* [PATCH] drm/radeon: fix DRM_IOCTL_RADEON_CS oops
@ 2015-03-02 19:36 Tommi Rantala
From: Tommi Rantala @ 2015-03-02 19:36 UTC (permalink / raw)
To: Alex Deucher, Christian König, David Airlie
Cc: dri-devel, linux-kernel, Tommi Rantala
Passing zeroed drm_radeon_cs struct to DRM_IOCTL_RADEON_CS produces the
following oops.
Fix by always calling INIT_LIST_HEAD() to avoid the crash in list_sort().
----------------------------------
#include <stdint.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <drm/radeon_drm.h>
static const struct drm_radeon_cs cs;
int main(int argc, char **argv)
{
	return ioctl(open(argv[1], O_RDWR), DRM_IOCTL_RADEON_CS, &cs);
}
----------------------------------
[ttrantal@test2 ~]$ ./main /dev/dri/card0
[ 46.904650] BUG: unable to handle kernel NULL pointer dereference at (null)
[ 46.905022] IP: [<ffffffff814d6df2>] list_sort+0x42/0x240
[ 46.905022] PGD 68f29067 PUD 688b5067 PMD 0
[ 46.905022] Oops: 0002 [#1] SMP
[ 46.905022] CPU: 0 PID: 2413 Comm: main Not tainted 4.0.0-rc1+ #58
[ 46.905022] Hardware name: Hewlett-Packard HP Compaq dc5750 Small Form Factor/0A64h, BIOS 786E3 v02.10 01/25/2007
[ 46.905022] task: ffff880058e2bcc0 ti: ffff880058e64000 task.ti: ffff880058e64000
[ 46.905022] RIP: 0010:[<ffffffff814d6df2>] [<ffffffff814d6df2>] list_sort+0x42/0x240
[ 46.905022] RSP: 0018:ffff880058e67998 EFLAGS: 00010246
[ 46.905022] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[ 46.905022] RDX: ffffffff81644410 RSI: ffff880058e67b40 RDI: ffff880058e67a58
[ 46.905022] RBP: ffff880058e67a88 R08: 0000000000000000 R09: 0000000000000000
[ 46.905022] R10: ffff880058e2bcc0 R11: ffffffff828e6ca0 R12: ffffffff81644410
[ 46.905022] R13: ffff8800694b8018 R14: 0000000000000000 R15: ffff880058e679b0
[ 46.905022] FS: 00007fdc65a65700(0000) GS:ffff88006d600000(0000) knlGS:0000000000000000
[ 46.905022] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 46.905022] CR2: 0000000000000000 CR3: 0000000058dd9000 CR4: 00000000000006f0
[ 46.905022] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 46.905022] DR3: 0000000000000000 DR6: 00000000ffff4ff0 DR7: 0000000000000400
[ 46.905022] Stack:
[ 46.905022] ffff880058e67b40 ffff880058e2bcc0 ffff880058e67a78 0000000000000000
[ 46.905022] 0000000000000000 0000000000000000 0000000000000000 0000000000000000
[ 46.905022] 0000000000000000 0000000000000000 0000000000000000 0000000000000000
[ 46.905022] Call Trace:
[ 46.905022] [<ffffffff81644a65>] radeon_cs_parser_fini+0x195/0x220
[ 46.905022] [<ffffffff81645069>] radeon_cs_ioctl+0xa9/0x960
[ 46.905022] [<ffffffff815e1f7c>] drm_ioctl+0x19c/0x640
[ 46.905022] [<ffffffff810f8fdd>] ? trace_hardirqs_on_caller+0xfd/0x1c0
[ 46.905022] [<ffffffff810f90ad>] ? trace_hardirqs_on+0xd/0x10
[ 46.905022] [<ffffffff8160c066>] radeon_drm_ioctl+0x46/0x80
[ 46.905022] [<ffffffff81211868>] do_vfs_ioctl+0x318/0x570
[ 46.905022] [<ffffffff81462ef6>] ? selinux_file_ioctl+0x56/0x110
[ 46.905022] [<ffffffff81211b41>] SyS_ioctl+0x81/0xa0
[ 46.905022] [<ffffffff81dc6312>] system_call_fastpath+0x12/0x17
[ 46.905022] Code: 48 89 b5 10 ff ff ff 0f 84 03 01 00 00 4c 8d bd 28 ff ff
ff 31 c0 48 89 fb b9 15 00 00 00 49 89 d4 4c 89 ff f3 48 ab 48 8b 46 08 <48> c7
00 00 00 00 00 48 8b 0e 48 85 c9 0f 84 7d 00 00 00 c7 85
[ 46.905022] RIP [<ffffffff814d6df2>] list_sort+0x42/0x240
[ 46.905022] RSP <ffff880058e67998>
[ 46.905022] CR2: 0000000000000000
[ 47.149253] ---[ end trace 09576b4e8b2c20b8 ]---
Signed-off-by: Tommi Rantala <tt.rantala@gmail.com>
---
drivers/gpu/drm/radeon/radeon_cs.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/radeon/radeon_cs.c b/drivers/gpu/drm/radeon/radeon_cs.c
index a579ed3..4d0f96c 100644
--- a/drivers/gpu/drm/radeon/radeon_cs.c
+++ b/drivers/gpu/drm/radeon/radeon_cs.c
@@ -256,11 +256,13 @@ int radeon_cs_parser_init(struct radeon_cs_parser *p, void *data)
u32 ring = RADEON_CS_RING_GFX;
s32 priority = 0;
+ INIT_LIST_HEAD(&p->validated);
+
if (!cs->num_chunks) {
return 0;
}
+
/* get chunks */
- INIT_LIST_HEAD(&p->validated);
p->idx = 0;
p->ib.sa_bo = NULL;
p->const_ib.sa_bo = NULL;
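Review bot: On the `!cs->num_chunks` early return only `p->validated` is now set up; `p->idx`, `p->ib.sa_bo` and `p->const_ib.sa_bo` are still assigned below the return, so radeon_cs_parser_fini(), which the call trace shows running on this path, sees them exactly as the caller left them. Please confirm that fini reads none of them in a way that depends on init having run, or move those assignments above the early return next to INIT_LIST_HEAD() so the parser is in a consistent state whichever way init exits.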
--
1.9.3
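Why the zeroed request ends in a NULL write inside list_sort(), and why moving INIT_LIST_HEAD() above the early return stops it, as a userspace model added here (not code from the patch or the radeon driver). `parser_model`, `model_list_sort`, `model_parser_init` and `run_request` are hypothetical names, and the model assumes the parser struct starts out zero-filled, which matches the NULL address in the oops.

```c
#include <stdio.h>
#include <string.h>

/* Userspace copy of the kernel's circular doubly linked list head. */
struct list_head { struct list_head *next, *prev; };

static void init_list_head(struct list_head *h) { h->next = h; h->prev = h; }
static int list_empty(const struct list_head *h) { return h->next == h; }

/* Hypothetical stand-in for struct radeon_cs_parser; only the list matters. */
struct parser_model { struct list_head validated; };

enum { CLEANUP_OK = 0, CLEANUP_NULL_WRITE = -1 };

/* Opening steps of list_sort(): skip an empty list, else head->prev->next = NULL. */
static int model_list_sort(struct list_head *head)
{
	if (list_empty(head))		/* zeroed head: NULL != head, so "not empty" */
		return CLEANUP_OK;
	if (!head->prev)
		return CLEANUP_NULL_WRITE;	/* the kernel writes through NULL here */
	head->prev->next = NULL;
	return CLEANUP_OK;
}

/* Init with the early return; `patched` selects where the list head is set up. */
static void model_parser_init(struct parser_model *p, unsigned num_chunks, int patched)
{
	if (patched)
		init_list_head(&p->validated);	/* after the patch: before the check */
	if (!num_chunks)
		return;
	init_list_head(&p->validated);		/* before the patch: only reached here */
}

/* One request: zero-filled parser (assumption), init, then the cleanup sort. */
int run_request(unsigned num_chunks, int patched)
{
	struct parser_model p;
	memset(&p, 0, sizeof(p));
	model_parser_init(&p, num_chunks, patched);
	return model_list_sort(&p.validated);
}

int main(void)
{
	printf("0 chunks: unpatched=%d patched=%d\n", run_request(0, 0), run_request(0, 1));
	return 0;
}
```

A zeroed `list_head` is not an empty list: the empty check compares `next` with the head's own address, so only an initialised head passes it.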
* Re: [PATCH] drm/radeon: fix DRM_IOCTL_RADEON_CS oops
@ 2015-03-03 9:10 ` Christian König
From: Christian König @ 2015-03-03 9:10 UTC (permalink / raw)
To: Tommi Rantala, Alex Deucher, Christian König, David Airlie
Cc: linux-kernel, dri-devel
Good catch.
Patch is Reviewed-by: Christian König <christian.koenig@amd.com>
Regards,
Christian.
On 02.03.2015 20:36, Tommi Rantala wrote:
> Passing zeroed drm_radeon_cs struct to DRM_IOCTL_RADEON_CS produces the
> following oops.
>
> Fix by always calling INIT_LIST_HEAD() to avoid the crash in list_sort().
>
> ----------------------------------
>
> #include <stdint.h>
> #include <fcntl.h>
> #include <unistd.h>
> #include <sys/ioctl.h>
> #include <drm/radeon_drm.h>
>
> static const struct drm_radeon_cs cs;
>
> int main(int argc, char **argv)
> {
> 	return ioctl(open(argv[1], O_RDWR), DRM_IOCTL_RADEON_CS, &cs);
> }
>
> ----------------------------------
>
> [ttrantal@test2 ~]$ ./main /dev/dri/card0
> [ 46.904650] BUG: unable to handle kernel NULL pointer dereference at (null)
> [ 46.905022] IP: [<ffffffff814d6df2>] list_sort+0x42/0x240
> [ 46.905022] PGD 68f29067 PUD 688b5067 PMD 0
> [ 46.905022] Oops: 0002 [#1] SMP
> [ 46.905022] CPU: 0 PID: 2413 Comm: main Not tainted 4.0.0-rc1+ #58
> [ 46.905022] Hardware name: Hewlett-Packard HP Compaq dc5750 Small Form Factor/0A64h, BIOS 786E3 v02.10 01/25/2007
> [ 46.905022] task: ffff880058e2bcc0 ti: ffff880058e64000 task.ti: ffff880058e64000
> [ 46.905022] RIP: 0010:[<ffffffff814d6df2>] [<ffffffff814d6df2>] list_sort+0x42/0x240
> [ 46.905022] RSP: 0018:ffff880058e67998 EFLAGS: 00010246
> [ 46.905022] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
> [ 46.905022] RDX: ffffffff81644410 RSI: ffff880058e67b40 RDI: ffff880058e67a58
> [ 46.905022] RBP: ffff880058e67a88 R08: 0000000000000000 R09: 0000000000000000
> [ 46.905022] R10: ffff880058e2bcc0 R11: ffffffff828e6ca0 R12: ffffffff81644410
> [ 46.905022] R13: ffff8800694b8018 R14: 0000000000000000 R15: ffff880058e679b0
> [ 46.905022] FS: 00007fdc65a65700(0000) GS:ffff88006d600000(0000) knlGS:0000000000000000
> [ 46.905022] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 46.905022] CR2: 0000000000000000 CR3: 0000000058dd9000 CR4: 00000000000006f0
> [ 46.905022] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> [ 46.905022] DR3: 0000000000000000 DR6: 00000000ffff4ff0 DR7: 0000000000000400
> [ 46.905022] Stack:
> [ 46.905022] ffff880058e67b40 ffff880058e2bcc0 ffff880058e67a78 0000000000000000
> [ 46.905022] 0000000000000000 0000000000000000 0000000000000000 0000000000000000
> [ 46.905022] 0000000000000000 0000000000000000 0000000000000000 0000000000000000
> [ 46.905022] Call Trace:
> [ 46.905022] [<ffffffff81644a65>] radeon_cs_parser_fini+0x195/0x220
> [ 46.905022] [<ffffffff81645069>] radeon_cs_ioctl+0xa9/0x960
> [ 46.905022] [<ffffffff815e1f7c>] drm_ioctl+0x19c/0x640
> [ 46.905022] [<ffffffff810f8fdd>] ? trace_hardirqs_on_caller+0xfd/0x1c0
> [ 46.905022] [<ffffffff810f90ad>] ? trace_hardirqs_on+0xd/0x10
> [ 46.905022] [<ffffffff8160c066>] radeon_drm_ioctl+0x46/0x80
> [ 46.905022] [<ffffffff81211868>] do_vfs_ioctl+0x318/0x570
> [ 46.905022] [<ffffffff81462ef6>] ? selinux_file_ioctl+0x56/0x110
> [ 46.905022] [<ffffffff81211b41>] SyS_ioctl+0x81/0xa0
> [ 46.905022] [<ffffffff81dc6312>] system_call_fastpath+0x12/0x17
> [ 46.905022] Code: 48 89 b5 10 ff ff ff 0f 84 03 01 00 00 4c 8d bd 28 ff ff
> ff 31 c0 48 89 fb b9 15 00 00 00 49 89 d4 4c 89 ff f3 48 ab 48 8b 46 08 <48> c7
> 00 00 00 00 00 48 8b 0e 48 85 c9 0f 84 7d 00 00 00 c7 85
> [ 46.905022] RIP [<ffffffff814d6df2>] list_sort+0x42/0x240
> [ 46.905022] RSP <ffff880058e67998>
> [ 46.905022] CR2: 0000000000000000
> [ 47.149253] ---[ end trace 09576b4e8b2c20b8 ]---
>
> Signed-off-by: Tommi Rantala <tt.rantala@gmail.com>
> ---
> drivers/gpu/drm/radeon/radeon_cs.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/radeon/radeon_cs.c b/drivers/gpu/drm/radeon/radeon_cs.c
> index a579ed3..4d0f96c 100644
> --- a/drivers/gpu/drm/radeon/radeon_cs.c
> +++ b/drivers/gpu/drm/radeon/radeon_cs.c
> @@ -256,11 +256,13 @@ int radeon_cs_parser_init(struct radeon_cs_parser *p, void *data)
> u32 ring = RADEON_CS_RING_GFX;
> s32 priority = 0;
>
> + INIT_LIST_HEAD(&p->validated);
> +
> if (!cs->num_chunks) {
> return 0;
> }
> +
> /* get chunks */
> - INIT_LIST_HEAD(&p->validated);
> p->idx = 0;
> p->ib.sa_bo = NULL;
> p->const_ib.sa_bo = NULL;
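Review bot: The `INIT_LIST_HEAD(&p->validated);` now at the top of radeon_cs_parser_init() carries no comment saying why it has to precede the `num_chunks` check, and it sits apart from the rest of the field setup under `/* get chunks */`, so a later tidy-up could move it back. A one-line comment noting that the list is sorted on teardown even when no chunks were submitted would protect the fix.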
* Re: [PATCH] drm/radeon: fix DRM_IOCTL_RADEON_CS oops
@ 2015-03-03 13:28 ` Alex Deucher
From: Alex Deucher @ 2015-03-03 13:28 UTC (permalink / raw)
To: Christian König
Cc: Tommi Rantala, Alex Deucher, Christian König, David Airlie,
LKML, Mailing list - DRI developers
On Tue, Mar 3, 2015 at 4:10 AM, Christian König <deathsimple@vodafone.de> wrote:
> Good catch.
>
> Patch is Reviewed-by: Christian König <christian.koenig@amd.com>
>
> Regards,
> Christian.
>
Applied to my -fixes tree. Thanks!
Alex
>
> On 02.03.2015 20:36, Tommi Rantala wrote:
>>
>> Passing zeroed drm_radeon_cs struct to DRM_IOCTL_RADEON_CS produces the
>> following oops.
>>
>> Fix by always calling INIT_LIST_HEAD() to avoid the crash in list_sort().
>>
>> ----------------------------------
>>
>> #include <stdint.h>
>> #include <fcntl.h>
>> #include <unistd.h>
>> #include <sys/ioctl.h>
>> #include <drm/radeon_drm.h>
>>
>> static const struct drm_radeon_cs cs;
>>
>> int main(int argc, char **argv)
>> {
>> 	return ioctl(open(argv[1], O_RDWR), DRM_IOCTL_RADEON_CS, &cs);
>> }
>>
>> ----------------------------------
>>
>> [ttrantal@test2 ~]$ ./main /dev/dri/card0
>> [ 46.904650] BUG: unable to handle kernel NULL pointer dereference at
>> (null)
>> [ 46.905022] IP: [<ffffffff814d6df2>] list_sort+0x42/0x240
>> [ 46.905022] PGD 68f29067 PUD 688b5067 PMD 0
>> [ 46.905022] Oops: 0002 [#1] SMP
>> [ 46.905022] CPU: 0 PID: 2413 Comm: main Not tainted 4.0.0-rc1+ #58
>> [ 46.905022] Hardware name: Hewlett-Packard HP Compaq dc5750 Small Form
>> Factor/0A64h, BIOS 786E3 v02.10 01/25/2007
>> [ 46.905022] task: ffff880058e2bcc0 ti: ffff880058e64000 task.ti:
>> ffff880058e64000
>> [ 46.905022] RIP: 0010:[<ffffffff814d6df2>] [<ffffffff814d6df2>]
>> list_sort+0x42/0x240
>> [ 46.905022] RSP: 0018:ffff880058e67998 EFLAGS: 00010246
>> [ 46.905022] RAX: 0000000000000000 RBX: 0000000000000000 RCX:
>> 0000000000000000
>> [ 46.905022] RDX: ffffffff81644410 RSI: ffff880058e67b40 RDI:
>> ffff880058e67a58
>> [ 46.905022] RBP: ffff880058e67a88 R08: 0000000000000000 R09:
>> 0000000000000000
>> [ 46.905022] R10: ffff880058e2bcc0 R11: ffffffff828e6ca0 R12:
>> ffffffff81644410
>> [ 46.905022] R13: ffff8800694b8018 R14: 0000000000000000 R15:
>> ffff880058e679b0
>> [ 46.905022] FS: 00007fdc65a65700(0000) GS:ffff88006d600000(0000)
>> knlGS:0000000000000000
>> [ 46.905022] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> [ 46.905022] CR2: 0000000000000000 CR3: 0000000058dd9000 CR4:
>> 00000000000006f0
>> [ 46.905022] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
>> 0000000000000000
>> [ 46.905022] DR3: 0000000000000000 DR6: 00000000ffff4ff0 DR7:
>> 0000000000000400
>> [ 46.905022] Stack:
>> [ 46.905022] ffff880058e67b40 ffff880058e2bcc0 ffff880058e67a78
>> 0000000000000000
>> [ 46.905022] 0000000000000000 0000000000000000 0000000000000000
>> 0000000000000000
>> [ 46.905022] 0000000000000000 0000000000000000 0000000000000000
>> 0000000000000000
>> [ 46.905022] Call Trace:
>> [ 46.905022] [<ffffffff81644a65>] radeon_cs_parser_fini+0x195/0x220
>> [ 46.905022] [<ffffffff81645069>] radeon_cs_ioctl+0xa9/0x960
>> [ 46.905022] [<ffffffff815e1f7c>] drm_ioctl+0x19c/0x640
>> [ 46.905022] [<ffffffff810f8fdd>] ? trace_hardirqs_on_caller+0xfd/0x1c0
>> [ 46.905022] [<ffffffff810f90ad>] ? trace_hardirqs_on+0xd/0x10
>> [ 46.905022] [<ffffffff8160c066>] radeon_drm_ioctl+0x46/0x80
>> [ 46.905022] [<ffffffff81211868>] do_vfs_ioctl+0x318/0x570
>> [ 46.905022] [<ffffffff81462ef6>] ? selinux_file_ioctl+0x56/0x110
>> [ 46.905022] [<ffffffff81211b41>] SyS_ioctl+0x81/0xa0
>> [ 46.905022] [<ffffffff81dc6312>] system_call_fastpath+0x12/0x17
>> [ 46.905022] Code: 48 89 b5 10 ff ff ff 0f 84 03 01 00 00 4c 8d bd 28 ff
>> ff
>> ff 31 c0 48 89 fb b9 15 00 00 00 49 89 d4 4c 89 ff f3 48 ab 48 8b 46 08
>> <48> c7
>> 00 00 00 00 00 48 8b 0e 48 85 c9 0f 84 7d 00 00 00 c7 85
>> [ 46.905022] RIP [<ffffffff814d6df2>] list_sort+0x42/0x240
>> [ 46.905022] RSP <ffff880058e67998>
>> [ 46.905022] CR2: 0000000000000000
>> [ 47.149253] ---[ end trace 09576b4e8b2c20b8 ]---
>>
>> Signed-off-by: Tommi Rantala <tt.rantala@gmail.com>
>> ---
>> drivers/gpu/drm/radeon/radeon_cs.c | 4 +++-
>> 1 file changed, 3 insertions(+), 1 deletion(-)
>>
>> diff --git a/drivers/gpu/drm/radeon/radeon_cs.c
>> b/drivers/gpu/drm/radeon/radeon_cs.c
>> index a579ed3..4d0f96c 100644
>> --- a/drivers/gpu/drm/radeon/radeon_cs.c
>> +++ b/drivers/gpu/drm/radeon/radeon_cs.c
>> @@ -256,11 +256,13 @@ int radeon_cs_parser_init(struct radeon_cs_parser
>> *p, void *data)
>> u32 ring = RADEON_CS_RING_GFX;
>> s32 priority = 0;
>> + INIT_LIST_HEAD(&p->validated);
>> +
>> if (!cs->num_chunks) {
>> return 0;
>> }
>> +
>> /* get chunks */
>> - INIT_LIST_HEAD(&p->validated);
>> p->idx = 0;
>> p->ib.sa_bo = NULL;
>> p->const_ib.sa_bo = NULL;
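Review bot: The blank line added between the closing brace of the `num_chunks` check and `/* get chunks */` is a whitespace change unrelated to the fix. Dropping it would leave the hunk as just the moved INIT_LIST_HEAD() call and its separator line.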