subject:"Re\: \[BUG\] drm\: vc4\: refcount_t\: increment on 0; use\-after\-free."

RE: [BUG] drm: vc4: refcount_t: increment on 0; use-after-free.

2017-11-28 Thread Reshetova, Elena

Hi and sorry for the delayed reply!

 
> Hi Kees,
> 
> On Sat, 25 Nov 2017 12:57:04 -0800
> Kees Cook  wrote:
> 
> > On Wed, Nov 22, 2017 at 11:57 PM, Daniel Vetter  wrote:
> > > On Wed, Nov 22, 2017 at 07:21:00PM +0100, Boris Brezillon wrote:
> > >> On Wed, 22 Nov 2017 19:13:09 +0100
> > >> Daniel Vetter  wrote:
> > >>
> > >> > On Wed, Nov 22, 2017 at 6:51 PM, Boris Brezillon
> > >> >  wrote:
> > >> > > Hi Stefan,
> > >> > >
> > >> > > On Wed, 22 Nov 2017 17:43:35 +0100 (CET)
> > >> > > Stefan Wahren  wrote:
> > >> > >
> > >> > >> Hi Boris,
> > >> > >> if i boot Raspberry Pi 3 (ARM64, defconfig, linux-next-20171122) 
> > >> > >> with
> sufficient CMA memory (32 MB), i'll get this warning during boot:
> > >> > >>
> > >> > >> [7.623510] vc4-drm soc:gpu: bound 3f902000.hdmi (ops 
> > >> > >> vc4_hdmi_ops
> [vc4])
> > >> > >> [7.632453] vc4-drm soc:gpu: bound 3f806000.vec (ops vc4_vec_ops
> [vc4])
> > >> > >> [7.639707] vc4-drm soc:gpu: bound 3f40.hvs (ops vc4_hvs_ops
> [vc4])
> > >> > >> [7.647364] vc4-drm soc:gpu: bound 3f206000.pixelvalve (ops
> vc4_crtc_ops [vc4])
> > >> > >> [7.655451] vc4-drm soc:gpu: bound 3f207000.pixelvalve (ops
> vc4_crtc_ops [vc4])
> > >> > >> [7.663415] vc4-drm soc:gpu: bound 3f807000.pixelvalve (ops
> vc4_crtc_ops [vc4])
> > >> > >> [7.730580] vc4-drm soc:gpu: bound 3fc0.v3d (ops vc4_v3d_ops
> [vc4])
> > >> > >> [7.743965] [drm] Initialized vc4 0.0.0 20140616 for soc:gpu on 
> > >> > >> minor 0
> > >> > >> [7.750841] [drm] Supports vblank timestamp caching Rev 2 
> > >> > >> (21.10.2013).
> > >> > >> [7.757620] [drm] Driver supports precise vblank timestamp query.
> > >> > >> [7.811775] [ cut here ]
> > >> > >> [7.811780] refcount_t: increment on 0; use-after-free.
> > >> > >> [7.811881] WARNING: CPU: 2 PID: 2188 at lib/refcount.c:153
> refcount_inc+0x44/0x50
> > >> > >> [7.811884] Modules linked in: vc4(+) cfg80211 cec drm_kms_helper
> smsc95xx usbnet drm rfkill brcmutil bcm2835_rng rng_core bcm2835_dma crc32_ce
> i2c_bcm2835 pwm_bcm2835 ip_tables x_tables ipv6
> > >> > >> [7.811950] CPU: 2 PID: 2188 Comm: systemd-udevd Not tainted 
> > >> > >> 4.14.0-
> next-20171122 #1
> > >> > >> [7.811953] Hardware name: Raspberry Pi 3 Model B Rev 1.2 (DT)
> > >> > >> [7.811958] task: 800036b91c00 task.stack: 0d6f
> > >> > >> [7.811967] pstate: 2005 (nzCv daif -PAN -UAO)
> > >> > >> [7.811974] pc : refcount_inc+0x44/0x50
> > >> > >> [7.811981] lr : refcount_inc+0x44/0x50
> > >> > >> [7.811984] sp : 0d6f3300
> > >> > >> [7.811988] x29: 0d6f3300 x28: 
> > >> > >> [7.811996] x27: 0003 x26: 800037107800
> > >> > >> [7.812004] x25: 0001 x24: 800035afdc00
> > >> > >> [7.812012] x23:  x22: 800035dfa600
> > >> > >> [7.812020] x21: 800035afd9b0 x20: 800035afd9a4
> > >> > >> [7.812027] x19:  x18: 
> > >> > >> [7.812034] x17: 0001 x16: 0019
> > >> > >> [7.812042] x15: 0001 x14: fff0
> > >> > >> [7.812049] x13: 090ae840 x12: 08fa2d50
> > >> > >> [7.812057] x11: 08fa2000 x10: 090ad000
> > >> > >> [7.812064] x9 :  x8 : 090b5c2f
> > >> > >> [7.812072] x7 :  x6 : 0015ee00
> > >> > >> [7.812079] x5 :  x4 : 
> > >> > >> [7.812087] x3 :  x2 : 800030047000
> > >> > >> [7.812094] x1 : 800036b91c00 x0 : 002b
> > >> > >> [7.812102] Call trace:
> > >> > >> [7.812109]  refcount_inc+0x44/0x50
> > >> > >> [7.812226]  vc4_bo_inc_usecnt+0x84/0x88 [vc4]
> > >> > >> [7.812310]  vc4_prepare_fb+0x40/0xf0 [vc4]
> > >> > >> [7.812460]  drm_atomic_helper_prepare_planes+0x54/0xf0
> [drm_kms_helper]
> > >> > >> [7.812543]  vc4_atomic_commit+0x88/0x130 [vc4]
> > >> > >> [7.812868]  drm_atomic_commit+0x48/0x68 [drm]
> > >> > >> [7.813002]  restore_fbdev_mode_atomic+0x1d8/0x1e8
> [drm_kms_helper]
> > >> > >> [7.813113]  restore_fbdev_mode+0x28/0x160 [drm_kms_helper]
> > >> > >> [7.813223]
> drm_fb_helper_restore_fbdev_mode_unlocked.part.24+0x28/0x90
> [drm_kms_helper]
> > >> > >> [7.813331]  drm_fb_helper_set_par+0x54/0xa8 [drm_kms_helper]
> > >> > >> [7.813346]  fbcon_init+0x4e8/0x538
> > >> > >> [7.813357]  visual_init+0xb4/0x108
> > >> > >> [7.813366]  do_bind_con_driver+0x1b8/0x3a0
> > >> > >> [7.813373]  do_take_over_console+0x150/0x1d0
> > >> > >> [7.813380]  do_fbcon_takeover+0x6c/0xf0
> > >> > >> [7.813387]  fbcon_event_notify+0x8fc/0x928
> > >> > >> [7.813399]  notifier_call_chain+0x50/0x90
> > >> > >> [7.813406]

