/*
 * linux/include/video/neo_reg.h -- NeoMagic Framebuffer Driver
 *
 * Copyright (c) 2001 Denis Oliver Kropp
 *
 * This file is subject to the terms and conditions of the GNU General
 * Public License. See the file COPYING in the main directory of this
 * archive for more details.
 *
 * Register bit definitions, the blitter MMIO layout and the per-device
 * state structure for the NeoMagic framebuffer driver.
 */

/*
 * NEO_BS0_*: single-bit flags (bits 0-2).
 * NOTE(review): presumably bits of the blitter status word (bltStat in
 * Neo2200 below) -- confirm against the driver.
 */
#define NEO_BS0_BLT_BUSY 0x00000001
#define NEO_BS0_FIFO_AVAIL 0x00000002
#define NEO_BS0_FIFO_PEND 0x00000004

/*
 * NEO_BC0_* .. NEO_BC3_*: values for one 32-bit control word, grouped by
 * byte: BC0 uses bits 0-7, BC1 bits 8-15, BC2 bit 23, BC3 bits 24-31.
 * NOTE(review): presumably the bltCntl register -- confirm.
 */
#define NEO_BC0_DST_Y_DEC 0x00000001
#define NEO_BC0_X_DEC 0x00000002
#define NEO_BC0_SRC_TRANS 0x00000004
#define NEO_BC0_SRC_IS_FG 0x00000008
#define NEO_BC0_SRC_Y_DEC 0x00000010
#define NEO_BC0_FILL_PAT 0x00000020
#define NEO_BC0_SRC_MONO 0x00000040
#define NEO_BC0_SYS_TO_VID 0x00000080

/*
 * The DEPTH (bits 8-9) and X_* (bits 10-12) entries are multi-bit field
 * values, not independent flags: e.g. X_800 (0x0c00) equals X_320 | X_640.
 * Compare them after masking the field; a single-bit AND test gives false
 * matches.
 */
#define NEO_BC1_DEPTH8 0x00000100
#define NEO_BC1_DEPTH16 0x00000200
#define NEO_BC1_X_320 0x00000400
#define NEO_BC1_X_640 0x00000800
#define NEO_BC1_X_800 0x00000c00
#define NEO_BC1_X_1024 0x00001000
#define NEO_BC1_X_1152 0x00001400
#define NEO_BC1_X_1280 0x00001800
#define NEO_BC1_X_1600 0x00001c00
#define NEO_BC1_DST_TRANS 0x00002000
#define NEO_BC1_MSTR_BLT 0x00004000
#define NEO_BC1_FILTER_Z 0x00008000

#define NEO_BC2_WR_TR_DST 0x00800000

#define NEO_BC3_SRC_XY_ADDR 0x01000000
#define NEO_BC3_DST_XY_ADDR 0x02000000
#define NEO_BC3_CLIP_ON 0x04000000
#define NEO_BC3_FIFO_EN 0x08000000
#define NEO_BC3_BLT_ON_ADDR 0x10000000
#define NEO_BC3_SKIP_MAPPING 0x80000000

/*
 * NEO_MODE1_*: 16-bit values. The DEPTH and X_* entries use the same bit
 * positions and values as their NEO_BC1_* counterparts, with DEPTH24
 * (0x0300) added. 0x2000 means BLT_ON_ADDR here but DST_TRANS in the
 * NEO_BC1_* set, so the two sets must not be mixed in one register value.
 */
#define NEO_MODE1_DEPTH8 0x0100
#define NEO_MODE1_DEPTH16 0x0200
#define NEO_MODE1_DEPTH24 0x0300
#define NEO_MODE1_X_320 0x0400
#define NEO_MODE1_X_640 0x0800
#define NEO_MODE1_X_800 0x0c00
#define NEO_MODE1_X_1024 0x1000
#define NEO_MODE1_X_1152 0x1400
#define NEO_MODE1_X_1280 0x1800
#define NEO_MODE1_X_1600 0x1c00
#define NEO_MODE1_BLT_ON_ADDR 0x2000

