alistair23-linux/drivers
Noralf Trønnes 4d4c2d8991 drm/cma-helper: Fix crash in fbdev error path
Sergey Suloev reported a crash happening in drm_client_dev_hotplug()
when fbdev had failed to register.

[    9.124598] vc4_hdmi 3f902000.hdmi: ASoC: Failed to create component debugfs directory
[    9.147667] vc4_hdmi 3f902000.hdmi: vc4-hdmi-hifi <-> 3f902000.hdmi mapping ok
[    9.155184] vc4_hdmi 3f902000.hdmi: ASoC: no DMI vendor name!
[    9.166544] vc4-drm soc:gpu: bound 3f902000.hdmi (ops vc4_hdmi_ops [vc4])
[    9.173840] vc4-drm soc:gpu: bound 3f806000.vec (ops vc4_vec_ops [vc4])
[    9.181029] vc4-drm soc:gpu: bound 3f004000.txp (ops vc4_txp_ops [vc4])
[    9.188519] vc4-drm soc:gpu: bound 3f400000.hvs (ops vc4_hvs_ops [vc4])
[    9.195690] vc4-drm soc:gpu: bound 3f206000.pixelvalve (ops vc4_crtc_ops [vc4])
[    9.203523] vc4-drm soc:gpu: bound 3f207000.pixelvalve (ops vc4_crtc_ops [vc4])
[    9.215032] vc4-drm soc:gpu: bound 3f807000.pixelvalve (ops vc4_crtc_ops [vc4])
[    9.274785] vc4-drm soc:gpu: bound 3fc00000.v3d (ops vc4_v3d_ops [vc4])
[    9.290246] [drm] Initialized vc4 0.0.0 20140616 for soc:gpu on minor 0
[    9.297464] [drm] Supports vblank timestamp caching Rev 2 (21.10.2013).
[    9.304600] [drm] Driver supports precise vblank timestamp query.
[    9.382856] vc4-drm soc:gpu: [drm:drm_fb_helper_fbdev_setup [drm_kms_helper]] *ERROR* Failed to set fbdev configuration
[   10.404937] Unable to handle kernel paging request at virtual address 00330a656369768a
[   10.441620] [00330a656369768a] address between user and kernel address ranges
[   10.449087] Internal error: Oops: 96000004 [#1] PREEMPT SMP
[   10.454762] Modules linked in: brcmfmac vc4 drm_kms_helper cfg80211 drm rfkill smsc95xx brcmutil usbnet drm_panel_orientation_quirks raspberrypi_hwmon bcm2835_dma crc32_ce pwm_bcm2835 bcm2835_rng virt_dma rng_core i2c_bcm2835 ip_tables x_tables ipv6
[   10.477296] CPU: 2 PID: 45 Comm: kworker/2:1 Not tainted 4.19.0-rc5 #3
[   10.483934] Hardware name: Raspberry Pi 3 Model B Rev 1.2 (DT)
[   10.489966] Workqueue: events output_poll_execute [drm_kms_helper]
[   10.596515] Process kworker/2:1 (pid: 45, stack limit = 0x000000007e8924dc)
[   10.603590] Call trace:
[   10.606259]  drm_client_dev_hotplug+0x5c/0xb0 [drm]
[   10.611303]  drm_kms_helper_hotplug_event+0x30/0x40 [drm_kms_helper]
[   10.617849]  output_poll_execute+0xc4/0x1e0 [drm_kms_helper]
[   10.623616]  process_one_work+0x1c8/0x318
[   10.627695]  worker_thread+0x48/0x428
[   10.631420]  kthread+0xf8/0x128
[   10.634615]  ret_from_fork+0x10/0x18
[   10.638255] Code: 54000220 f9401261 aa1303e0 b4000141 (f9400c21)
[   10.644456] ---[ end trace c75b4a4b0e141908 ]---

The reason for this is that drm_fbdev_cma_init() removes the drm_client
when fbdev registration fails, but it doesn't remove the client from the
drm_device client list. So the client list now has a pointer that points
into the unknown and we have a 'use after free' situation.

Split drm_client_new() into drm_client_init() and drm_client_add() to fix
removal in the error path.