Re: [BUG] drm: vc4: refcount_t: increment on 0; use-after-free.

2017-11-27 Thread Kees Cook

On Wed, Nov 22, 2017 at 11:57 PM, Daniel Vetter  wrote:
> On Wed, Nov 22, 2017 at 07:21:00PM +0100, Boris Brezillon wrote:
>> On Wed, 22 Nov 2017 19:13:09 +0100
>> Daniel Vetter  wrote:
>>
>> > On Wed, Nov 22, 2017 at 6:51 PM, Boris Brezillon
>> >  wrote:
>> > > Hi Stefan,
>> > >
>> > > On Wed, 22 Nov 2017 17:43:35 +0100 (CET)
>> > > Stefan Wahren  wrote:
>> > >
>> > >> Hi Boris,
>> > >> if i boot Raspberry Pi 3 (ARM64, defconfig, linux-next-20171122) with 
>> > >> sufficient CMA memory (32 MB), i'll get this warning during boot:
>> > >>
>> > >> [7.623510] vc4-drm soc:gpu: bound 3f902000.hdmi (ops vc4_hdmi_ops 
>> > >> [vc4])
>> > >> [7.632453] vc4-drm soc:gpu: bound 3f806000.vec (ops vc4_vec_ops 
>> > >> [vc4])
>> > >> [7.639707] vc4-drm soc:gpu: bound 3f40.hvs (ops vc4_hvs_ops 
>> > >> [vc4])
>> > >> [7.647364] vc4-drm soc:gpu: bound 3f206000.pixelvalve (ops 
>> > >> vc4_crtc_ops [vc4])
>> > >> [7.655451] vc4-drm soc:gpu: bound 3f207000.pixelvalve (ops 
>> > >> vc4_crtc_ops [vc4])
>> > >> [7.663415] vc4-drm soc:gpu: bound 3f807000.pixelvalve (ops 
>> > >> vc4_crtc_ops [vc4])
>> > >> [7.730580] vc4-drm soc:gpu: bound 3fc0.v3d (ops vc4_v3d_ops 
>> > >> [vc4])
>> > >> [7.743965] [drm] Initialized vc4 0.0.0 20140616 for soc:gpu on 
>> > >> minor 0
>> > >> [7.750841] [drm] Supports vblank timestamp caching Rev 2 
>> > >> (21.10.2013).
>> > >> [7.757620] [drm] Driver supports precise vblank timestamp query.
>> > >> [7.811775] [ cut here ]
>> > >> [7.811780] refcount_t: increment on 0; use-after-free.
>> > >> [7.811881] WARNING: CPU: 2 PID: 2188 at lib/refcount.c:153 
>> > >> refcount_inc+0x44/0x50
>> > >> [7.811884] Modules linked in: vc4(+) cfg80211 cec drm_kms_helper 
>> > >> smsc95xx usbnet drm rfkill brcmutil bcm2835_rng rng_core bcm2835_dma 
>> > >> crc32_ce i2c_bcm2835 pwm_bcm2835 ip_tables x_tables ipv6
>> > >> [7.811950] CPU: 2 PID: 2188 Comm: systemd-udevd Not tainted 
>> > >> 4.14.0-next-20171122 #1
>> > >> [7.811953] Hardware name: Raspberry Pi 3 Model B Rev 1.2 (DT)
>> > >> [7.811958] task: 800036b91c00 task.stack: 0d6f
>> > >> [7.811967] pstate: 2005 (nzCv daif -PAN -UAO)
>> > >> [7.811974] pc : refcount_inc+0x44/0x50
