redonkable/alistair23-linux
redonkable/alistair23-linux
1
0
Fork 0
Code Releases Activity
alistair23-linux/drivers/gpu/drm
History
Noralf Trønnes 4d4c2d8991 drm/cma-helper: Fix crash in fbdev error path 
Sergey Suloev reported a crash happening in drm_client_dev_hotplug()
when fbdev had failed to register.

[    9.124598] vc4_hdmi 3f902000.hdmi: ASoC: Failed to create component debugfs directory
[    9.147667] vc4_hdmi 3f902000.hdmi: vc4-hdmi-hifi <-> 3f902000.hdmi mapping ok
[    9.155184] vc4_hdmi 3f902000.hdmi: ASoC: no DMI vendor name!
[    9.166544] vc4-drm soc:gpu: bound 3f902000.hdmi (ops vc4_hdmi_ops [vc4])
[    9.173840] vc4-drm soc:gpu: bound 3f806000.vec (ops vc4_vec_ops [vc4])
[    9.181029] vc4-drm soc:gpu: bound 3f004000.txp (ops vc4_txp_ops [vc4])
[    9.188519] vc4-drm soc:gpu: bound 3f400000.hvs (ops vc4_hvs_ops [vc4])
[    9.195690] vc4-drm soc:gpu: bound 3f206000.pixelvalve (ops vc4_crtc_ops [vc4])
[    9.203523] vc4-drm soc:gpu: bound 3f207000.pixelvalve (ops vc4_crtc_ops [vc4])
[    9.215032] vc4-drm soc:gpu: bound 3f807000.pixelvalve (ops vc4_crtc_ops [vc4])
[    9.274785] vc4-drm soc:gpu: bound 3fc00000.v3d (ops vc4_v3d_ops [vc4])
[    9.290246] [drm] Initialized vc4 0.0.0 20140616 for soc:gpu on minor 0
[    9.297464] [drm] Supports vblank timestamp caching Rev 2 (21.10.2013).
[    9.304600] [drm] Driver supports precise vblank timestamp query.
[    9.382856] vc4-drm soc:gpu: [drm:drm_fb_helper_fbdev_setup [drm_kms_helper]] *ERROR* Failed to set fbdev configuration
[   10.404937] Unable to handle kernel paging request at virtual address 00330a656369768a
[   10.441620] [00330a656369768a] address between user and kernel address ranges
[   10.449087] Internal error: Oops: 96000004 [#1] PREEMPT SMP
[   10.454762] Modules linked in: brcmfmac vc4 drm_kms_helper cfg80211 drm rfkill smsc95xx brcmutil usbnet drm_panel_orientation_quirks raspberrypi_hwmon bcm2835_dma crc32_ce pwm_bcm2835 bcm2835_rng virt_dma rng_core i2c_bcm2835 ip_tables x_tables ipv6
[   10.477296] CPU: 2 PID: 45 Comm: kworker/2:1 Not tainted 4.19.0-rc5 #3
[   10.483934] Hardware name: Raspberry Pi 3 Model B Rev 1.2 (DT)
[   10.489966] Workqueue: events output_poll_execute [drm_kms_helper]
[   10.596515] Process kworker/2:1 (pid: 45, stack limit = 0x000000007e8924dc)
[   10.603590] Call trace:
[   10.606259]  drm_client_dev_hotplug+0x5c/0xb0 [drm]
[   10.611303]  drm_kms_helper_hotplug_event+0x30/0x40 [drm_kms_helper]
[   10.617849]  output_poll_execute+0xc4/0x1e0 [drm_kms_helper]
[   10.623616]  process_one_work+0x1c8/0x318
[   10.627695]  worker_thread+0x48/0x428
[   10.631420]  kthread+0xf8/0x128
[   10.634615]  ret_from_fork+0x10/0x18
[   10.638255] Code: 54000220 f9401261 aa1303e0 b4000141 (f9400c21)
[   10.644456] ---[ end trace c75b4a4b0e141908 ]---

The reason for this is that drm_fbdev_cma_init() removes the drm_client
when fbdev registration fails, but it doesn't remove the client from the
drm_device client list. So the client list now has a pointer that points
into the unknown and we have a 'use after free' situation.