/*
 * These are offset in MMIO space by par->CursorOff.
 * NOTE(review): the field declared in struct neofb_par below is spelled
 * cursorOff (lower-case c) and is a u8.
 */
#define NEOREG_CURSCNTL 0x00
#define NEOREG_CURSX 0x04
#define NEOREG_CURSY 0x08
#define NEOREG_CURSBGCOLOR 0x0C
#define NEOREG_CURSFGCOLOR 0x10
#define NEOREG_CURSMEMPOS 0x14

/*
 * Cursor/icon control values. NEO_ICON128_ENABLE (0x0C) contains the
 * NEO_ICON64_ENABLE bit (0x08), so it is a field value rather than a
 * separate flag.
 */
#define NEO_CURS_DISABLE 0x00000000
#define NEO_CURS_ENABLE 0x00000001
#define NEO_ICON64_ENABLE 0x00000008
#define NEO_ICON128_ENABLE 0x0000000C
#define NEO_ICON_BLANK 0x00000010

#define NEO_GR01_SUPPRESS_VSYNC 0x10
#define NEO_GR01_SUPPRESS_HSYNC 0x20

/* Everything below is visible to kernel builds only. */
#ifdef __KERNEL__

/*
 * Debug trace helper. The argument is passed as data to a fixed "%s"
 * format, never as the format string itself.
 * NOTE(review): the debug expansion ends in ';', so "DBG(x);" yields an
 * extra empty statement and would break an unbraced if/else; the
 * non-debug expansion is empty. Call sites are not visible here.
 */
#ifdef NEOFB_DEBUG
# define DBG(x) printk (KERN_DEBUG "neofb: %s\n", (x));
#else
# define DBG(x)
#endif

/* NOTE(review): presumably the PCI device IDs of the supported chips -- confirm. */
#define PCI_CHIP_NM2070 0x0001
#define PCI_CHIP_NM2090 0x0002
#define PCI_CHIP_NM2093 0x0003
#define PCI_CHIP_NM2097 0x0083
#define PCI_CHIP_NM2160 0x0004
#define PCI_CHIP_NM2200 0x0005
#define PCI_CHIP_NM2230 0x0025
#define PCI_CHIP_NM2360 0x0006
#define PCI_CHIP_NM2380 0x0016

/* --------------------------------------------------------------------- */

/*
 * Register block layout, used through the __iomem pointer 'neo2200' in
 * struct neofb_par. Every member is a __u32, so the byte offsets noted
 * below follow directly from member order; the reserved members are
 * padding that keeps later registers at their offsets and must not be
 * removed or resized.
 */
typedef volatile struct {
	__u32 bltStat;		/* 0x00 */
	__u32 bltCntl;		/* 0x04 */
	__u32 xpColor;		/* 0x08 */
	__u32 fgColor;		/* 0x0C */
	__u32 bgColor;		/* 0x10 */
	__u32 pitch;		/* 0x14 */
	__u32 clipLT;		/* 0x18 */
	__u32 clipRB;		/* 0x1C */
	__u32 srcBitOffset;	/* 0x20 */
	__u32 srcStart;		/* 0x24 */
	__u32 reserved0;	/* 0x28 */
	__u32 dstStart;		/* 0x2C */
	__u32 xyExt;		/* 0x30 */
	__u32 reserved1[19];	/* 0x34 - 0x7F */
	__u32 pageCntl;		/* 0x80 */
	__u32 pageBase;		/* 0x84 */
	__u32 postBase;		/* 0x88 */
	__u32 postPtr;		/* 0x8C */
	__u32 dataPtr;		/* 0x90 */
} Neo2200;

/* 0x200000 bytes = 2 MiB. NOTE(review): presumably the size of the MMIO mapping -- confirm. */
#define MMIO_SIZE 0x200000

/* NOTE(review): presumably the highest extended CR / GR register index -- confirm. */
#define NEO_EXT_CR_MAX 0x85
#define NEO_EXT_GR_MAX 0xC7

