ff ff ff 0f 84 03 01 00 00 4c 8d bd 28 ff ff
> ff 31 c0 48 89 fb b9 15 00 00 00 49 89 d4 4c 89 ff f3 48 ab 48 8b 46 08 <48> c7
> 00 00 00 00 00 48 8b 0e 48 85 c9 0f 84 7d 00 00 00 c7 85
> [ 46.905022] RIP [<ffffffff814d6df2>] list_sort+0x42/0x240
> [ 46.905022] RSP <ffff880058e67998>
> [ 46.905022] CR2: 0000000000000000
> [ 47.149253] ---[ end trace 09576b4e8b2c20b8 ]---
>
> Signed-off-by: Tommi Rantala <tt.rantala@gmail.com>
> ---
> drivers/gpu/drm/radeon/radeon_cs.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/radeon/radeon_cs.c b/drivers/gpu/drm/radeon/radeon_cs.c
> index a579ed3..4d0f96c 100644
> --- a/drivers/gpu/drm/radeon/radeon_cs.c
> +++ b/drivers/gpu/drm/radeon/radeon_cs.c
> @@ -256,11 +256,13 @@ int radeon_cs_parser_init(struct radeon_cs_parser *p, void *data)
> u32 ring = RADEON_CS_RING_GFX;
> s32 priority = 0;
>
> + INIT_LIST_HEAD(&p->validated);
> +
> if (!cs->num_chunks) {
> return 0;
> }
> +
> /* get chunks */
> - INIT_LIST_HEAD(&p->validated);
> p->idx = 0;
> p->ib.sa_bo = NULL;
> p->const_ib.sa_bo = NULL;
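
Review bot: the early return on !cs->num_chunks still skips p->idx = 0 and the two sa_bo = NULL assignments that follow /* get chunks */, while the call trace shows radeon_cs_parser_fini() runs on exactly that path. Please confirm the caller hands in a zeroed parser so those fields are already 0/NULL, or move them up next to INIT_LIST_HEAD() so every field the teardown reads is set before the first return. A one-line comment above the moved INIT_LIST_HEAD(&p->validated) saying that the fini path sorts this list even when there are no chunks would keep it from being moved back, and the blank line added before /* get chunks */ is unrelated whitespace that could be dropped.
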
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/dri-devel
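
The init/teardown asymmetry described in the quoted commit message, as an added userspace model that is not code from the patch or the radeon driver. `struct parser`, `parser_init_before`, `parser_init_after`, `parser_fini` and `run` are hypothetical names, and the zeroed parser is an assumption chosen to match the NULL dereference in the oops.

```c
#include <string.h>

/* Userspace stand-in for the kernel's struct list_head (constructed). */
struct list_head { struct list_head *next, *prev; };
static void init_list_head(struct list_head *h) { h->next = h; h->prev = h; }
/* Hypothetical parser: only the list involved in the oops is modelled. */
struct parser { struct list_head validated; };

/* Pre-patch shape: the early return skips list initialisation. */
static int parser_init_before(struct parser *p, unsigned num_chunks)
{
    if (!num_chunks)
        return 0;
    init_list_head(&p->validated);
    return 0;
}

/* Post-patch shape: the list head is valid on every return path. */
static int parser_init_after(struct parser *p, unsigned num_chunks)
{
    init_list_head(&p->validated);
    (void)num_chunks; /* an early return for 0 chunks is now harmless */
    return 0;
}

/* Teardown on every path: entry count, or -1 where a list walk would fault. */
static int parser_fini(const struct parser *p)
{
    const struct list_head *h = &p->validated, *n;
    int count = 0;
    if (!h->next || !h->prev)
        return -1;
    for (n = h->next; n != h; n = n->next)
        count++;
    return count;
}

/* Zeroed parser, then init + fini (assumes the caller zeroes the struct). */
static int run(int (*init)(struct parser *, unsigned), unsigned num_chunks)
{
    struct parser p;
    memset(&p, 0, sizeof(p));
    init(&p, num_chunks);
    return parser_fini(&p);
}

int main(void)
{
    return run(parser_init_after, 0) == 0 && run(parser_init_before, 0) == -1 ? 0 : 1;
}
```

The model returns -1 instead of faulting so the two shapes can be compared in a regression test; only the zero-chunk input distinguishes them.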