Split drm_client_new() into drm_client_init() and drm_client_add() to fix
removal in the error path.

Fixes: 894a677f4b ("drm/cma-helper: Use the generic fbdev emulation")
Reported-by: Sergey Suloev <ssuloev@orpaltech.com>
Cc: Stefan Wahren <stefan.wahren@i2se.com>
Cc: Eric Anholt <eric@anholt.net>
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Noralf Trønnes <noralf@tronnes.org>
Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: https://patchwork.freedesktop.org/patch/msgid/20181001194536.57756-1-noralf@tronnes.org
2018-10-02 13:03:34 +02:00
..
amd drm/amd/display: Fix Edid emulation for linux 2018-09-27 10:05:21 -05:00
arc drm: drop _mode_ from drm_mode_connector_attach_encoder 2018-07-13 18:40:27 +02:00
arm drm/malidp: Fix writeback in NV12 2018-09-21 10:55:00 +01:00
armada drm/armada: remove obsolete fb unreferencing kfifo and workqueue 2018-07-30 11:53:06 +01:00
ast drm: drop _mode_ from drm_mode_connector_attach_encoder 2018-07-13 18:40:27 +02:00
atmel-hlcdc
bochs drm: drop _mode_ from drm_mode_connector_attach_encoder 2018-07-13 18:40:27 +02:00
bridge drm pull for 4.19-rc1 2018-08-15 17:39:07 -07:00
cirrus drm: drop _mode_ from drm_mode_connector_attach_encoder 2018-07-13 18:40:27 +02:00
etnaviv drm/etnaviv: add DMA configuration for etnaviv platform device 2018-09-14 18:46:10 +02:00
exynos drm/exynos/mixer: Remove unused local variable priv 2018-07-24 16:28:53 +09:00
fsl-dcu drm: drop _mode_ from drm_mode_connector_attach_encoder 2018-07-13 18:40:27 +02:00
gma500 drivers/gpu/drm/gma500/: change return type to vm_fault_t 2018-08-23 18:48:43 -07:00
hisilicon drm: drop _mode_ from drm_mode_connector_attach_encoder 2018-07-13 18:40:27 +02:00
i2c VLA leftovers pull summary: 2018-08-17 10:40:09 -07:00
i810
i915 Merge tag 'gvt-fixes-2018-09-18' of https://github.com/intel/gvt-linux into drm-intel-fixes 2018-09-18 08:09:44 -07:00
imx drm/imx: use suspend/resume helpers, add ipu-v3 V4L2 XRGB32/XBGR32 support 2018-08-10 11:13:36 +10:00
lib
mediatek drm/mediatek: fix connection from RDMA2 to DSI1 2018-08-27 11:24:37 +08:00
meson drm/meson: Make DMT timings parameters and pixel clock generic 2018-07-16 11:14:59 +02:00
mga
mgag200 drm: drop _mode_ from drm_mode_connector_attach_encoder 2018-07-13 18:40:27 +02:00
msm drm/msm: a6xx: fix spelling mistake: "initalization" -> "initialization" 2018-08-10 18:49:18 -04:00
mxsfb
nouveau drm/nouveau/devinit: fix warning when PMU/PRE_OS is missing 2018-09-13 10:56:58 +10:00
omapdrm drm: drop _mode_ from drm_mode_connector_attach_encoder 2018-07-13 18:40:27 +02:00
panel drm/panel: simple: tv123wam: Add unprepare delay 2018-08-14 13:42:37 -04:00
pl111 drm/pl111: Make sure of_device_id tables are NULL terminated 2018-09-10 16:01:22 -04:00
qxl drm: drop _mode_ from drm_mode_connector_attach_encoder 2018-07-13 18:40:27 +02:00
r128
