Re: imxdrm issue on SABRE Lite

Russell King - ARM Linux <linux@xxxxxxxxxxxxxxx> · Mon, 13 Feb 2017 09:20:12 +0000

On Mon, Feb 13, 2017 at 09:05:33AM +0100, Thierry Reding wrote:
> On Sun, Feb 12, 2017 at 12:15:46AM +0000, Russell King - ARM Linux wrote:
> > diff --git a/drivers/gpu/drm/drm_atomic_helper.c b/drivers/gpu/drm/drm_atomic_helper.c
> > index 21f992605541..46668d071d6a 100644
> > --- a/drivers/gpu/drm/drm_atomic_helper.c
> > +++ b/drivers/gpu/drm/drm_atomic_helper.c
> > @@ -1201,9 +1201,8 @@ static void commit_tail(struct drm_atomic_state *state)
> >  	else
> >  		drm_atomic_helper_commit_tail(state);
> >  
> > -	drm_atomic_helper_commit_cleanup_done(state);
> > -
> > -	drm_atomic_state_free(state);
> > +	if (drm_atomic_helper_commit_cleanup_done(state) == 0)
> > +		drm_atomic_state_free(state);
> 
> Chris (Cc'ed) added reference counting to atomic state for v4.10, maybe
> that already fixes the issue?

No.  It's not the atomic state that's referenced, it's only a completion
within the drm_crtc_commit structure, which is completely separate from
the atomic state.  Moreover, the event code has no knowledge of commits,
so it can't "put" a reference count on it.  See:

void drm_send_event_locked(struct drm_device *dev, struct drm_pending_event *e)
{
        assert_spin_locked(&dev->event_lock);

        if (e->completion) {
                /* ->completion might disappear as soon as it signalled. */
                complete_all(e->completion);
                e->completion = NULL;
        }

vs the setup of the event done in drm_atomic_helper_setup_commit():

                if (!crtc_state->event) {
                        commit->event = kzalloc(sizeof(*commit->event),
                                                GFP_KERNEL);
                        if (!commit->event)
                                return -ENOMEM;

                        crtc_state->event = commit->event;
                }

                crtc_state->event->base.completion = &commit->flip_done;

"commit" gets freed before drm_send_event_locked() is called (hence
the timeout message) and when drm_send_event_locked() is eventually
called via drm_vblank_off(), this causes a use-after-free bug.

-- 
RMK's Patch system: http://www.armlinux.org.uk/developer/patches/
FTTC broadband for 0.8mile line: currently at 9.6Mbps down 400kbps up
according to speedtest.net.
_______________________________________________
dri-devel mailing list
dri-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/dri-devel