* [PATCH] drm: fix send_vblank_event use-after-free error
@ 2016-06-20 16:42 Matthew Auld
2016-06-20 17:17 ` ✗ Ro.CI.BAT: warning for " Patchwork
2016-06-20 19:18 ` [PATCH] " Daniel Vetter
0 siblings, 2 replies; 3+ messages in thread
From: Matthew Auld @ 2016-06-20 16:42 UTC (permalink / raw)
To: intel-gfx; +Cc: Daniel Vetter, dri-devel
The drm_pending_event can be freed by drm_send_event_locked, as a
result we should call trace_drm_vblank_event_delivered before this
to avoid hitting a user-after-free error when accessing the pid member:
[ 378.438497] BUG: KASAN: use-after-free in send_vblank_event+0xf0/0x310 [drm] at addr ffff8801ac7e50a0
[ 378.438500] Read of size 4 by task Xorg/1562
[ 378.438501] =============================================================================
[ 378.438504] BUG kmalloc-128 (Tainted: G B ): kasan: bad access detected
[ 378.438506] -----------------------------------------------------------------------------
[ 378.438509] INFO: Freed in 0x10001309c age=18446737369265680575 cpu=0 pid=0
[ 378.438541] drm_send_event_locked+0x207/0x2f0 [drm]
[ 378.438544] __slab_free+0x24c/0x650
[ 378.438546] kfree+0x3a2/0x760
[ 378.438578] drm_send_event_locked+0x207/0x2f0 [drm]
[ 378.438610] send_vblank_event+0xb7/0x310 [drm]
[ 378.438643] drm_crtc_send_vblank_event+0x130/0x1f0 [drm]
[ 378.438722] intel_atomic_commit_tail+0x23b5/0x53f0 [i915]
[ 378.438802] intel_atomic_commit+0xbae/0x12f0 [i915]
[ 378.438839] drm_atomic_commit+0xb0/0x120 [drm]
[ 378.438855] drm_atomic_helper_connector_dpms+0x339/0x5d0 [drm_kms_helper]
[ 378.438891] drm_mode_obj_set_property_ioctl+0x8f1/0xcc0 [drm]
[ 378.438927] drm_mode_connector_property_set_ioctl+0xf3/0x170 [drm]
[ 378.438959] drm_ioctl+0x2d7/0xae0 [drm]
[ 378.438962] do_vfs_ioctl+0x1c9/0x1280
[ 378.438964] SyS_ioctl+0x79/0x90
[ 378.438967] entry_SYSCALL_64_fastpath+0x1a/0xa4
Cc: dri-devel@lists.freedesktop.org
Cc: Daniel Vetter <daniel.vetter@intel.com>
Signed-off-by: Matthew Auld <matthew.auld@intel.com>
---
drivers/gpu/drm/drm_irq.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/drm_irq.c b/drivers/gpu/drm/drm_irq.c
index 76e39c5..8ca3d2b 100644
--- a/drivers/gpu/drm/drm_irq.c
+++ b/drivers/gpu/drm/drm_irq.c
@@ -994,10 +994,10 @@ static void send_vblank_event(struct drm_device *dev,
e->event.tv_sec = now->tv_sec;
e->event.tv_usec = now->tv_usec;
- drm_send_event_locked(dev, &e->base);
-
trace_drm_vblank_event_delivered(e->base.pid, e->pipe,
e->event.sequence);
+
+ drm_send_event_locked(dev, &e->base);
}
/**
--
2.5.5
_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx
^ permalink raw reply related [flat|nested] 3+ messages in thread
* ✗ Ro.CI.BAT: warning for drm: fix send_vblank_event use-after-free error
2016-06-20 16:42 [PATCH] drm: fix send_vblank_event use-after-free error Matthew Auld
@ 2016-06-20 17:17 ` Patchwork
2016-06-20 19:18 ` [PATCH] " Daniel Vetter
1 sibling, 0 replies; 3+ messages in thread
From: Patchwork @ 2016-06-20 17:17 UTC (permalink / raw)
To: Matthew Auld; +Cc: intel-gfx
== Series Details ==
Series: drm: fix send_vblank_event use-after-free error
URL : https://patchwork.freedesktop.org/series/8939/
State : warning
== Summary ==
Series 8939v1 drm: fix send_vblank_event use-after-free error
http://patchwork.freedesktop.org/api/1.0/series/8939/revisions/1/mbox
Test kms_pipe_crc_basic:
Subgroup suspend-read-crc-pipe-b:
skip -> DMESG-WARN (ro-bdw-i5-5250u)
Subgroup suspend-read-crc-pipe-c:
skip -> DMESG-WARN (ro-bdw-i5-5250u)
ro-bdw-i5-5250u total:223 pass:195 dwarn:3 dfail:0 fail:2 skip:23
ro-bdw-i7-5600u total:223 pass:183 dwarn:0 dfail:0 fail:2 skip:38
ro-bsw-n3050 total:223 pass:170 dwarn:0 dfail:0 fail:4 skip:49
ro-byt-n2820 total:223 pass:171 dwarn:0 dfail:0 fail:5 skip:47
ro-hsw-i3-4010u total:223 pass:188 dwarn:0 dfail:0 fail:2 skip:33
ro-hsw-i7-4770r total:223 pass:188 dwarn:0 dfail:0 fail:2 skip:33
ro-ilk-i7-620lm total:223 pass:148 dwarn:0 dfail:0 fail:3 skip:72
ro-ilk1-i5-650 total:218 pass:148 dwarn:0 dfail:0 fail:3 skip:67