radeon mm, oom: distinguish blockable mode for mmu notifiers 2018-08-22 10:52:44 -07:00
rcar-du drm: drop _mode_ from drm_mode_connector_attach_encoder 2018-07-13 18:40:27 +02:00
rockchip drm/rockchip: Substitute is_yuv_support() with format->is_yuv 2018-07-18 16:59:27 +01:00
savage
scheduler drm/scheduler: fix param documentation 2018-08-09 11:57:39 -05:00
selftests
shmobile drm: drop _mode_ from drm_mode_connector_attach_encoder 2018-07-13 18:40:27 +02:00
sis
sti drm: drop _mode_ from drm_mode_connector_attach_encoder 2018-07-13 18:40:27 +02:00
stm drm/stm: Replace drm_dev_unref with drm_dev_put 2018-07-13 10:11:02 +02:00
sun4i drm: sun4i: drop second PLL from A64 HDMI PHY 2018-09-19 09:58:40 +02:00
tdfx
tegra drm pull for 4.19-rc1 2018-08-15 17:39:07 -07:00
tilcdc drm-misc-next for 4.19: 2018-07-20 10:46:49 +10:00
tinydrm drm/tinydrm: add backlight dependency for ili9341 2018-07-12 12:10:07 -05:00
ttm drm/ttm: clean up non-x86 definitions on ttm_tt 2018-08-01 17:23:56 -05:00
tve200
udl drm: udl: Destroy framebuffer only if it was initialized 2018-09-10 16:02:51 -04:00
v3d drm/scheduler: modify API to avoid redundancy 2018-07-25 15:06:19 -05:00
vc4 drm/vc4: Fix the "no scaling" case on multi-planar YUV formats 2018-09-10 16:01:22 -04:00
vgem
via
virtio drm: drop _mode_ from drm_mode_connector_attach_encoder 2018-07-13 18:40:27 +02:00
vkms drm/vkms: Fix connector leak at the module removal 2018-07-28 16:09:39 -03:00
vmwgfx drm/vmwgfx: Fix buffer object eviction 2018-09-20 08:05:14 +02:00
xen
zte drm: drop _mode_ from drm_mode_connector_attach_encoder 2018-07-13 18:40:27 +02:00
ati_pcigart.c
drm_agpsupport.c
drm_atomic.c drm/atomic: Use drm_drv_uses_atomic_modeset() for debugfs creation 2018-09-17 19:24:37 -04:00
drm_atomic_helper.c drm pull for 4.19-rc1 2018-08-15 17:39:07 -07:00
drm_auth.c
drm_blend.c
drm_bridge.c
drm_bufs.c
drm_cache.c
drm_client.c drm/cma-helper: Fix crash in fbdev error path 2018-10-02 13:03:34 +02:00
drm_color_mgmt.c
drm_connector.c drm/connector: Fix typo in drm_connector_list_iter_next() 2018-07-16 13:18:09 -04:00
drm_context.c drm: re-enable error handling 2018-07-16 10:01:19 -04:00
drm_crtc.c drm: Skip __drm_mode_set_config_internal() on atomic drivers 2018-07-13 17:58:19 +03:00
drm_crtc_helper.c
drm_crtc_helper_internal.h
drm_crtc_internal.h drm: drop _mode_ from remaining connector functions 2018-07-13 18:40:27 +02:00
drm_debugfs.c drm/atomic: Use drm_drv_uses_atomic_modeset() for debugfs creation 2018-09-17 19:24:37 -04:00
drm_debugfs_crc.c drm/crc: Only report a single overflow when a CRC fd is opened 2018-07-06 14:57:03 +02:00
drm_dma.c
drm_dp_aux_dev.c
drm_dp_cec.c drm_dp_cec.c: fix formatting typo: %pdH -> %phD 2018-07-28 15:50:40 -03:00
drm_dp_dual_mode_helper.c
drm_dp_helper.c drm/dp_helper: Add DP aux channel tracing 2018-07-16 11:47:53 -04:00
