linux/include/drm
Noralf Trønnes 4d4c2d8991 drm/cma-helper: Fix crash in fbdev error path
Sergey Suloev reported a crash happening in drm_client_dev_hotplug()
when fbdev had failed to register.

[    9.124598] vc4_hdmi 3f902000.hdmi: ASoC: Failed to create component debugfs directory
[    9.147667] vc4_hdmi 3f902000.hdmi: vc4-hdmi-hifi <-> 3f902000.hdmi mapping ok
[    9.155184] vc4_hdmi 3f902000.hdmi: ASoC: no DMI vendor name!
[    9.166544] vc4-drm soc:gpu: bound 3f902000.hdmi (ops vc4_hdmi_ops [vc4])
[    9.173840] vc4-drm soc:gpu: bound 3f806000.vec (ops vc4_vec_ops [vc4])
[    9.181029] vc4-drm soc:gpu: bound 3f004000.txp (ops vc4_txp_ops [vc4])
[    9.188519] vc4-drm soc:gpu: bound 3f400000.hvs (ops vc4_hvs_ops [vc4])
[    9.195690] vc4-drm soc:gpu: bound 3f206000.pixelvalve (ops vc4_crtc_ops [vc4])
[    9.203523] vc4-drm soc:gpu: bound 3f207000.pixelvalve (ops vc4_crtc_ops [vc4])
[    9.215032] vc4-drm soc:gpu: bound 3f807000.pixelvalve (ops vc4_crtc_ops [vc4])
[    9.274785] vc4-drm soc:gpu: bound 3fc00000.v3d (ops vc4_v3d_ops [vc4])
[    9.290246] [drm] Initialized vc4 0.0.0 20140616 for soc:gpu on minor 0
[    9.297464] [drm] Supports vblank timestamp caching Rev 2 (21.10.2013).
[    9.304600] [drm] Driver supports precise vblank timestamp query.
[    9.382856] vc4-drm soc:gpu: [drm:drm_fb_helper_fbdev_setup [drm_kms_helper]] *ERROR* Failed to set fbdev configuration
[   10.404937] Unable to handle kernel paging request at virtual address 00330a656369768a
[   10.441620] [00330a656369768a] address between user and kernel address ranges
[   10.449087] Internal error: Oops: 96000004 [#1] PREEMPT SMP
[   10.454762] Modules linked in: brcmfmac vc4 drm_kms_helper cfg80211 drm rfkill smsc95xx brcmutil usbnet drm_panel_orientation_quirks raspberrypi_hwmon bcm2835_dma crc32_ce pwm_bcm2835 bcm2835_rng virt_dma rng_core i2c_bcm2835 ip_tables x_tables ipv6
[   10.477296] CPU: 2 PID: 45 Comm: kworker/2:1 Not tainted 4.19.0-rc5 #3
[   10.483934] Hardware name: Raspberry Pi 3 Model B Rev 1.2 (DT)
[   10.489966] Workqueue: events output_poll_execute [drm_kms_helper]
[   10.596515] Process kworker/2:1 (pid: 45, stack limit = 0x000000007e8924dc)
[   10.603590] Call trace:
[   10.606259]  drm_client_dev_hotplug+0x5c/0xb0 [drm]
[   10.611303]  drm_kms_helper_hotplug_event+0x30/0x40 [drm_kms_helper]
[   10.617849]  output_poll_execute+0xc4/0x1e0 [drm_kms_helper]
[   10.623616]  process_one_work+0x1c8/0x318
[   10.627695]  worker_thread+0x48/0x428
[   10.631420]  kthread+0xf8/0x128
[   10.634615]  ret_from_fork+0x10/0x18
[   10.638255] Code: 54000220 f9401261 aa1303e0 b4000141 (f9400c21)
[   10.644456] ---[ end trace c75b4a4b0e141908 ]---

The reason for this is that drm_fbdev_cma_init() removes the drm_client
when fbdev registration fails, but it doesn't remove the client from the
drm_device client list. So the client list now has a pointer that points
into the unknown and we have a 'use after free' situation.

Split drm_client_new() into drm_client_init() and drm_client_add() to fix
removal in the error path.