>> > >> [7.811981] lr : refcount_inc+0x44/0x50
>> > >> [7.811984] sp : 0d6f3300
>> > >> [7.811988] x29: 0d6f3300 x28: 
>> > >> [7.811996] x27: 0003 x26: 800037107800
>> > >> [7.812004] x25: 0001 x24: 800035afdc00
>> > >> [7.812012] x23:  x22: 800035dfa600
>> > >> [7.812020] x21: 800035afd9b0 x20: 800035afd9a4
>> > >> [7.812027] x19:  x18: 
>> > >> [7.812034] x17: 0001 x16: 0019
>> > >> [7.812042] x15: 0001 x14: fff0
>> > >> [7.812049] x13: 090ae840 x12: 08fa2d50
>> > >> [7.812057] x11: 08fa2000 x10: 090ad000
>> > >> [7.812064] x9 :  x8 : 090b5c2f
>> > >> [7.812072] x7 :  x6 : 0015ee00
>> > >> [7.812079] x5 :  x4 : 
>> > >> [7.812087] x3 :  x2 : 800030047000
>> > >> [7.812094] x1 : 800036b91c00 x0 : 002b
>> > >> [7.812102] Call trace:
>> > >> [7.812109]  refcount_inc+0x44/0x50
>> > >> [7.812226]  vc4_bo_inc_usecnt+0x84/0x88 [vc4]
>> > >> [7.812310]  vc4_prepare_fb+0x40/0xf0 [vc4]
>> > >> [7.812460]  drm_atomic_helper_prepare_planes+0x54/0xf0 
>> > >> [drm_kms_helper]
>> > >> [7.812543]  vc4_atomic_commit+0x88/0x130 [vc4]
>> > >> [7.812868]  drm_atomic_commit+0x48/0x68 [drm]
>> > >> [7.813002]  restore_fbdev_mode_atomic+0x1d8/0x1e8 [drm_kms_helper]
>> > >> [7.813113]  restore_fbdev_mode+0x28/0x160 [drm_kms_helper]
>> > >> [7.813223]  
>> > >> drm_fb_helper_restore_fbdev_mode_unlocked.part.24+0x28/0x90 
>> > >> [drm_kms_helper]
>> > >> [7.813331]  drm_fb_helper_set_par+0x54/0xa8 [drm_kms_helper]
>> > >> [7.813346]  fbcon_init+0x4e8/0x538
>> > >> [7.813357]  visual_init+0xb4/0x108
>> > >> [7.813366]  do_bind_con_driver+0x1b8/0x3a0
>> > >> [7.813373]  do_take_over_console+0x150/0x1d0
>> > >> [7.813380]  do_fbcon_takeover+0x6c/0xf0
>> > >> [7.813387]  fbcon_event_notify+0x8fc/0x928
>> > >> [7.813399]  notifier_call_chain+0x50/0x90
>> > >> [7.813406]  __blocking_notifier_call_chain+0x4c/0x90
>> > >> [7.813413]  blocking_notifier_call_chain+0x14/0x20
>> > >> [7.813420]  fb_notifier_call_chain+0x1c/0x28
>> > >> [7.813426]  register_framebuffer+0x1d0/0x2d8
>> > >> [7.813533]  __drm_fb_helper_initial_config_and_unlock+0x1e8/0x350 
>> > >> [drm_kms_helper]
>> > >> [7.813639]

Re: [BUG] drm: vc4: refcount_t: increment on 0; use-after-free.

2017-11-26 Thread Eric Anholt

Boris Brezillon  writes:

