1. 19 10月, 2018 1 次提交
    • L
      drm: Get ref on CRTC commit object when waiting for flip_done · 4364bcb2
      Leo Li 提交于
      This fixes a general protection fault, caused by accessing the contents
      of a flip_done completion object that has already been freed. It occurs
      due to the preemption of a non-blocking commit worker thread W by
      another commit thread X. X continues to clear its atomic state at the
      end, destroying the CRTC commit object that W still needs. Switching
      back to W and accessing the commit objects then leads to bad results.
      
      Worker W becomes preemptable when waiting for flip_done to complete. At
      this point, a frequently occurring commit thread X can take over. Here's
      an example where W is a worker thread that flips on both CRTCs, and X
      does a legacy cursor update on both CRTCs:
      
              ...
           1. W does flip work
           2. W runs commit_hw_done()
           3. W waits for flip_done on CRTC 1
           4. > flip_done for CRTC 1 completes
           5. W finishes waiting for CRTC 1
           6. W waits for flip_done on CRTC 2
      
           7. > Preempted by X
           8. > flip_done for CRTC 2 completes
           9. X atomic_check: hw_done and flip_done are complete on all CRTCs
          10. X updates cursor on both CRTCs
          11. X destroys atomic state
          12. X done
      
          13. > Switch back to W
          14. W waits for flip_done on CRTC 2
          15. W raises general protection fault
      
      The error looks like so:
      
          general protection fault: 0000 [#1] PREEMPT SMP PTI
          **snip**
          Call Trace:
           lock_acquire+0xa2/0x1b0
           _raw_spin_lock_irq+0x39/0x70
           wait_for_completion_timeout+0x31/0x130
           drm_atomic_helper_wait_for_flip_done+0x64/0x90 [drm_kms_helper]
           amdgpu_dm_atomic_commit_tail+0xcae/0xdd0 [amdgpu]
           commit_tail+0x3d/0x70 [drm_kms_helper]
           process_one_work+0x212/0x650
           worker_thread+0x49/0x420
           kthread+0xfb/0x130
           ret_from_fork+0x3a/0x50
          Modules linked in: x86_pkg_temp_thermal amdgpu(O) chash(O)
          gpu_sched(O) drm_kms_helper(O) syscopyarea sysfillrect sysimgblt
          fb_sys_fops ttm(O) drm(O)
      
      Note that i915 has this issue masked, since hw_done is signaled after
      waiting for flip_done. Doing so will block the cursor update from
      happening until hw_done is signaled, preventing the cursor commit from
      destroying the state.
      
      v2: The reference on the commit object needs to be obtained before
          hw_done() is signaled, since that's the point where another commit
          is allowed to modify the state. Assuming that the
          new_crtc_state->commit object still exists within flip_done() is
          incorrect.
      
          Fix by getting a reference in setup_commit(), and releasing it
          during default_clear().
      Signed-off-by: NLeo Li <sunpeng.li@amd.com>
      Reviewed-by: NDaniel Vetter <daniel.vetter@ffwll.ch>
      Signed-off-by: NHarry Wentland <harry.wentland@amd.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/1539611200-6184-1-git-send-email-sunpeng.li@amd.com
      4364bcb2
  2. 16 10月, 2018 1 次提交
  3. 05 10月, 2018 1 次提交
  4. 04 10月, 2018 1 次提交
  5. 03 10月, 2018 1 次提交
  6. 02 10月, 2018 2 次提交
    • N
      drm/cma-helper: Fix crash in fbdev error path · 4d4c2d89
      Noralf Trønnes 提交于
      Sergey Suloev reported a crash happening in drm_client_dev_hotplug()
      when fbdev had failed to register.
      
