From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <54F57A97.9040204@vodafone.de>
Date: Tue, 03 Mar 2015 10:10:47 +0100
From: Christian König
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.4.0
MIME-Version: 1.0
To: Tommi Rantala, Alex Deucher, Christian König, David Airlie
CC: linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org
Subject: Re: [PATCH] drm/radeon: fix DRM_IOCTL_RADEON_CS oops
References: <1425324967-7427-1-git-send-email-tt.rantala@gmail.com>
In-Reply-To: <1425324967-7427-1-git-send-email-tt.rantala@gmail.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
X-Mailing-List: linux-kernel@vger.kernel.org

Good catch.

Patch is Reviewed-by: Christian König

Regards,
Christian.

On 02.03.2015 20:36, Tommi Rantala wrote:
> Passing zeroed drm_radeon_cs struct to DRM_IOCTL_RADEON_CS produces the
> following oops.
>
> Fix by always calling INIT_LIST_HEAD() to avoid the crash in list_sort().
>
> ----------------------------------
>
>   #include <stdint.h>
>   #include <fcntl.h>
>   #include <unistd.h>
>   #include <sys/ioctl.h>
>   #include <drm/radeon_drm.h>
>
>   static const struct drm_radeon_cs cs;
>
>   int main(int argc, char **argv)
>   {
>           return ioctl(open(argv[1], O_RDWR), DRM_IOCTL_RADEON_CS, &cs);
>   }
>
> ----------------------------------
>
> [ttrantal@test2 ~]$ ./main /dev/dri/card0
> [ 46.904650] BUG: unable to handle kernel NULL pointer dereference at (null)
> [ 46.905022] IP: [] list_sort+0x42/0x240
> [ 46.905022] PGD 68f29067 PUD 688b5067 PMD 0
> [ 46.905022] Oops: 0002 [#1] SMP
> [ 46.905022] CPU: 0 PID: 2413 Comm: main Not tainted 4.0.0-rc1+ #58
> [ 46.905022] Hardware name: Hewlett-Packard HP Compaq dc5750 Small Form Factor/0A64h, BIOS 786E3 v02.10 01/25/2007
> [ 46.905022] task: ffff880058e2bcc0 ti: ffff880058e64000 task.ti: ffff880058e64000
> [ 46.905022] RIP: 0010:[] [] list_sort+0x42/0x240
> [ 46.905022] RSP: 0018:ffff880058e67998 EFLAGS: 00010246
> [ 46.905022] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
> [ 46.905022] RDX: ffffffff81644410 RSI: ffff880058e67b40 RDI: ffff880058e67a58
> [ 46.905022] RBP: ffff880058e67a88 R08: 0000000000000000 R09: 0000000000000000
> [ 46.905022] R10: ffff880058e2bcc0 R11: ffffffff828e6ca0 R12: ffffffff81644410
> [ 46.905022] R13: ffff8800694b8018 R14: 0000000000000000 R15: ffff880058e679b0
> [ 46.905022] FS: 00007fdc65a65700(0000) GS:ffff88006d600000(0000) knlGS:0000000000000000
> [ 46.905022] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 46.905022] CR2: 0000000000000000 CR3: 0000000058dd9000 CR4: 00000000000006f0
> [ 46.905022] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> [ 46.905022] DR3: 0000000000000000 DR6: 00000000ffff4ff0 DR7: 0000000000000400
> [ 46.905022] Stack:
> [ 46.905022] ffff880058e67b40 ffff880058e2bcc0 ffff880058e67a78 0000000000000000
> [ 46.905022] 0000000000000000 0000000000000000 0000000000000000 0000000000000000
> [ 46.905022] 0000000000000000 0000000000000000 0000000000000000 0000000000000000
> [ 46.905022] Call Trace:
> [ 46.905022] [] radeon_cs_parser_fini+0x195/0x220
> [ 46.905022] [] radeon_cs_ioctl+0xa9/0x960
> [ 46.905022] [] drm_ioctl+0x19c/0x640
> [ 46.905022] [] ? trace_hardirqs_on_caller+0xfd/0x1c0
> [ 46.905022] [] ? trace_hardirqs_on+0xd/0x10
> [ 46.905022] [] radeon_drm_ioctl+0x46/0x80
> [ 46.905022] [] do_vfs_ioctl+0x318/0x570
> [ 46.905022] [] ? selinux_file_ioctl+0x56/0x110
> [ 46.905022] [] SyS_ioctl+0x81/0xa0
> [ 46.905022] [] system_call_fastpath+0x12/0x17
> [ 46.905022] Code: 48 89 b5 10 ff ff ff 0f 84 03 01 00 00 4c 8d bd 28 ff ff
> ff 31 c0 48 89 fb b9 15 00 00 00 49 89 d4 4c 89 ff f3 48 ab 48 8b 46 08 <48> c7
> 00 00 00 00 00 48 8b 0e 48 85 c9 0f 84 7d 00 00 00 c7 85
> [ 46.905022] RIP [] list_sort+0x42/0x240
> [ 46.905022] RSP
> [ 46.905022] CR2: 0000000000000000
> [ 47.149253] ---[ end trace 09576b4e8b2c20b8 ]---
>
> Signed-off-by: Tommi Rantala
> ---
> drivers/gpu/drm/radeon/radeon_cs.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
> > diff --git a/drivers/gpu/drm/radeon/radeon_cs.c b/drivers/gpu/drm/radeon/radeon_cs.c > index a579ed3..4d0f96c 100644 > --- a/drivers/gpu/drm/radeon/radeon_cs.c > +++ b/drivers/gpu/drm/radeon/radeon_cs.c > @@ -256,11 +256,13 @@ int radeon_cs_parser_init(struct radeon_cs_parser *p, void *data) > u32 ring = RADEON_CS_RING_GFX; > s32 priority = 0; > > + INIT_LIST_HEAD(&p->validated); > + > if (!cs->num_chunks) { > return 0; > } > + > /* get chunks */ > - INIT_LIST_HEAD(&p->validated); > p->idx = 0; > p->ib.sa_bo = NULL; > p->const_ib.sa_bo = NULL;
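
Review bot: The relocated INIT_LIST_HEAD(&p->validated); at the top of radeon_cs_parser_init() carries no comment saying why it has to sit ahead of the if (!cs->num_chunks) early return, so a later tidy-up could move it back under /* get chunks */ next to p->idx = 0; and bring the oops back. A one-line comment above it, noting that radeon_cs_parser_fini() runs list_sort() on p->validated even when no chunks were submitted (as the call trace in the commit message shows), would pin it in place. The blank line added after the closing brace of the early return is an unrelated whitespace change and can be dropped. The remaining assignments (p->idx, p->ib.sa_bo, p->const_ib.sa_bo) are still skipped on the zero-chunk path, so it is worth confirming that the teardown path tolerates those fields exactly as the caller left them.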
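
A userspace model of why the zero-chunk path crashed and why moving the initialisation fixes it (an added example, not code from the patch or the radeon driver): list_sort() treats only a self-linked head as empty, so a zero-filled head falls through to the store made via head->prev. The names struct parser, list_sort_entry() and cs_ioctl_model() are hypothetical, and the zero-filled parser is an assumption drawn from the oops.

```c
#include <stdio.h>
#include <string.h>

/* Userspace model of the kernel's circular list head (not kernel code). */
struct list_head { struct list_head *next, *prev; };

static void init_list_head(struct list_head *h) { h->next = h; h->prev = h; }

/* Hypothetical stand-in for struct radeon_cs_parser: only the fields used here. */
struct parser { struct list_head validated; unsigned idx; };

/* Models the entry of list_sort(): a self-linked head returns at once, otherwise
 * the ring is cut with head->prev->next = NULL. 0 = empty, 1 = sorts, -1 = NULL store. */
static int list_sort_entry(const struct list_head *head)
{
    if (head->next == head)
        return 0;
    if (head->prev == NULL)
        return -1;              /* the kernel faults here instead of returning */
    return 1;
}

/* patched != 0 initialises the head ahead of the zero-chunk early return. */
static void parser_init(struct parser *p, unsigned num_chunks, int patched)
{
    if (patched)
        init_list_head(&p->validated);
    if (!num_chunks)
        return;
    if (!patched)
        init_list_head(&p->validated);
    p->idx = 0;
}

/* Assumption: the caller hands over a zero-filled parser and teardown always
 * sorts p->validated, as the call trace in the commit message suggests. */
static int cs_ioctl_model(unsigned num_chunks, int patched)
{
    struct parser p;
    memset(&p, 0, sizeof(p));
    parser_init(&p, num_chunks, patched);
    return list_sort_entry(&p.validated);
}

int main(void)
{
    printf("unpatched=%d patched=%d\n", cs_ioctl_model(0, 0), cs_ioctl_model(0, 1));
    return 0;
}
```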