> Hi Kees,
>
> On Sat, 25 Nov 2017 12:57:04 -0800
> Kees Cook  wrote:
>
>> On Wed, Nov 22, 2017 at 11:57 PM, Daniel Vetter  wrote:
>> > On Wed, Nov 22, 2017 at 07:21:00PM +0100, Boris Brezillon wrote:  
>> >> On Wed, 22 Nov 2017 19:13:09 +0100
>> >> Daniel Vetter  wrote:
>> >>  
>> >> > On Wed, Nov 22, 2017 at 6:51 PM, Boris Brezillon
>> >> >  wrote:  
>> >> > > Hi Stefan,
>> >> > >
>> >> > > On Wed, 22 Nov 2017 17:43:35 +0100 (CET)
>> >> > > Stefan Wahren  wrote:
>> >> > >  
>> >> > >> Hi Boris,
>> >> > >> if i boot Raspberry Pi 3 (ARM64, defconfig, linux-next-20171122) 
>> >> > >> with sufficient CMA memory (32 MB), i'll get this warning during 
>> >> > >> boot:
>> >> > >>
>> >> > >> [7.623510] vc4-drm soc:gpu: bound 3f902000.hdmi (ops 
>> >> > >> vc4_hdmi_ops [vc4])
>> >> > >> [7.632453] vc4-drm soc:gpu: bound 3f806000.vec (ops vc4_vec_ops 
>> >> > >> [vc4])
>> >> > >> [7.639707] vc4-drm soc:gpu: bound 3f40.hvs (ops vc4_hvs_ops 
>> >> > >> [vc4])
>> >> > >> [7.647364] vc4-drm soc:gpu: bound 3f206000.pixelvalve (ops 
>> >> > >> vc4_crtc_ops [vc4])
>> >> > >> [7.655451] vc4-drm soc:gpu: bound 3f207000.pixelvalve (ops 
>> >> > >> vc4_crtc_ops [vc4])
>> >> > >> [7.663415] vc4-drm soc:gpu: bound 3f807000.pixelvalve (ops 
>> >> > >> vc4_crtc_ops [vc4])
>> >> > >> [7.730580] vc4-drm soc:gpu: bound 3fc0.v3d (ops vc4_v3d_ops 
>> >> > >> [vc4])
>> >> > >> [7.743965] [drm] Initialized vc4 0.0.0 20140616 for soc:gpu on 
>> >> > >> minor 0
>> >> > >> [7.750841] [drm] Supports vblank timestamp caching Rev 2 
>> >> > >> (21.10.2013).
>> >> > >> [7.757620] [drm] Driver supports precise vblank timestamp query.
>> >> > >> [7.811775] [ cut here ]
>> >> > >> [7.811780] refcount_t: increment on 0; use-after-free.
>> >> > >> [7.811881] WARNING: CPU: 2 PID: 2188 at lib/refcount.c:153 
>> >> > >> refcount_inc+0x44/0x50
>> >> > >> [7.811884] Modules linked in: vc4(+) cfg80211 cec drm_kms_helper 
>> >> > >> smsc95xx usbnet drm rfkill brcmutil bcm2835_rng rng_core bcm2835_dma 
>> >> > >> crc32_ce i2c_bcm2835 pwm_bcm2835 ip_tables x_tables ipv6
>> >> > >> [7.811950] CPU: 2 PID: 2188 Comm: systemd-udevd Not tainted 
>> >> > >> 4.14.0-next-20171122 #1
>> >> > >> [7.811953] Hardware name: Raspberry Pi 3 Model B Rev 1.2 (DT)
>> >> > >> [7.811958] task: 800036b91c00 task.stack: 0d6f
>> >> > >> [7.811967] pstate: 2005 (nzCv daif -PAN -UAO)
>> >> > >> [7.811974] pc : refcount_inc+0x44/0x50
>> >> > >> [7.811981] lr : refcount_inc+0x44/0x50
>> >> > >> [7.811984] sp : 0d6f3300
>> >> > >> [7.811988] x29: 0d6f3300 x28: 
>> >> > >> [7.811996] x27: 0003 x26: 800037107800
>> >> > >> [7.812004] x25: 0001 x24: 800035afdc00
>> >> > >> [7.812012] x23:  x22: 800035dfa600
>> >> > >> [7.812020] x21: 800035afd9b0 x20: 800035afd9a4
>> >> > >> [7.812027] x19:  x18: 
>> >> > >> [7.812034] x17: 0001 x16: 0019
>> >> > >> [7.812042] x15: 0001 x14: fff0
>> >> > >> [7.812049] x13: 090ae840 x12: 08fa2d50
>> >> > >> [7.812057] x11: 08fa2000 x10: 090ad000
>> >> > >> [7.812064] x9 :  x8 : 090b5c2f
>> >> > >> [7.812072] x7 :  x6 : 0015ee00
>> >> > >> [7.812079] x5 :  x4 : 
>> >> > >> [7.812087] x3 :  x2 : 800030047000
>> >> > >> [7.812094] x1 : 800036b91c00 x0 : 002b
>> >> > >> [7.812102] Call trace:
>> >> > >> [7.812109]  refcount_inc+0x44/0x50
>> >> > >> [7.812226]  vc4_bo_inc_usecnt+0x84/0x88 [vc4]
>> >> > >> [7.812310]  vc4_prepare_fb+0x40/0xf0 [vc4]
>> >> > >> [7.812460]  drm_atomic_helper_prepare_planes+0x54/0xf0 
>> >> > >> [drm_kms_helper]
>> >> > >> [7.812543]  vc4_atomic_commit+0x88/0x130 [vc4]
>> >> > >> [7.812868]  drm_atomic_commit+0x48/0x68 [drm]
>> >> > >> [7.813002]  restore_fbdev_mode_atomic+0x1d8/0x1e8 
>> >> > >> [drm_kms_helper]
>> >> > >> [7.813113]  restore_fbdev_mode+0x28/0x160 [drm_kms_helper]
>> >> > >> [7.813223]  
>> >> > >> drm_fb_helper_restore_fbdev_mode_unlocked.part.24+0x28/0x90 
>> >> > >> [drm_kms_helper]
>> >> > >> [7.813331]  drm_fb_helper_set_par+0x54/0xa8 [drm_kms_helper]
>> >> > >> [7.813346]  fbcon_init+0x4e8/0x538
>> >> > >> [7.813357]  visual_init+0xb4/0x108
>> >> > >> [7.813366]  do_bind_con_driver+0x1b8/0x3a0
>> >> > >> [7.813373]  do_take_over_console+0x150/0x1d0
>> >> > >> [7.813380]  do_fbcon_takeover+0x6c/0xf0
>> >> > >> [7.813387]  fbcon_event_notify+0x8fc/0x928
>> >>

Re: [BUG] drm: vc4: refcount_t: increment on 0; use-after-free.

