public-mirrors/linux
1
0
Fork 0
mirror of git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git synced 2025-05-24 10:39:52 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
linux/drivers/gpu/drm
History
Chris Wilson ad88d7fc6c drm/i915/fbdev: Serialise early hotplug events with async fbdev config 
As both the hotplug event and fbdev configuration run asynchronously, it
is possible for them to run concurrently. If configuration fails, we were
freeing the fbdev causing a use-after-free in the hotplug event.

<7>[ 3069.935211] [drm:intel_fb_initial_config [i915]] Not using firmware configuration
<7>[ 3069.935225] [drm:drm_setup_crtcs] looking for cmdline mode on connector 77
<7>[ 3069.935229] [drm:drm_setup_crtcs] looking for preferred mode on connector 77 0
<7>[ 3069.935233] [drm:drm_setup_crtcs] found mode 3200x1800
<7>[ 3069.935236] [drm:drm_setup_crtcs] picking CRTCs for 8192x8192 config
<7>[ 3069.935253] [drm:drm_setup_crtcs] desired mode 3200x1800 set on crtc 43 (0,0)
<7>[ 3069.935323] [drm:intelfb_create [i915]] no BIOS fb, allocating a new one
<4>[ 3069.967737] general protection fault: 0000 [#1] PREEMPT SMP
<0>[ 3069.977453] ---------------------------------
<4>[ 3069.977457] Modules linked in: i915(+) vgem snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_codec_generic x86_pkg_temp_thermal intel_powerclamp coretemp crct10dif_pclmul crc32_pclmul ghash_clmulni_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm r8169 mei_me mii prime_numbers mei i2c_hid pinctrl_geminilake pinctrl_intel [last unloaded: i915]
<4>[ 3069.977492] CPU: 1 PID: 15414 Comm: kworker/1:0 Tainted: G     U          4.14.0-CI-CI_DRM_3388+ #1
<4>[ 3069.977497] Hardware name: Intel Corp. Geminilake/GLK RVP1 DDR4 (05), BIOS GELKRVPA.X64.0062.B30.1708222146 08/22/2017
<4>[ 3069.977508] Workqueue: events output_poll_execute
<4>[ 3069.977512] task: ffff880177734e40 task.stack: ffffc90001fe4000
<4>[ 3069.977519] RIP: 0010:__lock_acquire+0x109/0x1b60
<4>[ 3069.977523] RSP: 0018:ffffc90001fe7bb0 EFLAGS: 00010002
<4>[ 3069.977526] RAX: 6b6b6b6b6b6b6b6b RBX: 0000000000000282 RCX: 0000000000000000
<4>[ 3069.977530] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff880170d4efd0
<4>[ 3069.977534] RBP: ffffc90001fe7c70 R08: 0000000000000001 R09: 0000000000000000
<4>[ 3069.977538] R10: 0000000000000000 R11: ffffffff81899609 R12: ffff880170d4efd0
<4>[ 3069.977542] R13: ffff880177734e40 R14: 0000000000000001 R15: 0000000000000000
<4>[ 3069.977547] FS:  0000000000000000(0000) GS:ffff88017fc80000(0000) knlGS:0000000000000000
<4>[ 3069.977551] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
<4>[ 3069.977555] CR2: 00007f7e8b7bcf04 CR3: 0000000003e0f000 CR4: 00000000003406e0
<4>[ 3069.977559] Call Trace:
<4>[ 3069.977565]  ? mark_held_locks+0x64/0x90
<4>[ 3069.977571]  ? _raw_spin_unlock_irq+0x24/0x50
<4>[ 3069.977575]  ? _raw_spin_unlock_irq+0x24/0x50
<4>[ 3069.977579]  ? trace_hardirqs_on_caller+0xde/0x1c0
<4>[ 3069.977583]  ? _raw_spin_unlock_irq+0x2f/0x50
<4>[ 3069.977588]  ? finish_task_switch+0xa5/0x210
