lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date:   Fri, 23 Dec 2016 13:46:36 +0800
From:   changbin.du@...el.com
To:     daniel.vetter@...el.com
Cc:     jani.nikula@...ux.intel.com, airlied@...ux.ie,
        intel-gfx@...ts.freedesktop.org, dri-devel@...ts.freedesktop.org,
        linux-kernel@...r.kernel.org,
        "Du, Changbin" <changbin.du@...el.com>
Subject: [PATCH] drm/i915: check if execlist_port is empty before using its content

From: "Du, Changbin" <changbin.du@...el.com>

This patch fix a crash in function reset_common_ring. In this case,
the port[0].request is null when reset the render ring, so a null
dereference exception is raised. We need to check execlist_port status
first.

[   35.748034] BUG: unable to handle kernel NULL pointer dereference at 0000000000000070
[   35.749567] IP: [<ffffffff81521bfe>] reset_common_ring+0xbe/0x150
[   35.749567] Call Trace:
[   35.749567]  [<ffffffff8150ded0>] i915_gem_reset+0x150/0x270
[   35.749567]  [<ffffffff814d3c0a>] i915_reset+0x8a/0xe0
[   35.749567]  [<ffffffff814d8c21>] i915_reset_and_wakeup+0x131/0x160
[   35.749567]  [<ffffffff815298f0>] ? gen5_read8+0x110/0x110
[   35.749567]  [<ffffffff814dc97a>] i915_handle_error+0xca/0x5a0
[   35.749567]  [<ffffffff813bac9d>] ? scnprintf+0x3d/0x70
[   35.749567]  [<ffffffff814dd063>] i915_hangcheck_elapsed+0x213/0x510
[   35.749567]  [<ffffffff810c4c4b>] process_one_work+0x15b/0x470
[   35.749567]  [<ffffffff810c4fa3>] worker_thread+0x43/0x4d0
[   35.749567]  [<ffffffff810c4f60>] ? process_one_work+0x470/0x470
[   35.749567]  [<ffffffff810c4f60>] ? process_one_work+0x470/0x470
[   35.749567]  [<ffffffff810c103e>] ? call_usermodehelper_exec_async+0x12e/0x130
[   35.749567]  [<ffffffff810ca1a5>] kthread+0xc5/0xe0
[   35.749567]  [<ffffffff810ca0e0>] ? kthread_park+0x60/0x60
[   35.749567]  [<ffffffff810c0f10>] ? umh_complete+0x40/0x40
[   35.749567]  [<ffffffff81a35392>] ret_from_fork+0x22/0x30

Signed-off-by: Changbin Du <changbin.du@...el.com>
---
 drivers/gpu/drm/i915/intel_lrc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/i915/intel_lrc.c b/drivers/gpu/drm/i915/intel_lrc.c
index 0a09024..81a9b0b 100644
--- a/drivers/gpu/drm/i915/intel_lrc.c
+++ b/drivers/gpu/drm/i915/intel_lrc.c
@@ -1450,7 +1450,7 @@ static void reset_common_ring(struct intel_engine_cs *engine,
 
 	/* Catch up with any missed context-switch interrupts */
 	I915_WRITE(RING_CONTEXT_STATUS_PTR(engine), _MASKED_FIELD(0xffff, 0));
-	if (request->ctx != port[0].request->ctx) {
+	if (!execlists_elsp_idle(engine) && request->ctx != port[0].request->ctx) {
 		i915_gem_request_put(port[0].request);
 		port[0] = port[1];
 		memset(&port[1], 0, sizeof(port[1]));
-- 
2.7.4

Powered by blists - more mailing lists