2017-11-26 Thread Boris Brezillon

Hi Kees,

On Sat, 25 Nov 2017 12:57:04 -0800
Kees Cook  wrote:

> On Wed, Nov 22, 2017 at 11:57 PM, Daniel Vetter  wrote:
> > On Wed, Nov 22, 2017 at 07:21:00PM +0100, Boris Brezillon wrote:  
> >> On Wed, 22 Nov 2017 19:13:09 +0100
> >> Daniel Vetter  wrote:
> >>  
> >> > On Wed, Nov 22, 2017 at 6:51 PM, Boris Brezillon
> >> >  wrote:  
> >> > > Hi Stefan,
> >> > >
> >> > > On Wed, 22 Nov 2017 17:43:35 +0100 (CET)
> >> > > Stefan Wahren  wrote:
> >> > >  
> >> > >> Hi Boris,
> >> > >> if i boot Raspberry Pi 3 (ARM64, defconfig, linux-next-20171122) with 
> >> > >> sufficient CMA memory (32 MB), i'll get this warning during boot:
> >> > >>
> >> > >> [7.623510] vc4-drm soc:gpu: bound 3f902000.hdmi (ops vc4_hdmi_ops 
> >> > >> [vc4])
> >> > >> [7.632453] vc4-drm soc:gpu: bound 3f806000.vec (ops vc4_vec_ops 
> >> > >> [vc4])
> >> > >> [7.639707] vc4-drm soc:gpu: bound 3f40.hvs (ops vc4_hvs_ops 
> >> > >> [vc4])
> >> > >> [7.647364] vc4-drm soc:gpu: bound 3f206000.pixelvalve (ops 
> >> > >> vc4_crtc_ops [vc4])
> >> > >> [7.655451] vc4-drm soc:gpu: bound 3f207000.pixelvalve (ops 
> >> > >> vc4_crtc_ops [vc4])
> >> > >> [7.663415] vc4-drm soc:gpu: bound 3f807000.pixelvalve (ops 
> >> > >> vc4_crtc_ops [vc4])
> >> > >> [7.730580] vc4-drm soc:gpu: bound 3fc0.v3d (ops vc4_v3d_ops 
> >> > >> [vc4])
> >> > >> [7.743965] [drm] Initialized vc4 0.0.0 20140616 for soc:gpu on 
> >> > >> minor 0
> >> > >> [7.750841] [drm] Supports vblank timestamp caching Rev 2 
> >> > >> (21.10.2013).
> >> > >> [7.757620] [drm] Driver supports precise vblank timestamp query.
> >> > >> [7.811775] [ cut here ]
> >> > >> [7.811780] refcount_t: increment on 0; use-after-free.
> >> > >> [7.811881] WARNING: CPU: 2 PID: 2188 at lib/refcount.c:153 
> >> > >> refcount_inc+0x44/0x50
> >> > >> [7.811884] Modules linked in: vc4(+) cfg80211 cec drm_kms_helper 
> >> > >> smsc95xx usbnet drm rfkill brcmutil bcm2835_rng rng_core bcm2835_dma 
> >> > >> crc32_ce i2c_bcm2835 pwm_bcm2835 ip_tables x_tables ipv6
> >> > >> [7.811950] CPU: 2 PID: 2188 Comm: systemd-udevd Not tainted 
> >> > >> 4.14.0-next-20171122 #1
> >> > >> [7.811953] Hardware name: Raspberry Pi 3 Model B Rev 1.2 (DT)
> >> > >> [7.811958] task: 800036b91c00 task.stack: 0d6f
> >> > >> [7.811967] pstate: 2005 (nzCv daif -PAN -UAO)
> >> > >> [7.811974] pc : refcount_inc+0x44/0x50
> >> > >> [7.811981] lr : refcount_inc+0x44/0x50
> >> > >> [7.811984] sp : 0d6f3300
> >> > >> [7.811988] x29: 0d6f3300 x28: 
> >> > >> [7.811996] x27: 0003 x26: 800037107800
> >> > >> [7.812004] x25: 0001 x24: 800035afdc00
> >> > >> [7.812012] x23:  x22: 800035dfa600
> >> > >> [7.812020] x21: 800035afd9b0 x20: 800035afd9a4
> >> > >> [7.812027] x19:  x18: 
> >> > >> [7.812034] x17: 0001 x16: 0019
> >> > >> [7.812042] x15: 0001 x14: fff0
> >> > >> [7.812049] x13: 090ae840 x12: 08fa2d50
> >> > >> [7.812057] x11: 08fa2000 x10: 090ad000
> >> > >> [7.812064] x9 :  x8 : 090b5c2f
> >> > >> [7.812072] x7 :  x6 : 0015ee00
> >> > >> [7.812079] x5 :  x4 : 
> >> > >> [7.812087] x3 :  x2 : 800030047000
> >> > >> [7.812094] x1 : 800036b91c00 x0 : 002b
> >> > >> [7.812102] Call trace:
> >> > >> [7.812109]  refcount_inc+0x44/0x50
> >> > >> [7.812226]  vc4_bo_inc_usecnt+0x84/0x88 [vc4]
> >> > >> [7.812310]  vc4_prepare_fb+0x40/0xf0 [vc4]
> >> > >> [7.812460]  drm_atomic_helper_prepare_planes+0x54/0xf0 
> >> > >> [drm_kms_helper]
> >> > >> [7.812543]  vc4_atomic_commit+0x88/0x130 [vc4]
> >> > >> [7.812868]  drm_atomic_commit+0x48/0x68 [drm]
> >> > >> [7.813002]  restore_fbdev_mode_atomic+0x1d8/0x1e8 [drm_kms_helper]
> >> > >> [7.813113]  restore_fbdev_mode+0x28/0x160 [drm_kms_helper]
> >> > >> [7.813223]  
> >> > >> drm_fb_helper_restore_fbdev_mode_unlocked.part.24+0x28/0x90 
> >> > >> [drm_kms_helper]
> >> > >> [7.813331]  drm_fb_helper_set_par+0x54/0xa8 [drm_kms_helper]
> >> > >> [7.813346]  fbcon_init+0x4e8/0x538
> >> > >> [7.813357]  visual_init+0xb4/0x108
> >> > >> [7.813366]  do_bind_con_driver+0x1b8/0x3a0
> >> > >> [7.813373]  do_take_over_console+0x150/0x1d0
> >> > >> [7.813380]  do_fbcon_takeover+0x6c/0xf0
> >> > >> [7.813387]  fbcon_event_notify+0x8fc/0x928
> >> > >> [7.813399]  notifier_call_chain+0x50/0x90
> >> > >> [7.813406]  __blocking_notifier_call_chain+0x4c/0x90
> >> > >> [7.813413]