<4>[ 3069.977592]  ? lock_acquire+0xaf/0x200
<4>[ 3069.977596]  lock_acquire+0xaf/0x200
<4>[ 3069.977600]  ? __mutex_lock+0x5e9/0x9b0
<4>[ 3069.977604]  _raw_spin_lock+0x2a/0x40
<4>[ 3069.977608]  ? __mutex_lock+0x5e9/0x9b0
<4>[ 3069.977612]  __mutex_lock+0x5e9/0x9b0
<4>[ 3069.977616]  ? drm_fb_helper_hotplug_event.part.19+0x16/0xa0
<4>[ 3069.977621]  ? drm_fb_helper_hotplug_event.part.19+0x16/0xa0
<4>[ 3069.977625]  drm_fb_helper_hotplug_event.part.19+0x16/0xa0
<4>[ 3069.977630]  output_poll_execute+0x8d/0x180
<4>[ 3069.977635]  process_one_work+0x22e/0x660
<4>[ 3069.977640]  worker_thread+0x48/0x3a0
<4>[ 3069.977644]  ? _raw_spin_unlock_irqrestore+0x4c/0x60
<4>[ 3069.977649]  kthread+0x102/0x140
<4>[ 3069.977653]  ? process_one_work+0x660/0x660
<4>[ 3069.977657]  ? kthread_create_on_node+0x40/0x40
<4>[ 3069.977662]  ret_from_fork+0x27/0x40
<4>[ 3069.977666] Code: 8d 62 f8 c3 49 81 3c 24 e0 fa 3c 82 41 be 00 00 00 00 45 0f 45 f0 83 fe 01 77 86 89 f0 49 8b 44 c4 08 48 85 c0 0f 84 76 ff ff ff <f0> ff 80 38 01 00 00 8b 1d 62 f9 e8 01 45 8b 85 b8 08 00 00 85
<1>[ 3069.977707] RIP: __lock_acquire+0x109/0x1b60 RSP: ffffc90001fe7bb0
<4>[ 3069.977712] ---[ end trace 4ad012eb3af62df7 ]---

In order to keep the dev_priv->ifbdev alive after failure, we have to
avoid the free and leave it empty until we unload the module (which is
less than ideal, but a necessary evil for simplicity). Then we can use
intel_fbdev_sync() to serialise the hotplug event with the configuration.
The serialisation between the two was removed in commit 934458c2c9
("Revert "drm/i915: Fix races on fbdev""), but the use after free is much
older, commit 366e39b4d2 ("drm/i915: Tear down fbdev if initialization
fails")

Fixes: 366e39b4d2 ("drm/i915: Tear down fbdev if initialization fails")
Fixes: 934458c2c9 ("Revert "drm/i915: Fix races on fbdev"")
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Lukas Wunner <lukas@wunner.de>
Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
Cc: stable@vger.kernel.org
Reviewed-by: Lukas Wunner <lukas@wunner.de>
Link: https://patchwork.freedesktop.org/patch/msgid/20171125194155.355-1-chris@chris-wilson.co.uk
2017-11-26 12:44:59 +00:00
..
amd Merge branch 'linus-4.14-rc4-acp-prereq' of git://people.freedesktop.org/~agd5f/linux into drm-next 2017-11-14 05:53:39 +10:00
arc drm/arc: Use drm_gem_fb_create() 2017-09-02 14:23:06 +02:00
arm drm/arm/mali: Use drm_gem_fb_create() 2017-08-27 19:29:46 +02:00
armada drm/armada: Replace drm_framebuffer_reference/unreference() with _get/put() 2017-10-16 15:02:44 -04:00
ast drm: Pass struct drm_file * to __drm_mode_object_find [v2] 2017-10-12 10:03:04 +10:00
atmel-hlcdc drm/atmel-hlcdc: Use drm_gem_fb_create() 2017-08-27 19:30:15 +02:00
bochs drm: Pass struct drm_file * to __drm_mode_object_find [v2] 2017-10-12 10:03:04 +10:00
bridge drm/bridge: adv7511: Fix a use after free 2017-10-18 09:38:43 +05:30
cirrus drm: Pass struct drm_file * to __drm_mode_object_find [v2] 2017-10-12 10:03:04 +10:00
etnaviv drm/etnaviv: short-circuit perfmon ioctls 2017-10-22 18:41:56 +02:00
