Re: [PATCH v2] drm/qxl: do not run release if qxl failed to init

2021-02-05 Thread Tong Zhang
On Feb 5, 2021, at 2:43 AM, Gerd Hoffmann wrote:
> 
> On Thu, Feb 04, 2021 at 11:30:50AM -0500, Tong Zhang wrote:
>> if qxl_device_init() fails, the drm device will not be registered;
>> in this case, do not run qxl_drm_release()
> 
> How do you trigger this?
> 

This can be triggered by changing the QXL VGA ROM magic value
in the QEMU source code ./hw/display/qxl.c, or by changing
QXL_ROM_MAGIC in the spice header file.

- Tong

> take care,
>  Gerd
> 



Re: [PATCH v2] drm/qxl: do not run release if qxl failed to init

2021-02-04 Thread Gerd Hoffmann
On Thu, Feb 04, 2021 at 11:30:50AM -0500, Tong Zhang wrote:
> if qxl_device_init() fails, the drm device will not be registered;
> in this case, do not run qxl_drm_release()

How do you trigger this?

take care,
  Gerd



[PATCH v2] drm/qxl: do not run release if qxl failed to init

2021-02-04 Thread Tong Zhang
if qxl_device_init() fails, the drm device will not be registered;
in this case, do not run qxl_drm_release()

[5.258534] 
==
[5.258931] BUG: KASAN: user-memory-access in 
qxl_destroy_monitors_object+0x42/0xa0 [qxl]
[5.259388] Write of size 8 at addr 14dc by task modprobe/95
[5.259754]
[5.259842] CPU: 0 PID: 95 Comm: modprobe Not tainted 
5.11.0-rc6-7-g88bb507a74ea #62
[5.260309] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 
rel-1.13.0-48-gd9c812dda54
[5.260917] Call Trace:
[5.261056]  dump_stack+0x7d/0xa3
[5.261245]  kasan_report.cold+0x10c/0x10e
[5.261475]  ? qxl_destroy_monitors_object+0x42/0xa0 [qxl]
[5.261789]  check_memory_region+0x17c/0x1e0
[5.262029]  qxl_destroy_monitors_object+0x42/0xa0 [qxl]
[5.262332]  qxl_modeset_fini+0x9/0x20 [qxl]
[5.262595]  qxl_drm_release+0x22/0x30 [qxl]
[5.262841]  drm_dev_release+0x32/0x50
[5.263047]  release_nodes+0x39e/0x410
[5.263253]  ? devres_release+0x40/0x40
[5.263462]  really_probe+0x2ea/0x420
[5.263664]  driver_probe_device+0x6d/0xd0
[5.263888]  device_driver_attach+0x82/0x90
[5.264116]  ? device_driver_attach+0x90/0x90
[5.264353]  __driver_attach+0x60/0x100
[5.264563]  ? device_driver_attach+0x90/0x90
[5.264801]  bus_for_each_dev+0xe1/0x140
[5.265014]  ? subsys_dev_iter_exit+0x10/0x10
[5.265251]  ? klist_node_init+0x61/0x80
[5.265464]  bus_add_driver+0x254/0x2a0
[5.265673]  driver_register+0xd3/0x150
[5.265882]  ? 0xc0048000
[5.266064]  do_one_initcall+0x84/0x250
[5.266274]  ? trace_event_raw_event_initcall_finish+0x150/0x150
[5.266596]  ? unpoison_range+0xf/0x30
[5.266801]  ? kasan_kmalloc.constprop.0+0x84/0xa0
[5.267082]  ? unpoison_range+0xf/0x30
[5.267287]  ? unpoison_range+0xf/0x30
[5.267491]  do_init_module+0xf8/0x350
[5.267697]  load_module+0x3fe6/0x4340
[5.267902]  ? vm_unmap_ram+0x1d0/0x1d0
[5.268115]  ? module_frob_arch_sections+0x20/0x20
[5.268375]  ? __do_sys_finit_module+0x108/0x170
[5.268624]  __do_sys_finit_module+0x108/0x170
[5.268865]  ? __ia32_sys_init_module+0x40/0x40
[5.269111]  ? file_open_root+0x200/0x200
[5.269330]  ? do_sys_open+0x85/0xe0
[5.269527]  ? filp_open+0x50/0x50
[5.269714]  ? exit_to_user_mode_prepare+0xfc/0x130
[5.269978]  do_syscall_64+0x33/0x40
[5.270176]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[5.270450] RIP: 0033:0x7fa3f685bcf7
[5.270646] Code: 48 89 57 30 48 8b 04 24 48 89 47 38 e9 1d a0 02 00 48 89 
f8 48 89 f7 48 89 d1
[5.271634] RSP: 002b:7ffca83048d8 EFLAGS: 0246 ORIG_RAX: 
0139
[5.272037] RAX: ffda RBX: 01e94a70 RCX: 7fa3f685bcf7
[5.272416] RDX:  RSI: 01e939e0 RDI: 0003
[5.272794] RBP: 0003 R08:  R09: 0001
[5.273171] R10: 7fa3f68bf300 R11: 0246 R12: 01e939e0
[5.273550] R13:  R14: 01e93bd0 R15: 0001
[5.273928] 
==

Signed-off-by: Tong Zhang 
---
v2: use qdev->ddev.mode_config.funcs instead of dev->registered, since
mode_config.funcs will only be set if qxl_modeset_init() returns 0

 drivers/gpu/drm/qxl/qxl_drv.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/gpu/drm/qxl/qxl_drv.c b/drivers/gpu/drm/qxl/qxl_drv.c
index 6e7f16f4cec7..839d9e7a5765 100644
--- a/drivers/gpu/drm/qxl/qxl_drv.c
+++ b/drivers/gpu/drm/qxl/qxl_drv.c
@@ -144,6 +144,8 @@ static void qxl_drm_release(struct drm_device *dev)
 * reodering qxl_modeset_fini() + qxl_device_fini() calls is
 * non-trivial though.
 */
+   if (!qdev->ddev.mode_config.funcs)
+ return;
qxl_modeset_fini(qdev);
qxl_device_fini(qdev);
 }
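Review bot: the early return at `if (!qdev->ddev.mode_config.funcs) return;` skips qxl_device_fini(qdev) as well as qxl_modeset_fini(qdev), so in the case where qxl_device_init() succeeded and only qxl_modeset_init() failed, the device-level teardown no longer runs from the release callback; either the probe error path already performs that cleanup (which the commit message should then say), or the guard should wrap only the qxl_modeset_fini(qdev) call. The reason mode_config.funcs is a safe sentinel (it is set only when qxl_modeset_init() returns 0) currently lives only in the v2 changelog below `---`; a one-line comment next to the check would keep it with the code, especially since the comment immediately above already warns that the fini ordering here is non-trivial.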
-- 
2.25.1