Re: [BUG] drm: vc4: refcount_t: increment on 0; use-after-free.

2017-11-23 Thread Stefan Wahren

Hi Boris,

> Boris Brezillon  hat am 22. November 2017 
> um 18:51 geschrieben:
> 
> 
> Hi Stefan,
> 
> On Wed, 22 Nov 2017 17:43:35 +0100 (CET)
> Stefan Wahren  wrote:
> ...
> 
> Looks like I didn't test this code with CONFIG_REFCOUNT_FULL enabled :-/.
> 
> Anyway, can you try to apply the following diff and let me know if it
> fixes the problem?

yes, this fixes the problem.

> 
> Thanks,
> 
> Boris
> 
> --->8---
> diff --git a/drivers/gpu/drm/vc4/vc4_bo.c b/drivers/gpu/drm/vc4/vc4_bo.c
> index 4ae45d7dac42..2decc8e2c79f 100644
> --- a/drivers/gpu/drm/vc4/vc4_bo.c
> +++ b/drivers/gpu/drm/vc4/vc4_bo.c
> @@ -637,7 +637,8 @@ int vc4_bo_inc_usecnt(struct vc4_bo *bo)
> mutex_lock(>madv_lock);
> switch (bo->madv) {
> case VC4_MADV_WILLNEED:
> -   refcount_inc(>usecnt);
> +   if (!refcount_inc_not_zero(>usecnt))
> +   refcount_set(>usecnt, 1);
> ret = 0;
> break;
> case VC4_MADV_DONTNEED:
>
___
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel

Re: [BUG] drm: vc4: refcount_t: increment on 0; use-after-free.