exynos - Improved HDMI and Mixer drivers 2017-11-14 14:12:43 +10:00
fsl-dcu drm/fsl-dcu: Use drm_gem_fb_create() 2017-10-01 17:00:20 +02:00
gma500 drm/gma500: use ARRAY_SIZE 2017-10-16 11:29:05 +02:00
hisilicon drm/hisilicon: Ensure LDI regs are properly configured. 2017-11-01 10:36:50 +08:00
i2c drm: i2c: tda998x: constify i2c_device_id 2017-08-22 08:33:44 +02:00
i810
i915 drm/i915/fbdev: Serialise early hotplug events with async fbdev config 2017-11-26 12:44:59 +00:00
imx Merge tag 'drm-misc-next-2017-09-20' of git://anongit.freedesktop.org/git/drm-misc into drm-next 2017-09-28 05:46:15 +10:00
lib mm: treewide: remove GFP_TEMPORARY allocation flag 2017-09-13 18:53:16 -07:00
mediatek drm/mediatek: hdmi: clean up drm_bridge_add call 2017-08-21 08:49:24 +05:30
meson drm/meson: Use drm_gem_fb_create() 2017-10-01 17:01:39 +02:00
mga Merge airlied/drm-next into drm-misc-next 2017-07-26 13:43:33 +02:00
mgag200 drm: Pass struct drm_file * to __drm_mode_object_find [v2] 2017-10-12 10:03:04 +10:00
msm Linux 4.14-rc7 2017-11-02 12:40:41 +10:00
mxsfb drm/mxsfb: Use drm_gem_fb_create() and drm_gem_fb_prepare_fb() 2017-10-01 17:02:20 +02:00
nouveau drm/nouveau/bios/timing: mark expected switch fall-throughs 2017-11-03 09:12:10 +10:00
omapdrm omapdrm: omapdss_hdmi_ops: add lost_hotplug op 2017-10-12 10:49:14 +03:00
panel drm/panel: simple: add Toshiba LT089AC19000 2017-10-19 11:48:44 +02:00
pl111 drm/pl111: Add handling of Versatile platforms 2017-09-10 23:58:42 +02:00
qxl qxl: alloc & use shadow for dumb buffers 2017-10-23 08:23:11 +02:00
r128
radeon Merge tag 'drm-amdkfd-next-2017-11-02' of git://people.freedesktop.org/~gabbayo/linux into drm-next 2017-11-03 05:12:24 +10:00
rcar-du drm/rcar-du: Use drm_gem_fb_create() 2017-10-01 17:02:53 +02:00
rockchip Driver Changes: 2017-11-14 05:29:34 +10:00
savage
selftests mm: treewide: remove GFP_TEMPORARY allocation flag 2017-09-13 18:53:16 -07:00
shmobile drm/shmobile: Use drm_gem_fb_create() 2017-10-01 17:03:22 +02:00
sis
sti drm/sti: Use drm_gem_fb_create() 2017-08-27 19:30:49 +02:00
stm drm/stm: ltdc: remove bridge from driver internal structure 2017-10-10 11:32:48 +02:00
sun4i drm/sun4i: Add support for A20 display pipeline components 2017-10-17 19:49:17 +02:00
tdfx
tegra drm/tegra: hdmi: Add cec-notifier support 2017-10-20 14:19:54 +02:00
tilcdc tilcdc changes for v4.15 2017-10-17 10:13:47 +10:00
tinydrm drm/tinydrm: Remove explicit .best_encoder assignment 2017-10-13 17:34:51 +02:00
ttm drm/ttm: Downgrade pr_err to pr_debug for memory allocation failures 2017-11-04 09:48:28 -04:00
tve200 drm/tve200: Use drm_gem_fb_create() and drm_gem_fb_prepare_fb() 2017-10-01 17:04:36 +02:00
udl Merge tag 'drm-misc-next-2017-10-20' of git://anongit.freedesktop.org/drm/drm-misc into drm-next 2017-10-24 16:51:05 +10:00
vc4 drm/vc4: Fix wrong printk format in vc4_bo_stats_debugfs() 2017-11-03 10:15:42 -07:00
vgem drm/vgem: switch to drm_*_get(), drm_*_put() helpers 2017-08-11 11:41:43 -04:00
via drm/via: use ARRAY_SIZE 2017-10-16 11:29:28 +02:00
