From: "Ville Syrjälä" <ville.syrjala@linux.intel.com>
To: Stanislaw Gruszka <stanislaw.gruszka@linux.intel.com>
Cc: Thomas Zimmermann <tzimmermann@suse.de>,
dri-devel@lists.freedesktop.org,
Jacek Lawrynowicz <jacek.lawrynowicz@linux.intel.com>
Subject: Re: [PATCH RESEND] drm: fix crash in drm_minor_alloc_release
Date: Mon, 7 Nov 2022 17:10:48 +0200
Message-ID: <Y2kf+HLy/Kz5BclF@intel.com>
In-Reply-To: <20221107144500.3692212-1-stanislaw.gruszka@linux.intel.com>
On Mon, Nov 07, 2022 at 03:45:00PM +0100, Stanislaw Gruszka wrote:
> If drm_sysfs_minor_alloc() fails in drm_minor_alloc() we can end up
> freeing an invalid minor->kdev pointer and drm_minor_alloc_release()
> will crash like below:
>
> RIP: 0010:kobject_put+0x19/0x1c0
> RSP: 0018:ffffbc7001637c38 EFLAGS: 00010282
> RAX: ffffffffa8d6deb0 RBX: 00000000ffffffff RCX: ffff9cb5912d4540
> RDX: ffffffffa9c45ec5 RSI: ffff9cb5902f2b68 RDI: fffffffffffffff4
> RBP: fffffffffffffff4 R08: ffffffffa9c40dec R09: 0000000000000008
> R10: ffffffffaa81f7d2 R11: 00000000aa81f7ca R12: ffff9cb5912d4540
> R13: ffff9cb5912d4540 R14: dead000000000122 R15: dead000000000100
> FS: 00007f56b06e6740(0000) GS:ffff9cb728b40000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000000000030 CR3: 000000011285b004 CR4: 0000000000170ee0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000ffff07f0 DR7: 0000000000000400
> Call Trace:
> <TASK>
> drm_minor_alloc_release+0x19/0x50
> drm_managed_release+0xab/0x150
> drm_dev_init+0x21f/0x2f0
> __devm_drm_dev_alloc+0x3c/0xa0
> ivpu_probe+0x59/0x797 [intel_vpu 127058409b05eb2f99dcdecd3330bee28d6b3e76]
> pci_device_probe+0xa4/0x160
> really_probe+0x164/0x340
> __driver_probe_device+0x10d/0x190
> device_driver_attach+0x26/0x50
> bind_store+0x9f/0x120
> kernfs_fop_write_iter+0x12d/0x1c0
> new_sync_write+0x106/0x180
> vfs_write+0x216/0x2a0
> ksys_write+0x65/0xe0
> do_syscall_64+0x35/0x80
> entry_SYSCALL_64_after_hwframe+0x44/0xae
>
> Fix this crash by checking minor->kdev when freeing.
>
> Signed-off-by: Stanislaw Gruszka <stanislaw.gruszka@linux.intel.com>
> ---
> drivers/gpu/drm/drm_drv.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/drm_drv.c b/drivers/gpu/drm/drm_drv.c
> index 8214a0b1ab7f..e3a1243dd2ae 100644
> --- a/drivers/gpu/drm/drm_drv.c
> +++ b/drivers/gpu/drm/drm_drv.c
> @@ -102,7 +102,8 @@ static void drm_minor_alloc_release(struct drm_device *dev, void *data)
>
> WARN_ON(dev != minor->dev);
>
> - put_device(minor->kdev);
> + if (!IS_ERR(minor->kdev))
> + put_device(minor->kdev);
Assigning error pointers into things is a terrible idea.
IMO the correct fix would be to not return some
half-constructed garbage from drm_minor_alloc().
So basically should at least partially revert
commit f96306f9892b ("drm: manage drm_minor cleanup with drmm_")
>
> spin_lock_irqsave(&drm_minor_lock, flags);
> idr_remove(&drm_minors_idr, minor->index);
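Review bot: the IS_ERR() guard around put_device() in drm_minor_alloc_release() treats the symptom rather than the cause. The callback only ever sees an error pointer because drm_minor_alloc() stores the return value of drm_sysfs_minor_alloc() into minor->kdev, and the trace in the commit message (drm_managed_release called from drm_dev_init) shows the drmm release action is already registered when that store fails; the RDI/RBP value fffffffffffffff4 in the register dump is -12 (-ENOMEM), consistent with an ERR_PTR reaching kobject_put(). Since put_device(NULL) is already a no-op, the more robust change is in drm_minor_alloc(): on failure, take the error code and reset the field before returning, e.g. `r = PTR_ERR(minor->kdev); minor->kdev = NULL; return r;`, so the release path needs no special case and never operates on a half-constructed minor. Alternatively, register the release action only after the kdev exists, which is the partial revert of f96306f9892b suggested above.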
> --
> 2.25.1
--
Ville Syrjälä
Intel
Thread overview: 5+ messages
2022-11-07 14:45 [PATCH RESEND] drm: fix crash in drm_minor_alloc_release Stanislaw Gruszka
2022-11-07 15:10 ` Ville Syrjälä [this message]
2022-11-07 15:40 ` Stanislaw Gruszka
2022-11-07 15:56 ` Ville Syrjälä
2022-11-08 16:24 ` Stanislaw Gruszka