ro-ivb-i7-3770 total:223 pass:179 dwarn:0 dfail:0 fail:2 skip:42
ro-ivb2-i7-3770 total:223 pass:183 dwarn:0 dfail:0 fail:2 skip:38
ro-skl3-i5-6260u total:223 pass:199 dwarn:1 dfail:0 fail:2 skip:21
ro-snb-i7-2620M total:223 pass:172 dwarn:0 dfail:0 fail:3 skip:48
ro-bdw-i7-5557U failed to connect after reboot
Results at /archive/results/CI_IGT_test/RO_Patchwork_1242/
9bb3a64 drm-intel-nightly: 2016y-06m-20d-14h-58m-45s UTC integration manifest
ca52fa3 drm: fix send_vblank_event use-after-free error
_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] drm: fix send_vblank_event use-after-free error
2016-06-20 16:42 [PATCH] drm: fix send_vblank_event use-after-free error Matthew Auld
2016-06-20 17:17 ` ✗ Ro.CI.BAT: warning for " Patchwork
@ 2016-06-20 19:18 ` Daniel Vetter
1 sibling, 0 replies; 3+ messages in thread
From: Daniel Vetter @ 2016-06-20 19:18 UTC (permalink / raw)
To: Matthew Auld; +Cc: Daniel Vetter, intel-gfx, dri-devel
On Mon, Jun 20, 2016 at 05:42:46PM +0100, Matthew Auld wrote:
> The drm_pending_event can be freed by drm_send_event_locked, as a
> result we should call trace_drm_vblank_event_delivered before this
> to avoid hitting a user-after-free error when accessing the pid member:
>
> [ 378.438497] BUG: KASAN: use-after-free in send_vblank_event+0xf0/0x310 [drm] at addr ffff8801ac7e50a0
> [ 378.438500] Read of size 4 by task Xorg/1562
> [ 378.438501] =============================================================================
> [ 378.438504] BUG kmalloc-128 (Tainted: G B ): kasan: bad access detected
> [ 378.438506] -----------------------------------------------------------------------------
>
> [ 378.438509] INFO: Freed in 0x10001309c age=18446737369265680575 cpu=0 pid=0
> [ 378.438541] drm_send_event_locked+0x207/0x2f0 [drm]
> [ 378.438544] __slab_free+0x24c/0x650
> [ 378.438546] kfree+0x3a2/0x760
> [ 378.438578] drm_send_event_locked+0x207/0x2f0 [drm]
> [ 378.438610] send_vblank_event+0xb7/0x310 [drm]
> [ 378.438643] drm_crtc_send_vblank_event+0x130/0x1f0 [drm]
> [ 378.438722] intel_atomic_commit_tail+0x23b5/0x53f0 [i915]
> [ 378.438802] intel_atomic_commit+0xbae/0x12f0 [i915]
> [ 378.438839] drm_atomic_commit+0xb0/0x120 [drm]
> [ 378.438855] drm_atomic_helper_connector_dpms+0x339/0x5d0 [drm_kms_helper]
> [ 378.438891] drm_mode_obj_set_property_ioctl+0x8f1/0xcc0 [drm]
> [ 378.438927] drm_mode_connector_property_set_ioctl+0xf3/0x170 [drm]
> [ 378.438959] drm_ioctl+0x2d7/0xae0 [drm]
> [ 378.438962] do_vfs_ioctl+0x1c9/0x1280
> [ 378.438964] SyS_ioctl+0x79/0x90
> [ 378.438967] entry_SYSCALL_64_fastpath+0x1a/0xa4
>
> Cc: dri-devel@lists.freedesktop.org
> Cc: Daniel Vetter <daniel.vetter@intel.com>
> Signed-off-by: Matthew Auld <matthew.auld@intel.com>
Nice catch, applied to drm-misc.
Thanks, Daniel
> ---
> drivers/gpu/drm/drm_irq.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/gpu/drm/drm_irq.c b/drivers/gpu/drm/drm_irq.c
> index 76e39c5..8ca3d2b 100644
> --- a/drivers/gpu/drm/drm_irq.c
> +++ b/drivers/gpu/drm/drm_irq.c
> @@ -994,10 +994,10 @@ static void send_vblank_event(struct drm_device *dev,
> e->event.tv_sec = now->tv_sec;
> e->event.tv_usec = now->tv_usec;
>
> - drm_send_event_locked(dev, &e->base);
> -
> trace_drm_vblank_event_delivered(e->base.pid, e->pipe,
> e->event.sequence);
> +
> + drm_send_event_locked(dev, &e->base);
> }
>
> /**
> --
> 2.5.5
>
> _______________________________________________
> Intel-gfx mailing list
> Intel-gfx@lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/intel-gfx
--
Daniel Vetter
Software Engineer, Intel Corporation
http://blog.ffwll.ch
_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2016-06-20 19:18 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-06-20 16:42 [PATCH] drm: fix send_vblank_event use-after-free error Matthew Auld
2016-06-20 17:17 ` ✗ Ro.CI.BAT: warning for " Patchwork
2016-06-20 19:18 ` [PATCH] " Daniel Vetter
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.