virtio Merge airlied/drm-next into drm-misc-next 2017-10-03 11:09:16 +02:00
vmwgfx drm: Reorganize drm_pending_event to support future event types [v2] 2017-10-21 07:23:40 +10:00
zte drm/zte: Use drm_gem_fb_create() 2017-08-27 19:31:06 +02:00
ati_pcigart.c
drm_agpsupport.c drm/agpsupport: Remove extra blank line 2017-09-20 09:54:19 -07:00
drm_atomic.c drm: Reorganize drm_pending_event to support future event types [v2] 2017-10-21 07:23:40 +10:00
drm_atomic_helper.c Merge tag 'drm-misc-next-2017-10-20' of git://anongit.freedesktop.org/drm/drm-misc into drm-next 2017-10-24 16:51:05 +10:00
drm_auth.c drm: Check mode object lease status in all master ioctl paths [v4] 2017-10-25 16:31:30 +10:00
drm_blend.c mm: treewide: remove GFP_TEMPORARY allocation flag 2017-09-13 18:53:16 -07:00
drm_bridge.c drm/bridge: change return type of drm_bridge_add function 2017-08-21 08:51:53 +05:30
drm_bufs.c
drm_cache.c
drm_color_mgmt.c drm: Pass struct drm_file * to __drm_mode_object_find [v2] 2017-10-12 10:03:04 +10:00
drm_connector.c drm: Pass struct drm_file * to __drm_mode_object_find [v2] 2017-10-12 10:03:04 +10:00
drm_context.c
drm_crtc.c drm: Pass struct drm_file * to __drm_mode_object_find [v2] 2017-10-12 10:03:04 +10:00
drm_crtc_helper.c drm: Replace kzalloc with kcalloc 2017-10-13 15:49:03 -04:00
drm_crtc_helper_internal.h
drm_crtc_internal.h drm: Pass struct drm_file * to __drm_mode_object_find [v2] 2017-10-12 10:03:04 +10:00
drm_debugfs.c
drm_debugfs_crc.c drm/atomic: Prepare drm_modeset_lock infrastructure for interruptible waiting, v2. 2017-09-13 09:50:52 +02:00
drm_dma.c
drm_dp_aux_dev.c
drm_dp_dual_mode_helper.c drm: Add retries for lspcon mode detection 2017-10-13 12:13:54 +03:00
drm_dp_helper.c drm/dp: WARN about invalid/unknown link rates and bw codes 2017-10-11 18:41:44 +03:00
drm_dp_mst_topology.c drm/dp/mst: Sideband message transaction to power up/down nodes 2017-09-11 16:03:57 +03:00
drm_drv.c drm: Add new LEASE debug level 2017-10-25 16:31:29 +10:00
drm_dumb_buffers.c drm/dumb-buffers: Add defaults for .dumb_map_offset and .dumb_destroy 2017-07-29 13:51:44 +02:00
drm_edid.c drm: handle override and firmware EDID at drm_do_get_edid() level 2017-09-19 17:49:25 +03:00
drm_edid_load.c drm: add backwards compatibility support for drm_kms_helper.edid_firmware 2017-09-19 18:11:45 +03:00
drm_encoder.c drm: Check mode object lease status in all master ioctl paths [v4] 2017-10-25 16:31:30 +10:00
drm_encoder_slave.c
drm_fb_cma_helper.c drm/fb-cma-helper: Remove unused functions 2017-10-01 17:05:39 +02:00
drm_fb_helper.c drm: Replace kzalloc with kcalloc 2017-10-13 15:49:03 -04:00
drm_file.c drm: Document device unplug infrastructure 2017-08-11 10:48:03 +02:00
drm_flip_work.c
drm_fourcc.c
drm_framebuffer.c drm/mode_object: fix documentation for object lookups. 2017-11-10 13:50:47 +10:00
drm_gem.c drm: fix typo in drm_gem_get_pages() comment 2017-10-04 18:04:28 +02:00
drm_gem_cma_helper.c drm/gem-cma-helper: Change the level of the allocation failure message 2017-10-16 15:19:57 +02:00
