dc: fix double free issue for dc sink

Chunming Zhou Tue, 02 Jan 2018 02:12:07 -0800

[345508.995835] 
==================================================================
[345508.995843] BUG: KASAN: double-free or invalid-free in           (null)


[345508.995853] CPU: 4 PID: 18706 Comm: deqp-vk Tainted: G    B            
4.15.0-rc2-custom #9
[345508.995854] Hardware name: Gigabyte Technology Co., Ltd. Default 
string/X99P-SLI-CF, BIOS F23 07/22/2016
[345508.995854] Call Trace:
[345508.995856]  dump_stack+0xad/0x139
[345508.995858]  ? dma_virt_map_sg+0x1f7/0x1f7
[345508.995860]  ? kmem_cache_alloc_trace+0x100/0x1e0
[345508.995905]  ? dc_create_stream_for_sink+0x9c/0xc20 [amdgpu]
[345508.995950]  ? amdgpu_dm_connector_mode_valid+0x166/0xd40 [amdgpu]
[345508.995957]  ? drm_helper_probe_single_connector_modes+0xd73/0x16a0 
[drm_kms_helper]
[345508.995959]  print_address_description+0x6a/0x270
[345508.995962]  kasan_report_double_free+0x65/0xa0
[345508.995965]  kasan_slab_free+0x14f/0x1a0
[345508.995966]  ? kasan_slab_free+0x12c/0x1a0
[345508.995968]  ? kfree+0x8d/0x1a0
[345508.996012]  ? amdgpu_dm_connector_mode_valid+0x346/0xd40 [amdgpu]
[345508.996023]  ? drm_helper_probe_single_connector_modes+0xd73/0x16a0 
[drm_kms_helper]
[345508.996041]  ? drm_mode_getconnector+0x4a4/0xdb0 [drm]
[345508.996058]  ? drm_ioctl_kernel+0x1ba/0x2c0 [drm]
[345508.996076]  ? drm_match_cea_mode.part.16+0x3ac/0x490 [drm]
[345508.996084]  ? SyS_ioctl+0x74/0x80
[345508.996097]  ? cea_mode_alternate_timings+0x1b0/0x1b0 [drm]
[345508.996148]  ? dc_create_transfer_func+0x6e/0x110 [amdgpu]
[345508.996198]  ? dc_plane_state_release+0xd0/0xd0 [amdgpu]
[345508.996249]  ? dce120_timing_generator_validate_timing+0x130/0x2f0 [amdgpu]
[345508.996299]  ? dc_stream_release+0x4b/0xc0 [amdgpu]
[345508.996306]  kfree+0x8d/0x1a0
[345508.996353]  dc_stream_release+0x4b/0xc0 [amdgpu]
[345508.996404]  amdgpu_dm_connector_mode_valid+0x346/0xd40 [amdgpu]
[345508.996455]  ? dm_update_crtcs_state+0xca0/0xca0 [amdgpu]
[345508.996473]  ? drm_mode_object_lease_required+0x30/0x30 [drm]
[345508.996484]  drm_helper_probe_single_connector_modes+0xd73/0x16a0 
[drm_kms_helper]
[345508.996496]  ? drm_helper_probe_detect+0x170/0x170 [drm_kms_helper]
[345508.996503]  ? rcu_note_context_switch+0x5d0/0x5d0
[345508.996517]  ? drm_mode_object_lease_required+0x30/0x30 [drm]
[345508.996528]  ? drm_helper_probe_detect+0x170/0x170 [drm_kms_helper]
[345508.996542]  drm_mode_getconnector+0x4a4/0xdb0 [drm]
[345508.996554]  ? drm_mode_getresources+0x737/0xac0 [drm]
[345508.996565]  ? drm_mode_connector_property_set_ioctl+0x280/0x280 [drm]
[345508.996568]  ? __check_object_size+0x20b/0x4a0
[345508.996579]  ? drm_mode_connector_property_set_ioctl+0x280/0x280 [drm]
[345508.996588]  drm_ioctl_kernel+0x1ba/0x2c0 [drm]
[345508.996599]  ? drm_ioctl_permit+0x2b0/0x2b0 [drm]
[345508.996610]  drm_ioctl+0x73b/0xa20 [drm]
[345508.996615]  ? e1000_update_nvm_checksum_ich8lan+0x787/0x860 [e1000e]
[345508.996627]  ? drm_mode_connector_property_set_ioctl+0x280/0x280 [drm]
[345508.996642]  ? drm_getstats+0x20/0x20 [drm]
[345508.996649]  ? __save_stack_trace+0x92/0x100
[345508.996655]  ? depot_save_stack+0x12d/0x470
[345508.996691]  amdgpu_drm_ioctl+0x11d/0x290 [amdgpu]
[345508.996696]  ? 0xffffffffc06b8000
[345508.996698]  ? do_filp_open+0x252/0x3c0
[345508.996700]  do_vfs_ioctl+0x18e/0x12a0
[345508.996703]  ? ioctl_preallocate+0x2a0/0x2a0
[345508.996704]  ? syscall_trace_enter+0x456/0x1010
[345508.996707]  ? __fsnotify_update_child_dentry_flags.part.0+0x250/0x250
[345508.996710]  ? iterate_fd+0x2a0/0x2a0
[345508.996712]  ? do_sys_open+0x260/0x640
[345508.996713]  ? kmem_cache_free+0x75/0x1f0
[345508.996715]  ? do_sys_open+0x260/0x640
[345508.996717]  SyS_ioctl+0x74/0x80
[345508.996719]  ? do_vfs_ioctl+0x12a0/0x12a0
[345508.996722]  do_syscall_64+0x229/0x610
[345508.996723]  ? exit_to_usermode_loop+0x137/0x1f0
[345508.996727]  ? syscall_return_slowpath+0x2f0/0x2f0
[345508.996734]  ? do_page_fault+0x93/0x330
[345508.996739]  ? __do_page_fault+0xad0/0xad0
[345508.996747]  ? prepare_exit_to_usermode+0x1c2/0x210
[345508.996752]  ? syscall_trace_enter+0x1010/0x1010
[345508.996758]  entry_SYSCALL64_slow_path+0x25/0x25
[345508.996763] RIP: 0033:0x7f3528147f07
[345508.996767] RSP: 002b:00007ffdc30575a8 EFLAGS: 00000202 ORIG_RAX: 
0000000000000010
[345508.996770] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 
00007f3528147f07
[345508.996771] RDX: 00007ffdc3057610 RSI: 00000000c05064a7 RDI: 
0000000000000009
[345508.996772] RBP: 00007ffdc30575e0 R08: 0000000006d62370 R09: 
00007ffdc3057700
[345508.996772] R10: 0000000000000005 R11: 0000000000000202 R12: 
0000000006ba8510
[345508.996773] R13: 0000000000000009 R14: 0000000000000000 R15: 
000000000705e1c8

