lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Sat, 30 Dec 2023 09:59:23 +0800
From: Hillf Danton <hdanton@...a.com>
To: syzbot <syzbot+59dcc2e7283a6f5f5ba1@...kaller.appspotmail.com>
Cc: linux-kernel@...r.kernel.org,
	syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [dri?] WARNING in drm_prime_destroy_file_private (2)

On Wed, 27 Dec 2023 12:51:18 -0800
> HEAD commit:    5254c0cbc92d Merge tag 'block-6.7-2023-12-22' of git://git..
> git tree:       upstream
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=155d5fd6e80000

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git  master

--- a/drivers/gpu/drm/drm_file.c
+++ b/drivers/gpu/drm/drm_file.c
@@ -287,6 +287,7 @@ void drm_file_free(struct drm_file *file
 	if (dev->driver->postclose)
 		dev->driver->postclose(dev, file);
 
+	drm_prime_del_handles(&file->prime);
 	drm_prime_destroy_file_private(&file->prime);
 
 	WARN_ON(!list_empty(&file->event_list));
--- a/drivers/gpu/drm/drm_internal.h
+++ b/drivers/gpu/drm/drm_internal.h
@@ -76,6 +76,7 @@ void drm_prime_init_file_private(struct
 void drm_prime_destroy_file_private(struct drm_prime_file_private *prime_fpriv);
 void drm_prime_remove_buf_handle(struct drm_prime_file_private *prime_fpriv,
 				 uint32_t handle);
+void drm_prime_del_handles(struct drm_prime_file_private *prime_fpriv);
 
 /* drm_drv.c */
 struct drm_minor *drm_minor_acquire(unsigned int minor_id);
--- a/drivers/gpu/drm/drm_prime.c
+++ b/drivers/gpu/drm/drm_prime.c
@@ -106,6 +106,8 @@ static int drm_prime_add_buf_handle(stru
 	get_dma_buf(dma_buf);
 	member->dma_buf = dma_buf;
 	member->handle = handle;
+	RB_CLEAR_NODE(&member->dmabuf_rb);
+	RB_CLEAR_NODE(&member->handle_rb);
 
 	rb = NULL;
 	p = &prime_fpriv->dmabufs.rb_node;
@@ -185,6 +187,27 @@ static int drm_prime_lookup_buf_handle(s
 	return -ENOENT;
 }
 
+void drm_prime_del_handles(struct drm_prime_file_private *prime_fpriv)
+{
+	struct drm_prime_member *member;
+	struct rb_node *rb;
+
+	mutex_lock(&prime_fpriv->lock);
+	for (;;) {
+		rb = rb_first(&prime_fpriv->dmabufs);
+		if (!rb)
+			break;
+		member = rb_entry(rb, struct drm_prime_member, dmabuf_rb);
+
+		rb_erase(&member->handle_rb, &prime_fpriv->handles);
+		rb_erase(&member->dmabuf_rb, &prime_fpriv->dmabufs);
+
+		dma_buf_put(member->dma_buf);
+		kfree(member);
+	}
+	mutex_unlock(&prime_fpriv->lock);
+}
+
 void drm_prime_remove_buf_handle(struct drm_prime_file_private *prime_fpriv,
 				 uint32_t handle)
 {
--

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