Fixes: 894a677f4b ("drm/cma-helper: Use the generic fbdev emulation")
Reported-by: Sergey Suloev <ssuloev@orpaltech.com>
Cc: Stefan Wahren <stefan.wahren@i2se.com>
Cc: Eric Anholt <eric@anholt.net>
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Noralf Trønnes <noralf@tronnes.org>
Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: https://patchwork.freedesktop.org/patch/msgid/20181001194536.57756-1-noralf@tronnes.org
2018-10-02 13:03:34 +02:00
accessibility
acpi Merge branch 'acpi-bus' 2018-09-07 10:05:20 +02:00
amba
android android: binder: fix the race mmap and alloc_new_buf_locked 2018-09-12 09:18:29 +02:00
ata for-linus-20180920 2018-09-21 09:41:05 +02:00
atm
auxdisplay Char/Misc driver patches for 4.19-rc1 2018-08-18 11:04:51 -07:00
base firmware: Fix security issue with request_firmware_into_buf() 2018-09-12 09:31:00 +02:00
bcma
block for-linus-20180929 2018-09-29 14:52:14 -07:00
bluetooth Bluetooth: hci_ldisc: Free rw_semaphore on close 2018-09-11 13:33:57 +02:00
bus Merge branch 'perm-fix' into omap-for-v4.19/fixes-v2 2018-08-28 09:58:03 -07:00
cdrom cdrom: Fix info leak/OOB read in cdrom_ioctl_drive_status 2018-08-29 08:09:20 -06:00
char A few fixes that came around or after the merge window, except 2018-09-12 19:33:56 -10:00
clk clk: x86: Stop marking clocks as CLK_IS_CRITICAL 2018-09-17 18:47:58 -07:00
clocksource clocksource/drivers/timer-atmel-pit: Properly handle error cases 2018-09-27 12:01:45 +02:00
connector
cpufreq cpufreq: qcom-kryo: Fix section annotations 2018-09-29 15:01:10 +02:00
cpuidle cpuidle: menu: Retain tick when shallow state is selected 2018-08-25 13:16:08 +02:00
crypto crypto: ccp - add timeout support in the SEV command 2018-09-13 13:27:43 +08:00
dax device-dax: Add missing address_space_operations 2018-09-22 09:07:33 -07:00
dca
devfreq Char/Misc driver patches for 4.19-rc1 2018-08-18 11:04:51 -07:00
dio
dma dmaengine: mic_x100_dma: use devm_kzalloc to fix an issue 2018-08-27 11:16:04 +05:30
dma-buf
edac EDAC: Add missing MEM_LRDDR4 entry in edac_mem_types[] 2018-08-17 15:13:34 +02:00
eisa
extcon
firewire firewire: use 64-bit time_t based interfaces 2018-08-17 16:20:27 -07:00
firmware efi/libstub/arm: default EFI_ARMSTUB_DTB_LOADER to y 2018-09-12 16:41:41 +02:00
fmc
fpga fpga: dfl: fme: fix return value check in in pr_mgmt_init() 2018-09-12 09:31:00 +02:00
fsi fsi: sbefifo: Bump max command length 2018-08-08 15:44:47 +10:00
gnss
gpio gpio: Fix crash due to registration race 2018-08-31 11:30:45 +02:00
gpu drm/cma-helper: Fix crash in fbdev error path 2018-10-02 13:03:34 +02:00
hid HID: i2c-hid: Don't reset device upon system resume 2018-09-06 16:30:53 +02:00
hsi
hv vmbus: don't return values for uninitalized channels 2018-09-12 09:31:00 +02:00
hwmon Various bug fixes for nct6775 driver 2018-09-19 22:59:30 +02:00
hwspinlock hwspinlock: Fix incorrect return pointers 2018-07-30 20:54:51 -07:00
hwtracing intel_th: pci: Add Ice Lake PCH support 2018-09-18 16:08:38 +02:00
i2c i2c: xiic: Make the start and the byte count write atomic 2018-09-06 20:49:09 +02:00
ide Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/ide 2018-08-22 07:40:33 -07:00
idle
iio First set of IIO fixes for the 4.19 cycle. 2018-09-09 09:33:29 +02:00
infiniband Second rc pull request 2018-09-27 21:53:55 +02:00
input Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input 2018-09-28 18:04:50 -07:00
iommu iommu/amd: Return devid as alias for ACPI HID devices 2018-09-26 09:41:11 +02:00
ipack
irqchip irqchip/gic-v3-its: Cap lpi_id_bits to reduce memory footprint 2018-09-06 20:31:59 +02:00
isdn isdn: Disable IIOCDBGVAR 2018-08-16 12:26:24 -07:00
leds leds: ns2: Change unsigned to unsigned int 2018-08-06 23:03:12 +02:00
lightnvm
macintosh macintosh: therm_windtunnel: drop using attach_adapter 2018-08-24 14:42:42 +02:00
mailbox mailbox: Add support for i.MX messaging unit 2018-08-15 09:53:07 +05:30
mcb
md for-linus-20180929 2018-09-29 14:52:14 -07:00
