linux/drivers
Chris Wilson b74ad5ae14 drm: Fix use-after-free in drm_gem_vm_close()
As we may release the last reference, we need to store the device in a
local variable in order to unlock afterwards.

[   60.140768] BUG: unable to handle kernel paging request at 6b6b6b9f
[   60.140973] IP: [<c1536d11>] __mutex_unlock_slowpath+0x5a/0x111
[   60.141014] *pdpt = 0000000024a54001 *pde = 0000000000000000
[   60.141014] Oops: 0002 [] PREEMPT SMP
[   60.141014] last sysfs file: /sys/devices/LNXSYSTM:00/device:00/PNP0A08:00/PNP0C0A:00/power_supply/BAT0/voltage_now
[   60.141014] Modules linked in: uvcvideo ath9k pegasus ath9k_common ath9k_hw hid_egalax ath3k joydev asus_laptop sparse_keymap battery input_polldev
[   60.141014]
[   60.141014] Pid: 771, comm: meego-ux-daemon Not tainted 2.6.37.2-7.1  EXOPC EXOPG06411/EXOPG06411
[   60.141014] EIP: 0060:[<c1536d11>] EFLAGS: 00010046 CPU: 0
[   60.141014] EIP is at __mutex_unlock_slowpath+0x5a/0x111
[   60.141014] EAX: 00000100 EBX: 6b6b6b9b ECX: e9b4a1b0 EDX: e4a4e580
[   60.141014] ESI: db162558 EDI: 00000246 EBP: e480be50 ESP: e480be44
[   60.141014]  DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
[   60.141014] Process meego-ux-daemon (pid: 771, ti=e480a000 task=e9b4a1b0 task.ti=e480a000)
[   60.141014] Stack:
[   60.141014]  e4a4e580 db162558 f5a2f838 e480be58 c1536dd0 e480be68 c125ab1b db162558
[   60.141014]  db1624e0 e480be78 c10ba071 db162558 f760241c e480be94 c10bb0bc 000155fe
[   60.141014]  f760241c f5a2f838 f5a2f8c8 00000000 e480bea4 c1037c24 00000000 f5a2f838
[   60.141014] Call Trace:
[   60.141014]  [<c1536dd0>] ? mutex_unlock+0x8/0xa
[   60.141014]  [<c125ab1b>] ? drm_gem_vm_close+0x39/0x3d
[   60.141014]  [<c10ba071>] ? remove_vma+0x2d/0x58
[   60.141014]  [<c10bb0bc>] ? exit_mmap+0x126/0x13f
[   60.141014]  [<c1037c24>] ? mmput+0x37/0x9a
[   60.141014]  [<c10d450d>] ? exec_mmap+0x178/0x19c
[   60.141014]  [<c1537f85>] ? _raw_spin_unlock+0x1d/0x36
[   60.141014]  [<c10d4eb0>] ? flush_old_exec+0x42/0x75
[   60.141014]  [<c1104442>] ? load_elf_binary+0x32a/0x922
[   60.141014]  [<c10d3f76>] ? search_binary_handler+0x200/0x2ea
[   60.141014]  [<c10d3ecf>] ? search_binary_handler+0x159/0x2ea
[   60.141014]  [<c1104118>] ? load_elf_binary+0x0/0x922
[   60.141014]  [<c10d56b2>] ? do_execve+0x1ff/0x2e6
[   60.141014]  [<c100970e>] ? sys_execve+0x2d/0x55
[   60.141014]  [<c1002a5a>] ? ptregs_execve+0x12/0x18
[   60.141014]  [<c10029dc>] ? sysenter_do_call+0x12/0x3c
[   60.141014]  [<c1530000>] ? init_centaur+0x9c/0x1ba
[   60.141014] Code: c1 00 75 0f ba 38 01 00 00 b8 8c 3a 6c c1 e8 cc 2e b0 ff 9c 58 8d 74 26 00 89 c7 fa 90 8d 74 26 00 e8 d2 b4 b2 ff b8 00 01 00 00 <f0> 66 0f c1 43 04 38 e0 74 07 f3 90 8a 43 04 eb f5 83 3d 64 ef
[   60.141014] EIP: [<c1536d11>] __mutex_unlock_slowpath+0x5a/0x111 SS:ESP 0068:e480be44
[   60.141014] CR2: 000000006b6b6b9f

Reported-by: Rusty Lynch <rusty.lynch@intel.com>
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: stable@kernel.org
Signed-off-by: Dave Airlie <airlied@redhat.com>
2011-03-21 09:15:22 +10:00
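The ordering bug the commit describes, modelled as an added example (not the kernel's drm code): the structures, the mutex and the SLUB-style 0x6b poisoning are constructed stand-ins, and the freed object's storage is left mapped so the fault is reported as a return value rather than a crash. The buggy close re-reads obj->dev after the last reference may have freed obj; the fixed close copies dev to a local first, as the patch does.

```c
#include <string.h>

/* Constructed stand-ins for the kernel structures; not the real drm types. */
struct mutex_sim { int locked; };
struct drm_device_sim { struct mutex_sim struct_mutex; };
struct gem_obj_sim { struct drm_device_sim *dev; int refcount; };

/* Emulate SLUB poisoning: freed memory is overwritten with 0x6b (POISON_FREE),
 * which is why the faulting address in the oops reads 6b6b6b9f. */
static void gem_free(struct gem_obj_sim *obj) { memset(obj, 0x6b, sizeof(*obj)); }

static void gem_unreference(struct gem_obj_sim *obj) {
    if (--obj->refcount == 0)
        gem_free(obj);            /* last reference: obj is gone after this */
}

/* Unlock dev->struct_mutex; returns -1 if dev is a poisoned pointer, i.e. the
 * point where the real kernel faulted inside __mutex_unlock_slowpath. */
static int unlock_dev(struct drm_device_sim *dev) {
    struct drm_device_sim *poison;
    memset(&poison, 0x6b, sizeof(poison));
    if (dev == poison)
        return -1;
    dev->struct_mutex.locked = 0;
    return 0;
}

/* Buggy ordering: obj->dev is re-read after the unreference may have freed obj. */
static int vm_close_buggy(struct gem_obj_sim *obj) {
    obj->dev->struct_mutex.locked = 1;
    gem_unreference(obj);
    return unlock_dev(obj->dev);  /* use-after-free read of obj->dev */
}

/* Fixed ordering, as in the commit: copy dev out before dropping the reference. */
static int vm_close_fixed(struct gem_obj_sim *obj) {
    struct drm_device_sim *dev = obj->dev;
    dev->struct_mutex.locked = 1;
    gem_unreference(obj);
    return unlock_dev(dev);
}

/* Close a fresh object that holds its last reference. Returns -1 for a fault,
 * 0 when the mutex was released cleanly, 1 if it was left locked. */
int run_close(int use_fixed) {
    struct drm_device_sim dev = { { 0 } };
    struct gem_obj_sim obj = { &dev, 1 };
    int rc = use_fixed ? vm_close_fixed(&obj) : vm_close_buggy(&obj);
    if (rc < 0) return -1;
    return dev.struct_mutex.locked ? 1 : 0;
}
```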
accessibility
acpi ACPI / ACPICA: Implicit notify for multiple devices 2011-02-24 19:59:21 +01:00
amba
ata
atm ATM, Solos PCI ADSL2+: Don't deref NULL pointer if net_ratelimit() and alloc_skb() interact badly. 2011-02-13 16:55:46 -08:00
auxdisplay
base
block block: kill loop_mutex 2011-03-03 11:53:25 -05:00
bluetooth Revert "Bluetooth: Enable USB autosuspend by default on btusb" 2011-02-23 19:42:03 -08:00
cdrom cdrom: support devices that have check_events but not media_changed 2011-02-09 14:22:37 +01:00
char ipmi: Fix IPMI errors due to timing problems 2011-03-10 13:21:16 -08:00
clk
clocksource
connector
cpufreq [CPUFREQ] fix BUG on cpufreq policy init failure 2011-03-01 18:49:44 -05:00
cpuidle
crypto
dca
dio
dma Merge branch 'imx' into dmaengine-fixes 2011-02-14 02:40:46 -08:00
edac amd64_edac: Fix DIMMs per DCTs output 2011-02-10 14:41:49 +01:00
eisa
firewire
firmware x86, dmi, debug: Log board name (when present) in dmesg/oops output 2011-02-15 04:20:57 +01:00
gpio drivers/gpio/pca953x.c: add a mutex to fix race condition 2011-02-11 16:12:20 -08:00
gpu drm: Fix use-after-free in drm_gem_vm_close() 2011-03-21 09:15:22 +10:00
hid
hwmon hwmon: (adt7411) add MODULE_DEVICE_TABLE 2011-02-26 08:59:32 -08:00
i2c i2c-eg20t: include slab.h for memory allocations 2011-03-08 23:13:30 +00:00
ide
idle intel_idle: disable Atom/Lincroft HW C-state auto-demotion 2011-02-17 17:08:48 -05:00
ieee802154
infiniband Merge branches 'nes' and 'qib' into for-next 2011-02-17 14:04:59 -08:00
input Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input 2011-02-23 14:44:25 -08:00
isdn drivers:isdn:istream.c Fix typo pice to piece 2011-02-28 12:07:32 -08:00
leds
lguest
macintosh
mca
md md: Fix - again - partition detection when array becomes active 2011-02-24 17:26:41 +11:00
media Merge branch 'media_fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-2.6 2011-03-10 13:22:10 -08:00
memstick workqueue, freezer: unify spelling of 'freeze' + 'able' to 'freezable' 2011-02-16 17:48:59 +01:00
message [SCSI] mptfusion: Bump version 03.04.18 2011-02-12 12:51:21 -06:00
mfd mfd: Avoid tps6586x burst writes 2011-03-02 10:57:50 +01:00
misc drivers/misc/bmp085.c: add MODULE_DEVICE_TABLE 2011-03-04 17:53:38 -08:00
mmc Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/cjb/mmc 2011-03-09 14:00:44 -08:00
mtd workqueue, freezer: unify spelling of 'freeze' + 'able' to 'freezable' 2011-02-16 17:48:59 +01:00
net r8169: disable ASPM 2011-03-03 11:55:43 -08:00
nfc drivers/nfc/pn544.c: add missing regulator 2011-02-25 15:07:36 -08:00
nubus
of of/promtree: allow DT device matching by fixing 'name' brokenness (v5) 2011-03-02 13:45:19 -07:00
oprofile
parisc
parport
pci pci: use security_capable() when checking capablities during config space read 2011-02-15 19:06:31 +11:00
pcmcia Merge branch 'fixes' of master.kernel.org:/home/rmk/linux-2.6-arm 2011-03-07 20:45:42 -08:00
platform dell-laptop: Toggle the unsupported hardware killswitch 2011-02-21 17:06:21 -05:00
pnp
power
pps pps: make pps_gen_parport depend on BROKEN 2011-03-04 17:53:38 -08:00
ps3
rapidio rapidio: fix sysfs config attribute to access 16MB of maint space 2011-02-25 15:07:37 -08:00
regulator regulator, mc13xxx: Remove pointless test for unsigned less than zero 2011-02-25 08:51:07 +00:00
rtc drivers/rtc/rtc-s3c.c: fix prototype for s3c_rtc_setaie() 2011-03-04 17:53:38 -08:00
s390 [S390] tape: deadlock on system work queue 2011-03-03 17:56:14 +01:00
sbus
scsi block: add @force_kblockd to __blk_run_queue() 2011-03-02 08:48:05 -05:00
sfi
sh
sn
spi spi/pxa2xx pci: fix the release - remove race 2011-02-15 13:25:36 -07:00
ssb Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-2.6 2011-02-08 12:03:54 -08:00
staging Merge branch 'staging-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging-2.6 2011-02-10 12:19:23 -08:00
target [SCSI] target: fix use after free detected by SLUB poison 2011-02-12 12:32:41 -06:00
tc
telephony
thermal ACPI: Fix build for CONFIG_NET unset 2011-02-28 18:00:31 -08:00
tty fmvj18x_cs: add new id 2011-02-28 12:06:20 -08:00
uio
usb Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6 2011-03-03 15:43:15 -08:00
uwb
vhost
video drivers/video/backlight/ltv350qv.c: fix a memory leak 2011-03-04 17:53:38 -08:00
virtio
vlynq
w1 drivers/w1/masters/omap_hdq.c: add missing clk_put 2011-02-11 16:12:20 -08:00
watchdog watchdog: sbc_fitpc2_wdt, fix crash on systems without DMI_BOARD_NAME 2011-03-09 21:33:37 +00:00
xen xen: suspend and resume system devices when running PVHVM 2011-02-17 10:31:20 +00:00
zorro
Kconfig
Makefile