Fixes: 894a677f4b ("drm/cma-helper: Use the generic fbdev emulation")
Reported-by: Sergey Suloev <ssuloev@orpaltech.com>
Cc: Stefan Wahren <stefan.wahren@i2se.com>
Cc: Eric Anholt <eric@anholt.net>
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Noralf Trønnes <noralf@tronnes.org>
Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: https://patchwork.freedesktop.org/patch/msgid/20181001194536.57756-1-noralf@tronnes.org
2018-10-02 13:03:34 +02:00
bridge drm for v4.18-rc1 2018-06-06 08:16:33 -07:00
i2c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
tinydrm drm/tinydrm: Fix doc build warnings 2018-07-11 22:24:02 +02:00
ttm drm/ttm: Add ttm_set_pages_wc and ttm_set_pages_uc helper 2018-08-01 17:23:05 -05:00
amd_asic_type.h drm/amdgpu: Add vega20 to asic_type enum. 2018-05-17 10:13:09 -05:00
ati_pcigart.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
drm_agpsupport.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
drm_atomic_helper.h drm/crtc: Add a generic infrastructure to fake VBLANK events 2018-07-07 07:53:09 +02:00
drm_atomic.h drm: writeback: Add out-fences for writeback connectors 2018-06-20 15:29:18 +01:00
drm_audio_component.h ALSA: hda: Make audio component support more generic 2018-07-17 22:25:48 +02:00
drm_auth.h drm: Add drm_object lease infrastructure [v5] 2017-10-25 16:31:29 +10:00
drm_blend.h drm/blend: Add a generic alpha property 2018-04-16 21:17:29 +02:00
drm_bridge.h drm/bridge: Move the struct drm_bridge member kerneldoc inline. 2018-06-21 14:00:06 -07:00
drm_cache.h drm: add func to get max iomem address v2 2018-02-13 11:57:59 -05:00
drm_client.h drm/cma-helper: Fix crash in fbdev error path 2018-10-02 13:03:34 +02:00
drm_color_mgmt.h drm: Introduce drm_color_lut_size() 2018-03-16 15:44:01 +02:00
drm_connector.h drm: drop _mode_ from remaining connector functions 2018-07-13 18:40:27 +02:00
drm_crtc_helper.h drm: Allow determining if current task is output poll worker 2018-02-16 22:30:06 +01:00
drm_crtc.h drm/doc: use inline kerneldoc style for drm_crtc_state 2018-07-13 18:40:28 +02:00
drm_debugfs_crc.h drm/crc: Only report a single overflow when a CRC fd is opened 2018-07-06 14:57:03 +02:00
drm_debugfs.h drm/debugfs: Add kerneldoc 2017-03-24 09:36:06 +01:00
drm_device.h drm: Begin an API for in-kernel clients 2018-07-10 14:51:37 +02:00
drm_displayid.h
drm_dp_dual_mode_helper.h
drm_dp_helper.h drm: add support for DisplayPort CEC-Tunneling-over-AUX 2018-07-13 17:58:19 +03:00
drm_dp_mst_helper.h drm/dp/mst: Sideband message transaction to power up/down nodes 2017-09-11 16:03:57 +03:00
drm_drv.h drm: fix drm_drv_uses_atomic_modeset on non modesetting drivers. 2018-09-18 11:17:06 +02:00
drm_edid.h drm: Don't EXPORT drm_add/reset_display_info 2018-04-24 21:34:53 +02:00
drm_encoder_slave.h
drm_encoder.h drm: Add drm_encoder_mask() 2018-07-02 18:45:55 +03:00
drm_fb_cma_helper.h drm/cma-helper: Remove drm_fb_cma_fbdev_init_with_funcs() 2018-07-10 14:54:50 +02:00
drm_fb_helper.h drm/fb-helper: Finish the generic fbdev emulation 2018-07-10 14:54:09 +02:00
drm_file.h drm: writeback: Add client capability for exposing writeback connectors 2018-06-20 15:30:20 +01:00
drm_fixed.h
drm_flip_work.h drm/kms-helpers: Use recommened kerneldoc for struct member refs 2017-01-25 16:18:57 +01:00
drm_fourcc.h drm/fourcc: Add is_yuv field to drm_format_info to denote if the format is yuv 2018-07-18 16:56:45 +01:00
drm_framebuffer.h drm/framebuffer: Print task that allocated the fb in debug info. 2017-12-20 15:30:17 +01:00
drm_gem_cma_helper.h Merge tag 'drm-misc-next-2017-11-30' of git://anongit.freedesktop.org/drm/drm-misc into drm-next 2017-12-04 05:42:49 +10:00
drm_gem_framebuffer_helper.h drm: Move simple_display_pipe prepare_fb helper into gem fb helpers 2018-04-24 13:57:22 +02:00
drm_gem.h drm: move read_domains and write_domain into i915 2018-02-16 14:12:48 +00:00