media media: platform: fix cros-ec-cec build error 2018-09-17 14:32:29 -04:00
memory memory: ti-aemif: fix a potential NULL-pointer dereference 2018-09-06 10:04:07 -07:00
memstick
message scsi: message: fusion: Replace GFP_ATOMIC with GFP_KERNEL 2018-07-30 23:17:53 -04:00
mfd mfd: omap-usb-host: Fix dts probe of children 2018-09-11 16:47:33 +01:00
misc misc: hmc6352: fix potential Spectre v1 2018-09-12 09:31:00 +02:00
mmc mmc: meson-mx-sdio: fix OF child-node lookup 2018-09-05 08:28:45 +02:00
mtd mtd: devices: m25p80: Make sure the buffer passed in op is DMA-able 2018-09-18 10:17:48 +02:00
mux mux: adgs1408: new driver for Analog Devices ADGS1408/1409 mux 2018-08-02 10:23:02 +02:00
net Second rc pull request 2018-09-27 21:53:55 +02:00
nfc
ntb
nubus
nvdimm libnvdimm-for-4.19_dax-memory-failure 2018-08-25 18:43:59 -07:00
nvme nvme: properly propagate errors in nvme_mpath_init 2018-09-25 16:21:40 -07:00
nvmem
of Devicetree fixes for 4.19, part 2: 2018-09-14 13:03:17 -10:00
opp
oprofile
parisc
parport Char/Misc driver patches for 4.19-rc1 2018-08-18 11:04:51 -07:00
pci pci-v4.19-fixes-2 2018-09-28 18:20:41 +02:00
pcmcia pcmcia: remove long deprecated pcmcia_request_exclusive_irq() function 2018-08-18 12:30:42 -07:00
perf Char/Misc driver patches for 4.19-rc1 2018-08-18 11:04:51 -07:00
phy Merge 4.18-rc7 into usb-next 2018-07-30 10:04:58 +02:00
pinctrl Revert "pinctrl: intel: Do pin translation when lock IRQ" 2018-09-25 12:50:00 +02:00
platform platform/x86: alienware-wmi: Correct a memory leak 2018-09-10 13:45:43 -07:00
pnp
power treewide: convert ISO_8859-1 text comments to utf-8 2018-08-23 18:48:43 -07:00
powercap
pps
ps3
ptp Char/Misc driver patches for 4.19-rc1 2018-08-18 11:04:51 -07:00
pwm pwm: mediatek: Add MT7628 support 2018-08-20 11:36:07 +02:00
rapidio drivers/rapidio/devices/rio_mport_cdev.c: remove redundant pointer md 2018-08-22 10:52:51 -07:00
ras
regulator regulator: fix crash caused by null driver data 2018-09-20 09:04:51 -07:00
remoteproc remoteproc/davinci: use the reset framework 2018-08-16 17:39:55 -07:00
reset ARM: SoC: late updates 2018-08-25 14:12:36 -07:00
rpmsg rpmsg: Add compat ioctl for rpmsg char driver 2018-07-30 23:40:23 -07:00
rtc RTC for 4.19 2018-08-20 16:30:27 -07:00
s390 s390 fixes for 4.19-rc4 2018-09-13 16:22:24 -10:00
sbus
scsi scsi: sd: don't crash the host on invalid commands 2018-09-21 12:42:57 -04:00
sfi
sh sh: introduce a sh_cacheop_vaddr helper 2018-08-02 13:54:06 +02:00
siox
slimbus
sn
soc ARM: Device-tree updates 2018-08-23 14:02:22 -07:00
soundwire soundwire: Fix acquiring bus lock twice during master release 2018-08-27 09:49:48 +05:30
spi spi: Fixes for v4.19 2018-09-28 18:04:06 -07:00
spmi
ssb ssb: Remove SSB_WARN_ON, SSB_BUG_ON and SSB_DEBUG 2018-08-09 18:47:47 +03:00
staging media fixes for v4.19-rc5 2018-09-24 15:16:41 +02:00
target scsi: target: iscsi: Use bin2hex instead of a re-implementation 2018-09-21 12:32:30 -04:00
tc
tee ARM: SoC driver updates 2018-08-23 13:52:46 -07:00
thermal Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/evalenti/linux-soc-thermal 2018-08-28 16:11:34 -07:00
thunderbolt
tty serial: imx: restore handshaking irq for imx1 2018-09-20 14:51:31 +02:00
uio Char/Misc fix for 4.19-rc1 2018-08-19 09:30:44 -07:00
usb usb: typec: mux: Take care of driver module reference counting 2018-09-20 13:35:01 +02:00
uwb
vfio powerpc updates for 4.19 2018-08-17 11:32:50 -07:00
vhost Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-08-27 11:59:39 -07:00
video fbdev changes for v4.19: 2018-08-23 15:44:58 -07:00
virt
virtio virtio, vhost: fixes, tweaks 2018-08-24 08:45:19 -07:00
visorbus
vlynq
vme
w1 power supply and reset changes for the v4.19 series 2018-08-21 18:06:27 -07:00
watchdog include/linux/compiler*.h: make compiler-*.h mutually exclusive 2018-08-22 17:31:34 -07:00
xen xen: issue warning message when out of grant maptrack entries 2018-09-19 11:27:42 -04:00
zorro
Kconfig
Makefile Char/Misc driver patches for 4.19-rc1 2018-08-18 11:04:51 -07:00