public inbox for linux-kernel@vger.kernel.org
From: "Christian König" <deathsimple@vodafone.de>
To: "Tommi Rantala" <tt.rantala@gmail.com>,
	"Alex Deucher" <alexander.deucher@amd.com>,
	"Christian König" <christian.koenig@amd.com>,
	"David Airlie" <airlied@linux.ie>
Cc: linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org
Subject: Re: [PATCH] drm/radeon: fix DRM_IOCTL_RADEON_CS oops
Date: Tue, 03 Mar 2015 10:10:47 +0100
Message-ID: <54F57A97.9040204@vodafone.de>
In-Reply-To: <1425324967-7427-1-git-send-email-tt.rantala@gmail.com>

Good catch.

Patch is Reviewed-by: Christian König <christian.koenig@amd.com>

Regards,
Christian.

On 02.03.2015 20:36, Tommi Rantala wrote:
> Passing zeroed drm_radeon_cs struct to DRM_IOCTL_RADEON_CS produces the
> following oops.
>
> Fix by always calling INIT_LIST_HEAD() to avoid the crash in list_sort().
>
> ----------------------------------
>
>   #include <stdint.h>
>   #include <fcntl.h>
>   #include <unistd.h>
>   #include <sys/ioctl.h>
>   #include <drm/radeon_drm.h>
>
>   static const struct drm_radeon_cs cs;
>
>   int main(int argc, char **argv)
>   {
>           return ioctl(open(argv[1], O_RDWR), DRM_IOCTL_RADEON_CS, &cs);
>   }
>
> ----------------------------------
>
> [ttrantal@test2 ~]$ ./main /dev/dri/card0
> [   46.904650] BUG: unable to handle kernel NULL pointer dereference at           (null)
> [   46.905022] IP: [<ffffffff814d6df2>] list_sort+0x42/0x240
> [   46.905022] PGD 68f29067 PUD 688b5067 PMD 0
> [   46.905022] Oops: 0002 [#1] SMP
> [   46.905022] CPU: 0 PID: 2413 Comm: main Not tainted 4.0.0-rc1+ #58
> [   46.905022] Hardware name: Hewlett-Packard HP Compaq dc5750 Small Form Factor/0A64h, BIOS 786E3 v02.10 01/25/2007
> [   46.905022] task: ffff880058e2bcc0 ti: ffff880058e64000 task.ti: ffff880058e64000
> [   46.905022] RIP: 0010:[<ffffffff814d6df2>]  [<ffffffff814d6df2>] list_sort+0x42/0x240
> [   46.905022] RSP: 0018:ffff880058e67998  EFLAGS: 00010246
> [   46.905022] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
> [   46.905022] RDX: ffffffff81644410 RSI: ffff880058e67b40 RDI: ffff880058e67a58
> [   46.905022] RBP: ffff880058e67a88 R08: 0000000000000000 R09: 0000000000000000
> [   46.905022] R10: ffff880058e2bcc0 R11: ffffffff828e6ca0 R12: ffffffff81644410
> [   46.905022] R13: ffff8800694b8018 R14: 0000000000000000 R15: ffff880058e679b0
> [   46.905022] FS:  00007fdc65a65700(0000) GS:ffff88006d600000(0000) knlGS:0000000000000000
> [   46.905022] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [   46.905022] CR2: 0000000000000000 CR3: 0000000058dd9000 CR4: 00000000000006f0
> [   46.905022] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> [   46.905022] DR3: 0000000000000000 DR6: 00000000ffff4ff0 DR7: 0000000000000400
> [   46.905022] Stack:
> [   46.905022]  ffff880058e67b40 ffff880058e2bcc0 ffff880058e67a78 0000000000000000
> [   46.905022]  0000000000000000 0000000000000000 0000000000000000 0000000000000000
> [   46.905022]  0000000000000000 0000000000000000 0000000000000000 0000000000000000
> [   46.905022] Call Trace:
> [   46.905022]  [<ffffffff81644a65>] radeon_cs_parser_fini+0x195/0x220
> [   46.905022]  [<ffffffff81645069>] radeon_cs_ioctl+0xa9/0x960
> [   46.905022]  [<ffffffff815e1f7c>] drm_ioctl+0x19c/0x640
> [   46.905022]  [<ffffffff810f8fdd>] ? trace_hardirqs_on_caller+0xfd/0x1c0
> [   46.905022]  [<ffffffff810f90ad>] ? trace_hardirqs_on+0xd/0x10
> [   46.905022]  [<ffffffff8160c066>] radeon_drm_ioctl+0x46/0x80
> [   46.905022]  [<ffffffff81211868>] do_vfs_ioctl+0x318/0x570
> [   46.905022]  [<ffffffff81462ef6>] ? selinux_file_ioctl+0x56/0x110
> [   46.905022]  [<ffffffff81211b41>] SyS_ioctl+0x81/0xa0
> [   46.905022]  [<ffffffff81dc6312>] system_call_fastpath+0x12/0x17
> [   46.905022] Code: 48 89 b5 10 ff ff ff 0f 84 03 01 00 00 4c 8d bd 28 ff ff
> ff 31 c0 48 89 fb b9 15 00 00 00 49 89 d4 4c 89 ff f3 48 ab 48 8b 46 08 <48> c7
> 00 00 00 00 00 48 8b 0e 48 85 c9 0f 84 7d 00 00 00 c7 85
> [   46.905022] RIP  [<ffffffff814d6df2>] list_sort+0x42/0x240
> [   46.905022]  RSP <ffff880058e67998>
> [   46.905022] CR2: 0000000000000000
> [   47.149253] ---[ end trace 09576b4e8b2c20b8 ]---
>
> Signed-off-by: Tommi Rantala <tt.rantala@gmail.com>
> ---
>   drivers/gpu/drm/radeon/radeon_cs.c | 4 +++-
>   1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/radeon/radeon_cs.c b/drivers/gpu/drm/radeon/radeon_cs.c
> index a579ed3..4d0f96c 100644
> --- a/drivers/gpu/drm/radeon/radeon_cs.c
> +++ b/drivers/gpu/drm/radeon/radeon_cs.c
> @@ -256,11 +256,13 @@ int radeon_cs_parser_init(struct radeon_cs_parser *p, void *data)
>   	u32 ring = RADEON_CS_RING_GFX;
>   	s32 priority = 0;
>   
> +	INIT_LIST_HEAD(&p->validated);
> +
>   	if (!cs->num_chunks) {
>   		return 0;
>   	}
> +
>   	/* get chunks */
> -	INIT_LIST_HEAD(&p->validated);
>   	p->idx = 0;
>   	p->ib.sa_bo = NULL;
>   	p->const_ib.sa_bo = NULL;
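Review bot: the blank line inserted after the `}` of the `!cs->num_chunks` early return is a whitespace-only change unrelated to the fix; either drop it or mention it in the commit message. The move of `INIT_LIST_HEAD(&p->validated);` above the early return is the actual fix, since the call trace shows `radeon_cs_parser_fini()` calling `list_sort()` on `p->validated` even on the zero-chunks path; a one-line comment above the moved call saying that fini walks the list on every path would keep a future cleanup from moving it back below the return.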
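The failure mode the commit message describes, as an added userspace model that is not part of the patch or the radeon driver: a zeroed `list_head` has `next == NULL`, so a teardown path that walks the list unconditionally dereferences NULL unless every init path, including the early return, runs `INIT_LIST_HEAD()` first. The `parser`, `parser_init_*`, `parser_fini` and `run` names are hypothetical stand-ins for the driver's own structures.

```c
/* Added example, not from the patch or the radeon driver: models the
 * early-return-before-INIT_LIST_HEAD ordering bug in plain userspace C. */
#include <stddef.h>
#include <string.h>

struct list_head { struct list_head *next, *prev; };

static inline void INIT_LIST_HEAD(struct list_head *l) { l->next = l; l->prev = l; }

/* Hypothetical stand-in for the kernel's parser: the caller zeroes it,
 * just as the reproducer above passes a zeroed drm_radeon_cs. */
struct parser { unsigned num_chunks; struct list_head validated; };

/* Ordering before the patch: the early return skips the list init. */
static int parser_init_buggy(struct parser *p, unsigned num_chunks)
{
    if (!num_chunks) return 0;
    INIT_LIST_HEAD(&p->validated);
    p->num_chunks = num_chunks;
    return 0;
}

/* Ordering after the patch: the head is valid on every path fini can see. */
static int parser_init_fixed(struct parser *p, unsigned num_chunks)
{
    INIT_LIST_HEAD(&p->validated);
    if (!num_chunks) return 0;
    p->num_chunks = num_chunks;
    return 0;
}

/* Teardown walks the list unconditionally, like list_sort() does. A zeroed
 * head has next == NULL; the kernel dereferences it and oopses, this model
 * returns -1 instead so the two orderings can be compared. */
static int parser_fini(struct parser *p)
{
    int n = 0;
    struct list_head *pos;
    if (!p->validated.next) return -1;           /* the NULL deref case */
    for (pos = p->validated.next; pos != &p->validated; pos = pos->next) n++;
    return n;                                    /* entries walked, 0 if empty */
}

/* Drive one init variant with a zeroed parser and report what fini sees. */
static int run(int (*init)(struct parser *, unsigned), unsigned num_chunks)
{
    struct parser p;
    memset(&p, 0, sizeof p);                     /* mimics the zeroed argument */
    init(&p, num_chunks);
    return parser_fini(&p);
}
```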