drm_dp_mst_topology.c drm: drop _mode_ from remaining connector functions 2018-07-13 18:40:27 +02:00
drm_drv.c drm/dp_helper: Add DP aux channel tracing 2018-07-16 11:47:53 -04:00
drm_dumb_buffers.c
drm_edid.c drm/edid: Add 6 bpc quirk for SDC panel in Lenovo B50-80 2018-08-23 10:25:39 +02:00
drm_edid_load.c
drm_encoder.c
drm_encoder_slave.c
drm_fb_cma_helper.c drm/cma-helper: Fix crash in fbdev error path 2018-10-02 13:03:34 +02:00
drm_fb_helper.c drm/cma-helper: Fix crash in fbdev error path 2018-10-02 13:03:34 +02:00
drm_file.c drm: Begin an API for in-kernel clients 2018-07-10 14:51:37 +02:00
drm_flip_work.c
drm_fourcc.c drm/fourcc: Add is_yuv field to drm_format_info to denote if the format is yuv 2018-07-18 16:56:45 +01:00
drm_framebuffer.c
drm_gem.c drm/i915: Prevent writing into a read-only object via a GGTT mmap 2018-07-13 16:14:04 +01:00
drm_gem_cma_helper.c
drm_gem_framebuffer_helper.c
drm_global.c
drm_hashtab.c
drm_info.c
drm_internal.h
drm_ioc32.c
drm_ioctl.c drm: drop _mode_ from remaining connector functions 2018-07-13 18:40:27 +02:00
drm_irq.c
drm_kms_helper_common.c
drm_lease.c drm: fix use-after-free read in drm_mode_create_lease_ioctl() 2018-10-02 10:22:10 +02:00
drm_legacy.h
drm_lock.c
drm_memory.c
drm_mipi_dsi.c drm: Add support for pps and compression mode command packet 2018-07-25 07:51:05 -04:00
drm_mm.c
drm_mode_config.c
drm_mode_object.c drm: drop _mode_ from remaining connector functions 2018-07-13 18:40:27 +02:00
drm_modes.c drm: drop _mode_ from remaining connector functions 2018-07-13 18:40:27 +02:00
drm_modeset_helper.c
drm_modeset_lock.c
drm_of.c drm/doc: Include drm_of.c helpers 2018-07-13 18:40:28 +02:00
drm_panel.c Revert "drm/panel: Add device_link from panel device to DRM device" 2018-09-27 11:00:42 -04:00
drm_panel_orientation_quirks.c
drm_pci.c drm: drop drm_pcie_get_speed_cap_mask and drm_pcie_get_max_link_width 2018-07-05 16:40:00 -05:00
drm_plane.c drm: Introduce __setplane_atomic() 2018-07-13 17:58:19 +03:00
drm_plane_helper.c
drm_prime.c
drm_print.c drm: Add puts callback for the coredump printer 2018-07-30 08:49:41 -04:00
drm_probe_helper.c drm: drop _mode_ from remaining connector functions 2018-07-13 18:40:27 +02:00
drm_property.c
drm_rect.c
drm_scatter.c
drm_scdc_helper.c
drm_simple_kms_helper.c drm: drop _mode_ from drm_mode_connector_attach_encoder 2018-07-13 18:40:27 +02:00
drm_syncobj.c drm/syncobj: Don't leak fences when WAIT_FOR_SUBMIT is set 2018-09-26 10:39:14 -04:00
drm_sysfs.c
drm_trace.h
drm_trace_points.c
drm_vblank.c
drm_vm.c
drm_vma_manager.c
drm_writeback.c drm: writeback: Fix doc that says connector should be disconnected 2018-07-16 16:35:27 +01:00
Kconfig drm: add support for DisplayPort CEC-Tunneling-over-AUX 2018-07-13 17:58:19 +03:00
Makefile drm: add support for DisplayPort CEC-Tunneling-over-AUX 2018-07-13 17:58:19 +03:00