drm_global.h drm: drop extern from function decls 2017-03-24 09:36:06 +01:00
drm_hashtab.h drm: drop extern from function decls 2017-03-24 09:36:06 +01:00
drm_hdcp.h drm: Fix HDCP downstream dev count read 2018-04-16 12:10:48 -04:00
drm_ioctl.h drm: remove all control node code 2018-05-03 21:26:32 +02:00
drm_irq.h drm: Extract drm_vblank.[hc] 2017-06-01 08:02:14 +02:00
drm_lease.h drm: Add four ioctls for managing drm mode object leases [v7] 2017-10-25 16:31:30 +10:00
drm_legacy.h drm: prefer inline over __inline__ 2018-03-28 09:34:12 +03:00
drm_mipi_dsi.h
drm_mm.h drm/mm: Add a search-by-address variant to only inspect a single hole 2018-05-24 15:04:30 +01:00
drm_mode_config.h drm: Document mode_config.max_width/height as the max fb dimensions 2018-06-21 19:16:07 +03:00
drm_mode_object.h drm: remove drm_mode_object_{un/reference} aliases 2018-03-19 09:09:46 -04:00
drm_modes.h drm: drop _mode_ from remaining connector functions 2018-07-13 18:40:27 +02:00
drm_modeset_helper_vtables.h drm: drop _mode_ from update_edit_property() 2018-07-13 18:40:27 +02:00
drm_modeset_helper.h drm/modeset-helper: Add simple modeset suspend/resume helpers 2017-11-30 18:18:08 +01:00
drm_modeset_lock.h drm/atomic: Prepare drm_modeset_lock infrastructure for interruptible waiting, v2. 2017-09-13 09:50:52 +02:00
drm_of.h drm: of: Export and rename drm_crtc_port_mask() 2018-06-27 21:44:04 +02:00
drm_os_linux.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
drm_panel.h Revert "drm/panel: Add device_link from panel device to DRM device" 2018-09-27 11:00:42 -04:00
drm_pci.h drm: drop drm_pcie_get_speed_cap_mask and drm_pcie_get_max_link_width 2018-07-05 16:40:00 -05:00
drm_pciids.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
drm_plane_helper.h drm: add missing ctx argument to plane transitional helpers 2018-07-03 09:30:19 +02:00
drm_plane.h drm: switch drm_plane to inline comments 2018-07-13 18:40:28 +02:00
drm_prime.h dma-buf: remove kmap_atomic interface 2018-06-20 15:59:34 +02:00
drm_print.h drm: Add puts callback for the coredump printer 2018-07-30 08:49:41 -04:00
drm_property.h drm: Fix kerneldoc for DRM_MODE_PROP_IMMUTABLE 2018-07-13 12:18:03 -04:00
drm_rect.h drm/rect: Handle rounding errors in drm_rect_clip_scaled, v3. 2018-05-04 11:09:54 +02:00
drm_scdc_helper.h drm: Fix warning when building docs for scdc_helper 2017-07-31 14:24:14 +02:00
drm_simple_kms_helper.h drm: Move simple_display_pipe prepare_fb helper into gem fb helpers 2018-04-24 13:57:22 +02:00
drm_syncobj.h drm/syncobj: some kerneldoc polish 2017-12-15 11:26:52 +01:00
drm_sysfs.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
drm_utils.h drm: Add panel orientation quirks, v6. 2017-12-04 23:03:21 +01:00
drm_vblank.h Merge tag 'drm-intel-next-2018-02-21' of git://anongit.freedesktop.org/drm/drm-intel into drm-next 2018-03-01 14:07:22 +10:00
drm_vma_manager.h drm/i915: Prevent writing into a read-only object via a GGTT mmap 2018-07-13 16:14:04 +01:00
drm_writeback.h drm/atomic: Avoid connector to writeback_connector casts 2018-07-07 07:51:19 +02:00
drmP.h drm: move drv test macros out of drmP.h 2018-07-13 18:40:27 +02:00
gma_drm.h
gpu_scheduler.h drm/scheduler: only kill entity if last user is killed v2 2018-07-31 16:58:20 -05:00
i915_component.h drm/i915: Split audio component to a generic type 2018-07-17 22:25:19 +02:00
i915_drm.h x86/gpu: reserve ICL's graphics stolen memory 2018-07-10 16:28:47 -07:00
i915_pciids.h drm/i915/aml: Introducing Amber Lake platform 2018-06-18 10:49:57 -07:00
intel_lpe_audio.h ALSA: x86: Register multiple PCM devices for the LPE audio card 2017-05-03 16:24:00 +03:00
intel-gtt.h drm/i915: prefer resource_size_t for everything stolen 2017-12-12 12:30:22 +02:00
spsc_queue.h drm: move amd_gpu_scheduler into common location 2017-12-07 11:51:56 -05:00