2017-11-22 Thread Daniel Vetter

On Wed, Nov 22, 2017 at 07:21:00PM +0100, Boris Brezillon wrote:
> On Wed, 22 Nov 2017 19:13:09 +0100
> Daniel Vetter  wrote:
> 
> > On Wed, Nov 22, 2017 at 6:51 PM, Boris Brezillon
> >  wrote:
> > > Hi Stefan,
> > >
> > > On Wed, 22 Nov 2017 17:43:35 +0100 (CET)
> > > Stefan Wahren  wrote:
> > >  
> > >> Hi Boris,
> > >> if i boot Raspberry Pi 3 (ARM64, defconfig, linux-next-20171122) with 
> > >> sufficient CMA memory (32 MB), i'll get this warning during boot:
> > >>
> > >> [7.623510] vc4-drm soc:gpu: bound 3f902000.hdmi (ops vc4_hdmi_ops 
> > >> [vc4])
> > >> [7.632453] vc4-drm soc:gpu: bound 3f806000.vec (ops vc4_vec_ops 
> > >> [vc4])
> > >> [7.639707] vc4-drm soc:gpu: bound 3f40.hvs (ops vc4_hvs_ops 
> > >> [vc4])
> > >> [7.647364] vc4-drm soc:gpu: bound 3f206000.pixelvalve (ops 
> > >> vc4_crtc_ops [vc4])
> > >> [7.655451] vc4-drm soc:gpu: bound 3f207000.pixelvalve (ops 
> > >> vc4_crtc_ops [vc4])
> > >> [7.663415] vc4-drm soc:gpu: bound 3f807000.pixelvalve (ops 
> > >> vc4_crtc_ops [vc4])
> > >> [7.730580] vc4-drm soc:gpu: bound 3fc0.v3d (ops vc4_v3d_ops 
> > >> [vc4])
> > >> [7.743965] [drm] Initialized vc4 0.0.0 20140616 for soc:gpu on minor > > >> 0
> > >> [7.750841] [drm] Supports vblank timestamp caching Rev 2 
> > >> (21.10.2013).
> > >> [7.757620] [drm] Driver supports precise vblank timestamp query.
> > >> [7.811775] [ cut here ]
> > >> [7.811780] refcount_t: increment on 0; use-after-free.
> > >> [7.811881] WARNING: CPU: 2 PID: 2188 at lib/refcount.c:153 
> > >> refcount_inc+0x44/0x50
> > >> [7.811884] Modules linked in: vc4(+) cfg80211 cec drm_kms_helper 
> > >> smsc95xx usbnet drm rfkill brcmutil bcm2835_rng rng_core bcm2835_dma 
> > >> crc32_ce i2c_bcm2835 pwm_bcm2835 ip_tables x_tables ipv6
> > >> [7.811950] CPU: 2 PID: 2188 Comm: systemd-udevd Not tainted 
> > >> 4.14.0-next-20171122 #1
> > >> [7.811953] Hardware name: Raspberry Pi 3 Model B Rev 1.2 (DT)
> > >> [7.811958] task: 800036b91c00 task.stack: 0d6f
> > >> [7.811967] pstate: 2005 (nzCv daif -PAN -UAO)
> > >> [7.811974] pc : refcount_inc+0x44/0x50
> > >> [7.811981] lr : refcount_inc+0x44/0x50
> > >> [7.811984] sp : 0d6f3300
> > >> [7.811988] x29: 0d6f3300 x28: 
> > >> [7.811996] x27: 0003 x26: 800037107800
> > >> [7.812004] x25: 0001 x24: 800035afdc00
> > >> [7.812012] x23:  x22: 800035dfa600
> > >> [7.812020] x21: 800035afd9b0 x20: 800035afd9a4
> > >> [7.812027] x19:  x18: 
> > >> [7.812034] x17: 0001 x16: 0019
> > >> [7.812042] x15: 0001 x14: fff0
> > >> [7.812049] x13: 090ae840 x12: 08fa2d50
> > >> [7.812057] x11: 08fa2000 x10: 090ad000
> > >> [7.812064] x9 :  x8 : 090b5c2f
> > >> [7.812072] x7 :  x6 : 0015ee00
> > >> [7.812079] x5 :  x4 : 
> > >> [7.812087] x3 :  x2 : 800030047000
> > >> [7.812094] x1 : 800036b91c00 x0 : 002b
> > >> [7.812102] Call trace:
> > >> [7.812109]  refcount_inc+0x44/0x50
> > >> [7.812226]  vc4_bo_inc_usecnt+0x84/0x88 [vc4]
> > >> [7.812310]  vc4_prepare_fb+0x40/0xf0 [vc4]
> > >> [7.812460]  drm_atomic_helper_prepare_planes+0x54/0xf0 
> > >> [drm_kms_helper]
> > >> [7.812543]  vc4_atomic_commit+0x88/0x130 [vc4]
> > >> [7.812868]  drm_atomic_commit+0x48/0x68 [drm]
> > >> [7.813002]  restore_fbdev_mode_atomic+0x1d8/0x1e8 [drm_kms_helper]
> > >> [7.813113]  restore_fbdev_mode+0x28/0x160 [drm_kms_helper]
> > >> [7.813223]  
> > >> drm_fb_helper_restore_fbdev_mode_unlocked.part.24+0x28/0x90 
> > >> [drm_kms_helper]
> > >> [7.813331]  drm_fb_helper_set_par+0x54/0xa8 [drm_kms_helper]
> > >> [7.813346]  fbcon_init+0x4e8/0x538
> > >> [7.813357]  visual_init+0xb4/0x108
> > >> [7.813366]  do_bind_con_driver+0x1b8/0x3a0
> > >> [7.813373]  do_take_over_console+0x150/0x1d0
> > >> [7.813380]  do_fbcon_takeover+0x6c/0xf0
> > >> [7.813387]  fbcon_event_notify+0x8fc/0x928
> > >> [7.813399]  notifier_call_chain+0x50/0x90
> > >> [7.813406]  __blocking_notifier_call_chain+0x4c/0x90
> > >> [7.813413]  blocking_notifier_call_chain+0x14/0x20
> > >> [7.813420]  fb_notifier_call_chain+0x1c/0x28
> > >> [7.813426]  register_framebuffer+0x1d0/0x2d8
> > >> [7.813533]  __drm_fb_helper_initial_config_and_unlock+0x1e8/0x350 
> > >> [drm_kms_helper]
> > >> [7.813639]  drm_fb_helper_initial_config+0x40/0x58 [drm_kms_helper]
> > >> [7.813747]  drm_fbdev_cma_init_with_funcs+0x88/0x158 [drm_kms_helper]
> > >> [7.813855]  drm_fbdev_cma_init+0x14/0x28

Re: [BUG] drm: vc4: refcount_t: increment on 0; use-after-free.