/*
 * Per-device driver state.
 * NOTE(review): the register-named members look like a saved copy of the
 * hardware register set -- confirm against the code that fills them.
 * The fixed-size arrays (25, 5, 9, 21 entries) carry no length of their
 * own, so any code indexing them by register number has to bound the
 * index itself; that code is not visible here.
 */
struct neofb_par {
	struct vgastate state;
	unsigned int ref_count;

	unsigned char MiscOutReg;	/* Misc */
	unsigned char CRTC[25];		/* Crtc Controller */
	unsigned char Sequencer[5];	/* Video Sequencer */
	unsigned char Graphics[9];	/* Video Graphics */
	unsigned char Attribute[21];	/* Video Attribute */

	unsigned char GeneralLockReg;
	unsigned char ExtCRTDispAddr;
	unsigned char ExtCRTOffset;
	unsigned char SysIfaceCntl1;
	unsigned char SysIfaceCntl2;
	unsigned char ExtColorModeSelect;
	unsigned char biosMode;

	unsigned char PanelDispCntlReg1;
	unsigned char PanelDispCntlReg2;
	unsigned char PanelDispCntlReg3;
	unsigned char PanelDispCntlRegRead;
	unsigned char PanelVertCenterReg1;
	unsigned char PanelVertCenterReg2;
	unsigned char PanelVertCenterReg3;
	unsigned char PanelVertCenterReg4;
	unsigned char PanelVertCenterReg5;
	unsigned char PanelHorizCenterReg1;
	unsigned char PanelHorizCenterReg2;
	unsigned char PanelHorizCenterReg3;
	unsigned char PanelHorizCenterReg4;
	unsigned char PanelHorizCenterReg5;

	int ProgramVCLK;
	unsigned char VCLK3NumeratorLow;
	unsigned char VCLK3NumeratorHigh;
	unsigned char VCLK3Denominator;
	unsigned char VerticalExt;
	int wc_cookie;
	/* __iomem marks the next pointer as referring to I/O memory. */
	u8 __iomem *mmio_vbase;
	u8 cursorOff;
	u8 *cursorPad;		/* Must die !! */

	/* Blitter register block; laid out as Neo2200 above. */
	Neo2200 __iomem *neo2200;

	/* Panels size */
	int NeoPanelWidth;
	int NeoPanelHeight;

	int maxClock;

	int pci_burst;
	int lcd_stretch;
	int internal_display;
	int external_display;
	int libretto;
	u32 palette[16];
};

/* One resolution-to-mode entry; note the typedef shares its name with the biosMode member of struct neofb_par. */
typedef struct {
	int x_res;
	int y_res;
	int mode;
} biosMode;

