linux-kernel.vger.kernel.org archive mirror
From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Akhil P Oommen <akhilpo@codeaurora.org>,
	Rob Clark <robdclark@chromium.org>,
	Sasha Levin <sashal@kernel.org>,
	linux-arm-msm@vger.kernel.org, dri-devel@lists.freedesktop.org,
	freedreno@lists.freedesktop.org
Subject: [PATCH AUTOSEL 5.4 22/45] drm/msm: Fix a null pointer access in msm_gem_shrinker_count()
Date: Mon, 10 Aug 2020 15:11:30 -0400	[thread overview]
Message-ID: <20200810191153.3794446-22-sashal@kernel.org> (raw)
In-Reply-To: <20200810191153.3794446-1-sashal@kernel.org>

From: Akhil P Oommen <akhilpo@codeaurora.org>

[ Upstream commit 3cbdc8d8b7f39a7af3ea7b8dfa75caaebfda4e56 ]

Adding an msm_gem_object object to the inactive_list before completing
its initialization is a bad idea because the shrinker may pick it up from the
inactive_list. Fix this by making sure that the initialization is complete
before moving the msm_obj object to the inactive list.

This patch fixes the below error:
[10027.553044] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000068
[10027.573305] Mem abort info:
[10027.590160]   ESR = 0x96000006
[10027.597905]   EC = 0x25: DABT (current EL), IL = 32 bits
[10027.614430]   SET = 0, FnV = 0
[10027.624427]   EA = 0, S1PTW = 0
[10027.632722] Data abort info:
[10027.638039]   ISV = 0, ISS = 0x00000006
[10027.647459]   CM = 0, WnR = 0
[10027.654345] user pgtable: 4k pages, 39-bit VAs, pgdp=00000001e3a6a000
[10027.672681] [0000000000000068] pgd=0000000198c31003, pud=0000000198c31003, pmd=0000000000000000
[10027.693900] Internal error: Oops: 96000006 [#1] PREEMPT SMP
[10027.738261] CPU: 3 PID: 214 Comm: kswapd0 Tainted: G S                5.4.40 #1
[10027.745766] Hardware name: Qualcomm Technologies, Inc. SC7180 IDP (DT)
[10027.752472] pstate: 80c00009 (Nzcv daif +PAN +UAO)
[10027.757409] pc : mutex_is_locked+0x14/0x2c
[10027.761626] lr : msm_gem_shrinker_count+0x70/0xec
[10027.766454] sp : ffffffc011323ad0
[10027.769867] x29: ffffffc011323ad0 x28: ffffffe677e4b878
[10027.775324] x27: 0000000000000cc0 x26: 0000000000000000
[10027.780783] x25: ffffff817114a708 x24: 0000000000000008
[10027.786242] x23: ffffff8023ab7170 x22: 0000000000000001
[10027.791701] x21: ffffff817114a080 x20: 0000000000000119
[10027.797160] x19: 0000000000000068 x18: 00000000000003bc
[10027.802621] x17: 0000000004a34210 x16: 00000000000000c0
[10027.808083] x15: 0000000000000000 x14: 0000000000000000
[10027.813542] x13: ffffffe677e0a3c0 x12: 0000000000000000
[10027.819000] x11: 0000000000000000 x10: ffffff8174b94340
[10027.824461] x9 : 0000000000000000 x8 : 0000000000000000
[10027.829919] x7 : 00000000000001fc x6 : ffffffc011323c88
[10027.835373] x5 : 0000000000000001 x4 : ffffffc011323d80
[10027.840832] x3 : ffffffff0477b348 x2 : 0000000000000000
[10027.846290] x1 : ffffffc011323b68 x0 : 0000000000000068
[10027.851748] Call trace:
[10027.854264]  mutex_is_locked+0x14/0x2c
[10027.858121]  msm_gem_shrinker_count+0x70/0xec
[10027.862603]  shrink_slab+0xc0/0x4b4
[10027.866187]  shrink_node+0x4a8/0x818
[10027.869860]  kswapd+0x624/0x890
[10027.873097]  kthread+0x11c/0x12c
[10027.876424]  ret_from_fork+0x10/0x18
[10027.880102] Code: f9000bf3 910003fd aa0003f3 d503201f (f9400268)
[10027.886362] ---[ end trace df5849a1a3543251 ]---
[10027.891518] Kernel panic - not syncing: Fatal exception

Signed-off-by: Akhil P Oommen <akhilpo@codeaurora.org>
Signed-off-by: Rob Clark <robdclark@chromium.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/msm/msm_gem.c | 36 ++++++++++++++++++++---------------
 1 file changed, 21 insertions(+), 15 deletions(-)

diff --git a/drivers/gpu/drm/msm/msm_gem.c b/drivers/gpu/drm/msm/msm_gem.c
index 5a6a79fbc9d6e..d92a0ffe2a767 100644
--- a/drivers/gpu/drm/msm/msm_gem.c
+++ b/drivers/gpu/drm/msm/msm_gem.c
@@ -977,10 +977,8 @@ int msm_gem_new_handle(struct drm_device *dev, struct drm_file *file,
 
 static int msm_gem_new_impl(struct drm_device *dev,
 		uint32_t size, uint32_t flags,
-		struct drm_gem_object **obj,
-		bool struct_mutex_locked)
+		struct drm_gem_object **obj)
 {
-	struct msm_drm_private *priv = dev->dev_private;
 	struct msm_gem_object *msm_obj;
 
 	switch (flags & MSM_BO_CACHE_MASK) {
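Review bot: msm_gem_new_impl() no longer registers the object on priv->inactive_list, but nothing at the function says so; a one-line comment above the definition stating that the caller must add msm_obj->mm_list to inactive_list once initialization is complete (as _msm_gem_new() and msm_gem_import() now do) would keep a future caller from omitting that step, which would leave the object invisible to the shrinker rather than crashing it.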
@@ -1006,15 +1004,6 @@ static int msm_gem_new_impl(struct drm_device *dev,
 	INIT_LIST_HEAD(&msm_obj->submit_entry);
 	INIT_LIST_HEAD(&msm_obj->vmas);
 
-	if (struct_mutex_locked) {
-		WARN_ON(!mutex_is_locked(&dev->struct_mutex));
-		list_add_tail(&msm_obj->mm_list, &priv->inactive_list);
-	} else {
-		mutex_lock(&dev->struct_mutex);
-		list_add_tail(&msm_obj->mm_list, &priv->inactive_list);
-		mutex_unlock(&dev->struct_mutex);
-	}
-
 	*obj = &msm_obj->base;
 
 	return 0;
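Review bot: mm_list is not initialized here alongside submit_entry and vmas, and with the list_add_tail removed from this function the object now exists for a while with mm_list unlinked; adding `INIT_LIST_HEAD(&msm_obj->mm_list);` next to the other two would make any list_del on an object that is freed before it was ever published a harmless no-op instead of a list_del on a never-linked entry.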
@@ -1024,6 +1013,7 @@ static struct drm_gem_object *_msm_gem_new(struct drm_device *dev,
 		uint32_t size, uint32_t flags, bool struct_mutex_locked)
 {
 	struct msm_drm_private *priv = dev->dev_private;
+	struct msm_gem_object *msm_obj;
 	struct drm_gem_object *obj = NULL;
 	bool use_vram = false;
 	int ret;
@@ -1044,14 +1034,15 @@ static struct drm_gem_object *_msm_gem_new(struct drm_device *dev,
 	if (size == 0)
 		return ERR_PTR(-EINVAL);
 
-	ret = msm_gem_new_impl(dev, size, flags, &obj, struct_mutex_locked);
+	ret = msm_gem_new_impl(dev, size, flags, &obj);
 	if (ret)
 		goto fail;
 
+	msm_obj = to_msm_bo(obj);
+
 	if (use_vram) {
 		struct msm_gem_vma *vma;
 		struct page **pages;
-		struct msm_gem_object *msm_obj = to_msm_bo(obj);
 
 		mutex_lock(&msm_obj->lock);
 
@@ -1086,6 +1077,15 @@ static struct drm_gem_object *_msm_gem_new(struct drm_device *dev,
 		mapping_set_gfp_mask(obj->filp->f_mapping, GFP_HIGHUSER);
 	}
 
+	if (struct_mutex_locked) {
+		WARN_ON(!mutex_is_locked(&dev->struct_mutex));
+		list_add_tail(&msm_obj->mm_list, &priv->inactive_list);
+	} else {
+		mutex_lock(&dev->struct_mutex);
+		list_add_tail(&msm_obj->mm_list, &priv->inactive_list);
+		mutex_unlock(&dev->struct_mutex);
+	}
+
 	return obj;
 
 fail:
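Review bot: this block is the old body of msm_gem_new_impl() copied verbatim, and msm_gem_import() gains a third copy of the mutex_lock/list_add_tail/mutex_unlock sequence; a small static helper taking (msm_obj, struct_mutex_locked) would keep the struct_mutex handling in one place. The ordering itself is right: the object becomes visible to msm_gem_shrinker_count() only after the shmem/vram setup above it, and nothing that can fail follows the list_add_tail before `return obj;`.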
@@ -1108,6 +1108,7 @@ struct drm_gem_object *msm_gem_new(struct drm_device *dev,
 struct drm_gem_object *msm_gem_import(struct drm_device *dev,
 		struct dma_buf *dmabuf, struct sg_table *sgt)
 {
+	struct msm_drm_private *priv = dev->dev_private;
 	struct msm_gem_object *msm_obj;
 	struct drm_gem_object *obj;
 	uint32_t size;
@@ -1121,7 +1122,7 @@ struct drm_gem_object *msm_gem_import(struct drm_device *dev,
 
 	size = PAGE_ALIGN(dmabuf->size);
 
-	ret = msm_gem_new_impl(dev, size, MSM_BO_WC, &obj, false);
+	ret = msm_gem_new_impl(dev, size, MSM_BO_WC, &obj);
 	if (ret)
 		goto fail;
 
@@ -1146,6 +1147,11 @@ struct drm_gem_object *msm_gem_import(struct drm_device *dev,
 	}
 
 	mutex_unlock(&msm_obj->lock);
+
+	mutex_lock(&dev->struct_mutex);
+	list_add_tail(&msm_obj->mm_list, &priv->inactive_list);
+	mutex_unlock(&dev->struct_mutex);
+
 	return obj;
 
 fail:
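Review bot: same window as in _msm_gem_new(): an error between msm_gem_new_impl() and this list_add_tail jumps to `fail:` with the object still unlinked from inactive_list, so the free path must tolerate that. Taking struct_mutex unconditionally here matches the previous `false` argument to msm_gem_new_impl(), so the locking contract for importers is unchanged.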
-- 
2.25.1
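A constructed C model of the ordering bug the commit message describes and of the corrected ordering the patch applies (added example, not driver code; struct names, list_add and shrinker_count are hypothetical stand-ins for the msm objects, inactive_list and msm_gem_shrinker_count()):

```c
#include <stdbool.h>
#include <stddef.h>
/* Constructed model, not msm driver code: an object is linked into the list
 * a shrinker walks before the field the shrinker reads is set up. 'dev'
 * stands in for the pointer the real shrinker dereferenced at a small
 * offset from NULL (the oops above faults at 0x68 inside mutex_is_locked). */
struct dev { int struct_mutex_locked; };
struct obj {
    struct obj *next;
    struct dev *dev;                  /* NULL until initialization completes */
    bool purgeable;
};
struct list { struct obj *head; };

static void list_add(struct list *l, struct obj *o) { o->next = l->head; l->head = o; }

/* Shrinker-side walk. The real one dereferences o->dev and faults on an
 * unfinished object; this model reports that case as -1 instead. */
static long shrinker_count(const struct list *l)
{
    long n = 0;
    for (const struct obj *o = l->head; o; o = o->next) {
        if (o->dev == NULL)
            return -1;
        if (o->dev->struct_mutex_locked && o->purgeable)
            n++;
    }
    return n;
}

/* Pre-fix ordering: publish first, finish initializing afterwards. The
 * shrinker is called at the point where kswapd could preempt, making the
 * race deterministic; the return value is what the shrinker saw. */
static long new_obj_buggy(struct list *l, struct obj *o, struct dev *d)
{
    *o = (struct obj){ 0 };
    list_add(l, o);                   /* visible to the shrinker too early */
    long seen = shrinker_count(l);    /* kswapd runs here */
    o->dev = d;
    o->purgeable = true;
    return seen;
}

/* Post-fix ordering: initialize fully, then publish as the last step. */
static long new_obj_fixed(struct list *l, struct obj *o, struct dev *d)
{
    *o = (struct obj){ 0 };
    o->dev = d;
    o->purgeable = true;
    long seen = shrinker_count(l);    /* kswapd cannot see o yet */
    list_add(l, o);                   /* publish only when complete */
    return seen;
}
```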