      [    9.124598] vc4_hdmi 3f902000.hdmi: ASoC: Failed to create component debugfs directory
      [    9.147667] vc4_hdmi 3f902000.hdmi: vc4-hdmi-hifi <-> 3f902000.hdmi mapping ok
      [    9.155184] vc4_hdmi 3f902000.hdmi: ASoC: no DMI vendor name!
      [    9.166544] vc4-drm soc:gpu: bound 3f902000.hdmi (ops vc4_hdmi_ops [vc4])
      [    9.173840] vc4-drm soc:gpu: bound 3f806000.vec (ops vc4_vec_ops [vc4])
      [    9.181029] vc4-drm soc:gpu: bound 3f004000.txp (ops vc4_txp_ops [vc4])
      [    9.188519] vc4-drm soc:gpu: bound 3f400000.hvs (ops vc4_hvs_ops [vc4])
      [    9.195690] vc4-drm soc:gpu: bound 3f206000.pixelvalve (ops vc4_crtc_ops [vc4])
      [    9.203523] vc4-drm soc:gpu: bound 3f207000.pixelvalve (ops vc4_crtc_ops [vc4])
      [    9.215032] vc4-drm soc:gpu: bound 3f807000.pixelvalve (ops vc4_crtc_ops [vc4])
      [    9.274785] vc4-drm soc:gpu: bound 3fc00000.v3d (ops vc4_v3d_ops [vc4])
      [    9.290246] [drm] Initialized vc4 0.0.0 20140616 for soc:gpu on minor 0
      [    9.297464] [drm] Supports vblank timestamp caching Rev 2 (21.10.2013).
      [    9.304600] [drm] Driver supports precise vblank timestamp query.
      [    9.382856] vc4-drm soc:gpu: [drm:drm_fb_helper_fbdev_setup [drm_kms_helper]] *ERROR* Failed to set fbdev configuration
      [   10.404937] Unable to handle kernel paging request at virtual address 00330a656369768a
      [   10.441620] [00330a656369768a] address between user and kernel address ranges
      [   10.449087] Internal error: Oops: 96000004 [#1] PREEMPT SMP
      [   10.454762] Modules linked in: brcmfmac vc4 drm_kms_helper cfg80211 drm rfkill smsc95xx brcmutil usbnet drm_panel_orientation_quirks raspberrypi_hwmon bcm2835_dma crc32_ce pwm_bcm2835 bcm2835_rng virt_dma rng_core i2c_bcm2835 ip_tables x_tables ipv6
      [   10.477296] CPU: 2 PID: 45 Comm: kworker/2:1 Not tainted 4.19.0-rc5 #3
      [   10.483934] Hardware name: Raspberry Pi 3 Model B Rev 1.2 (DT)
      [   10.489966] Workqueue: events output_poll_execute [drm_kms_helper]
      [   10.596515] Process kworker/2:1 (pid: 45, stack limit = 0x000000007e8924dc)
      [   10.603590] Call trace:
      [   10.606259]  drm_client_dev_hotplug+0x5c/0xb0 [drm]
      [   10.611303]  drm_kms_helper_hotplug_event+0x30/0x40 [drm_kms_helper]
      [   10.617849]  output_poll_execute+0xc4/0x1e0 [drm_kms_helper]
      [   10.623616]  process_one_work+0x1c8/0x318
      [   10.627695]  worker_thread+0x48/0x428
      [   10.631420]  kthread+0xf8/0x128
      [   10.634615]  ret_from_fork+0x10/0x18
      [   10.638255] Code: 54000220 f9401261 aa1303e0 b4000141 (f9400c21)
      [   10.644456] ---[ end trace c75b4a4b0e141908 ]---
      
      The reason for this is that drm_fbdev_cma_init() removes the drm_client
      when fbdev registration fails, but it doesn't remove the client from the
      drm_device client list. So the client list now has a pointer that points
      into the unknown and we have a 'use after free' situation.
      
      Split drm_client_new() into drm_client_init() and drm_client_add() to fix
      removal in the error path.
      
      Fixes: 894a677f ("drm/cma-helper: Use the generic fbdev emulation")
      Reported-by: NSergey Suloev <ssuloev@orpaltech.com>
      Cc: Stefan Wahren <stefan.wahren@i2se.com>
      Cc: Eric Anholt <eric@anholt.net>
      Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
      Signed-off-by: NNoralf Trønnes <noralf@tronnes.org>
      Reviewed-by: NDaniel Vetter <daniel.vetter@ffwll.ch>
      Link: https://patchwork.freedesktop.org/patch/msgid/20181001194536.57756-1-noralf@tronnes.org
      4d4c2d89
    • J
      drm: fix use-after-free read in drm_mode_create_lease_ioctl() · 12d43deb
      Jann Horn 提交于
      fd_install() moves the reference given to it into the file descriptor table
      of the current process. If the current process is multithreaded, then
      immediately after fd_install(), another thread can close() the file
      descriptor and cause the file's resources to be cleaned up.
      
      Since the reference to "lessee" is held by the file, we must not access
      "lessee" after the fd_install() call.
      
      As far as I can tell, to reach this codepath, the caller must have an open
      file descriptor to a DRI device in master mode. I'm not sure what the
      requirements for that are.
      Signed-off-by: NJann Horn <jannh@google.com>
      Fixes: 62884cd3 ("drm: Add four ioctls for managing drm mode object leases [v7]")
      Cc: stable@vger.kernel.org
      Signed-off-by: NDaniel Vetter <daniel.vetter@ffwll.ch>
      Link: https://patchwork.freedesktop.org/patch/msgid/20181001153117.216923-1-jannh@google.com
      12d43deb
  7. 30 9月, 2018 8 次提交
  8. 29 9月, 2018 12 次提交
  9. 28 9月, 2018 11 次提交
  10. 27 9月, 2018 2 次提交