#endif /* __KERNEL__ */
id=92c715fca907686f5298220ece53423e38ba3aed'>patch) tree286158fdad04c9b54955350abb95d4f1c0dc860a /net/core/scm.c parente6e7b48b295afa5a5ab440de0a94d9ad8b3ce2d0 (diff)
drm/atomic: Fix double free in drm_atomic_state_default_clear
drm_atomic_helper_page_flip and drm_atomic_ioctl set their own events in crtc_state->event. But when it's set the event is freed in 2 places. Solve this by only freeing the event in the atomic ioctl when it allocated its own event. This has been broken twice. The first time when the code was introduced, but only in the corner case when an event is allocated, but more crtc's were included by atomic check and then failing. This can mostly happen when you do an atomic modeset in i915 and the display clock is changed, which forces all crtc's to be included to the state. This has been broken worse by adding in-fences support, which caused the double free to be done unconditionally. [IGT] kms_rotation_crc: starting subtest primary-rotation-180 ============================================================================= BUG kmalloc-128 (Tainted: G U ): Object already free ----------------------------------------------------------------------------- Disabling lock debugging due to kernel taint INFO: Allocated in drm_atomic_helper_setup_commit+0x285/0x2f0 [drm_kms_helper] age=0 cpu=3 pid=1529 ___slab_alloc+0x308/0x3b0 __slab_alloc+0xd/0x20 kmem_cache_alloc_trace+0x92/0x1c0 drm_atomic_helper_setup_commit+0x285/0x2f0 [drm_kms_helper] intel_atomic_commit+0x35/0x4f0 [i915] drm_atomic_commit+0x46/0x50 [drm] drm_mode_atomic_ioctl+0x7d4/0xab0 [drm] drm_ioctl+0x2b3/0x490 [drm] do_vfs_ioctl+0x69c/0x700 SyS_ioctl+0x4e/0x80 entry_SYSCALL_64_fastpath+0x13/0x94 INFO: Freed in drm_event_cancel_free+0xa3/0xb0 [drm] age=0 cpu=3 pid=1529 __slab_free+0x48/0x2e0 kfree+0x159/0x1a0 drm_event_cancel_free+0xa3/0xb0 [drm] drm_mode_atomic_ioctl+0x86d/0xab0 [drm] drm_ioctl+0x2b3/0x490 [drm] do_vfs_ioctl+0x69c/0x700 SyS_ioctl+0x4e/0x80 entry_SYSCALL_64_fastpath+0x13/0x94 INFO: Slab 0xffffde1f0997b080 objects=17 used=2 fp=0xffff92fb65ec2578 flags=0x200000000008101 INFO: Object 0xffff92fb65ec2578 @offset=1400 fp=0xffff92fb65ec2ae8 Redzone ffff92fb65ec2570: bb bb bb bb bb bb bb bb ........ 
Object ffff92fb65ec2578: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object ffff92fb65ec2588: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object ffff92fb65ec2598: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object ffff92fb65ec25a8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object ffff92fb65ec25b8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object ffff92fb65ec25c8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object ffff92fb65ec25d8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object ffff92fb65ec25e8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b a5 kkkkkkkkkkkkkkk. Redzone ffff92fb65ec25f8: bb bb bb bb bb bb bb bb ........ Padding ffff92fb65ec2738: 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZ CPU: 3 PID: 180 Comm: kworker/3:2 Tainted: G BU 4.10.0-rc6-patser+ #5039 Hardware name: /NUC5PPYB, BIOS PYBSWCEL.86A.0031.2015.0601.1712 06/01/2015 Workqueue: events intel_atomic_helper_free_state [i915] Call Trace: dump_stack+0x4d/0x6d print_trailer+0x20c/0x220 free_debug_processing+0x1c6/0x330 ? drm_atomic_state_default_clear+0xf7/0x1c0 [drm] __slab_free+0x48/0x2e0 ? drm_atomic_state_default_clear+0xf7/0x1c0 [drm] kfree+0x159/0x1a0 drm_atomic_state_default_clear+0xf7/0x1c0 [drm] ? drm_atomic_state_clear+0x30/0x30 [drm] intel_atomic_state_clear+0xd/0x20 [i915] drm_atomic_state_clear+0x1a/0x30 [drm] __drm_atomic_state_free+0x13/0x60 [drm] intel_atomic_helper_free_state+0x5d/0x70 [i915] process_one_work+0x260/0x4a0 worker_thread+0x2d1/0x4f0 kthread+0x127/0x130 ? process_one_work+0x4a0/0x4a0 ? 
kthread_stop+0x120/0x120 ret_from_fork+0x29/0x40 FIX kmalloc-128: Object at 0xffff92fb65ec2578 not freed Fixes: 3b24f7d67581 ("drm/atomic: Add struct drm_crtc_commit to track async updates") Fixes: 9626014258a5 ("drm/fence: add in-fences support") Cc: <stable@vger.kernel.org> # v4.8+ Cc: Daniel Vetter <daniel.vetter@ffwll.ch> Signed-off-by: Maarten Lankhorst <maarten.lankhorst@linux.intel.com> Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch> Reviewed-by: Gustavo Padovan <gustavo.padovan@collabora.com> Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch> Link: http://patchwork.freedesktop.org/patch/msgid/1485854725-27640-1-git-send-email-maarten.lankhorst@linux.intel.com
Diffstat (limited to 'net/core/scm.c')