drm_gem_framebuffer_helper.c drm/gem-fb-helper: Improve documentation 2017-10-08 15:02:51 +02:00
drm_global.c
drm_hashtab.c
drm_info.c
drm_internal.h drm: Add CRTC_GET_SEQUENCE and CRTC_QUEUE_SEQUENCE ioctls [v3] 2017-10-23 11:15:03 +10:00
drm_ioc32.c Merge airlied/drm-next into drm-misc-next 2017-07-26 13:43:33 +02:00
drm_ioctl.c drm: Add four ioctls for managing drm mode object leases [v7] 2017-10-25 16:31:30 +10:00
drm_irq.c
drm_kms_helper_common.c drm: add backwards compatibility support for drm_kms_helper.edid_firmware 2017-09-19 18:11:45 +03:00
drm_lease.c drm: Add four ioctls for managing drm mode object leases [v7] 2017-10-25 16:31:30 +10:00
drm_legacy.h
drm_lock.c
drm_memory.c
drm_mipi_dsi.c drm: Convert to using %pOF instead of full_name 2017-07-26 13:45:06 +02:00
drm_mm.c lib/interval_tree: fast overlap detection 2017-09-08 18:26:49 -07:00
drm_mode_config.c drm: Check mode object lease status in all master ioctl paths [v4] 2017-10-25 16:31:30 +10:00
drm_mode_object.c drm/mode_object: fix documentation for object lookups. 2017-11-10 13:50:47 +10:00
drm_modes.c drm/modes: Fix drm_mode_is_420_only() comment 2017-07-31 14:23:30 +02:00
drm_modeset_helper.c drm: Plumb modifiers through plane init 2017-08-01 17:50:06 +01:00
drm_modeset_lock.c drm: Require __GFP_NOFAIL for the legacy drm_modeset_lock_all 2017-10-31 17:36:46 +01:00
drm_of.c drm/drm_of: Move drm_of_panel_bridge_remove_function into header. 2017-10-13 16:59:36 +02:00
drm_panel.c
drm_pci.c drm/core: clean up references to drm_dev_unref() 2017-09-27 10:53:12 +02:00
drm_plane.c drm: Check mode object lease status in all master ioctl paths [v4] 2017-10-25 16:31:30 +10:00
drm_plane_helper.c drm: Replace kzalloc with kcalloc 2017-10-13 15:49:03 -04:00
drm_prime.c drm/core: clean up references to drm_dev_unref() 2017-09-27 10:53:12 +02:00
drm_print.c
drm_probe_helper.c drm: Pass struct drm_file * to __drm_mode_object_find [v2] 2017-10-12 10:03:04 +10:00
drm_property.c drm: Pass struct drm_file * to __drm_mode_object_find [v2] 2017-10-12 10:03:04 +10:00
drm_rect.c
drm_scatter.c
drm_scdc_helper.c Merge tag 'drm-misc-next-2017-09-20' of git://anongit.freedesktop.org/git/drm-misc into drm-next 2017-09-28 05:46:15 +10:00
drm_simple_kms_helper.c drm: Plumb modifiers through plane init 2017-08-01 17:50:06 +01:00
drm_syncobj.c Merge tag 'drm-misc-next-2017-10-16' of git://anongit.freedesktop.org/drm/drm-misc into drm-next 2017-10-17 10:10:17 +10:00
drm_sysfs.c
drm_trace.h drm: Use correct path to trace include 2017-09-05 11:11:18 +02:00
drm_trace_points.c
drm_vblank.c drm/vblank: Tune drm_crtc_accurate_vblank_count() WARN down to a debug 2017-11-07 21:07:02 +02:00
drm_vm.c Merge branch 'x86-mm-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2017-09-04 12:21:28 -07:00
drm_vma_manager.c lib/interval_tree: fast overlap detection 2017-09-08 18:26:49 -07:00
Kconfig Merge branch 'drm-next-4.15' of git://people.freedesktop.org/~agd5f/linux into drm-next 2017-09-28 08:37:02 +10:00
Makefile drm: Add drm_object lease infrastructure [v5] 2017-10-25 16:31:29 +10:00