[345508.996776] Allocated by task 25684:
[345508.996778]  kmem_cache_alloc_trace+0x100/0x1e0
[345508.996823]  dc_sink_create+0x90/0x420 [amdgpu]
[345508.996872]  dc_link_detect+0x7b0/0x3010 [amdgpu]
[345508.996922]  handle_hpd_irq+0xa4/0x150 [amdgpu]
[345508.996972]  dm_irq_work_func+0xd9/0x140 [amdgpu]
[345508.996980]  process_one_work+0x859/0x15f0
[345508.996986]  worker_thread+0x216/0x17b0
[345508.996991]  kthread+0x2d9/0x390
[345508.996993]  ret_from_fork+0x1f/0x30

[345508.996995] Freed by task 25684:
[345508.996997]  kfree+0x8d/0x1a0
[345508.997041]  dc_link_detect+0x485/0x3010 [amdgpu]
[345508.997091]  handle_hpd_irq+0xa4/0x150 [amdgpu]
[345508.997141]  dm_irq_work_func+0xd9/0x140 [amdgpu]
[345508.997148]  process_one_work+0x859/0x15f0
[345508.997150]  worker_thread+0x216/0x17b0
[345508.997151]  kthread+0x2d9/0x390
[345508.997152]  ret_from_fork+0x1f/0x30

[345508.997154] The buggy address belongs to the object at ffff8801b5ee7980
[345508.997154]  which belongs to the cache kmalloc-1024 of size 1024
[345508.997157] The buggy address is located 0 bytes inside of
[345508.997157]  1024-byte region [ffff8801b5ee7980, ffff8801b5ee7d80)
[345508.997159] The buggy address belongs to the page:
[345508.997161] page:00000000b0e44434 count:1 mapcount:0 mapping:          
(null) index:0x0 compound_mapcount: 0
[345508.997163] flags: 0x17ffffc0008100(slab|head)
[345508.997172] raw: 0017ffffc0008100 0000000000000000 0000000000000000 
00000001001c001c
[345508.997179] raw: dead000000000100 dead000000000200 ffff8803bb80ebc0 
0000000000000000
[345508.997187] page dumped because: kasan: bad access detected

[345508.997194] Memory state around the buggy address:
[345508.997195]  ffff8801b5ee7880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb 
fb
[345508.997197]  ffff8801b5ee7900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc 
fc
[345508.997198] >ffff8801b5ee7980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb 
fb
[345508.997200]                    ^
[345508.997201]  ffff8801b5ee7a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb 
fb
[345508.997202]  ffff8801b5ee7a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb 
fb
[345508.997205] 
==================================================================

Change-Id: I069f723d501acb988aae7895a4f865ebf0313f21
Signed-off-by: Chunming Zhou <david1.z...@amd.com>
---
 drivers/gpu/drm/amd/display/dc/core/dc_stream.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_stream.c 
b/drivers/gpu/drm/amd/display/dc/core/dc_stream.c
index 261811e0c094..afd04974b70b 100644
--- a/drivers/gpu/drm/amd/display/dc/core/dc_stream.c
+++ b/drivers/gpu/drm/amd/display/dc/core/dc_stream.c
@@ -58,11 +58,10 @@ static void construct(struct dc_stream_state *stream,
 {
        uint32_t i = 0;
 
+       dc_sink_retain(dc_sink_data);
        stream->sink = dc_sink_data;
        stream->ctx = stream->sink->ctx;
 
-       dc_sink_retain(dc_sink_data);
-
        /* Copy audio modes */
        /* TODO - Remove this translation */
        for (i = 0; i < (dc_sink_data->edid_caps.audio_mode_count); i++)
-- 
2.14.1

_______________________________________________
amd-gfx mailing list
amd-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/amd-gfx

[PATCH] drm/amd/display/dc: fix double free issue for dc sink

Reply via email to