2017-11-22 Thread Boris Brezillon

On Wed, 22 Nov 2017 19:13:09 +0100
Daniel Vetter  wrote:

> On Wed, Nov 22, 2017 at 6:51 PM, Boris Brezillon
>  wrote:
> > Hi Stefan,
> >
> > On Wed, 22 Nov 2017 17:43:35 +0100 (CET)
> > Stefan Wahren  wrote:
> >  
> >> Hi Boris,
> >> if i boot Raspberry Pi 3 (ARM64, defconfig, linux-next-20171122) with 
> >> sufficient CMA memory (32 MB), i'll get this warning during boot:
> >>
> >> [7.623510] vc4-drm soc:gpu: bound 3f902000.hdmi (ops vc4_hdmi_ops 
> >> [vc4])
> >> [7.632453] vc4-drm soc:gpu: bound 3f806000.vec (ops vc4_vec_ops [vc4])
> >> [7.639707] vc4-drm soc:gpu: bound 3f40.hvs (ops vc4_hvs_ops [vc4])
> >> [7.647364] vc4-drm soc:gpu: bound 3f206000.pixelvalve (ops 
> >> vc4_crtc_ops [vc4])
> >> [7.655451] vc4-drm soc:gpu: bound 3f207000.pixelvalve (ops 
> >> vc4_crtc_ops [vc4])
> >> [7.663415] vc4-drm soc:gpu: bound 3f807000.pixelvalve (ops 
> >> vc4_crtc_ops [vc4])
> >> [7.730580] vc4-drm soc:gpu: bound 3fc0.v3d (ops vc4_v3d_ops [vc4])
> >> [7.743965] [drm] Initialized vc4 0.0.0 20140616 for soc:gpu on minor 0
> >> [7.750841] [drm] Supports vblank timestamp caching Rev 2 (21.10.2013).
> >> [7.757620] [drm] Driver supports precise vblank timestamp query.
> >> [7.811775] [ cut here ]
> >> [7.811780] refcount_t: increment on 0; use-after-free.
> >> [7.811881] WARNING: CPU: 2 PID: 2188 at lib/refcount.c:153 
> >> refcount_inc+0x44/0x50
> >> [7.811884] Modules linked in: vc4(+) cfg80211 cec drm_kms_helper 
> >> smsc95xx usbnet drm rfkill brcmutil bcm2835_rng rng_core bcm2835_dma 
> >> crc32_ce i2c_bcm2835 pwm_bcm2835 ip_tables x_tables ipv6
> >> [7.811950] CPU: 2 PID: 2188 Comm: systemd-udevd Not tainted 
> >> 4.14.0-next-20171122 #1
> >> [7.811953] Hardware name: Raspberry Pi 3 Model B Rev 1.2 (DT)
> >> [7.811958] task: 800036b91c00 task.stack: 0d6f
> >> [7.811967] pstate: 2005 (nzCv daif -PAN -UAO)
> >> [7.811974] pc : refcount_inc+0x44/0x50
> >> [7.811981] lr : refcount_inc+0x44/0x50
> >> [7.811984] sp : 0d6f3300
> >> [7.811988] x29: 0d6f3300 x28: 
> >> [7.811996] x27: 0003 x26: 800037107800
> >> [7.812004] x25: 0001 x24: 800035afdc00
> >> [7.812012] x23:  x22: 800035dfa600
> >> [7.812020] x21: 800035afd9b0 x20: 800035afd9a4
> >> [7.812027] x19:  x18: 
> >> [7.812034] x17: 0001 x16: 0019
> >> [7.812042] x15: 0001 x14: fff0
> >> [7.812049] x13: 090ae840 x12: 08fa2d50
> >> [7.812057] x11: 08fa2000 x10: 090ad000
> >> [7.812064] x9 :  x8 : 090b5c2f
> >> [7.812072] x7 :  x6 : 0015ee00
> >> [7.812079] x5 :  x4 : 
> >> [7.812087] x3 :  x2 : 800030047000
> >> [7.812094] x1 : 800036b91c00 x0 : 002b
> >> [7.812102] Call trace:
> >> [7.812109]  refcount_inc+0x44/0x50
> >> [7.812226]  vc4_bo_inc_usecnt+0x84/0x88 [vc4]
> >> [7.812310]  vc4_prepare_fb+0x40/0xf0 [vc4]
> >> [7.812460]  drm_atomic_helper_prepare_planes+0x54/0xf0 [drm_kms_helper]
> >> [7.812543]  vc4_atomic_commit+0x88/0x130 [vc4]
> >> [7.812868]  drm_atomic_commit+0x48/0x68 [drm]
> >> [7.813002]  restore_fbdev_mode_atomic+0x1d8/0x1e8 [drm_kms_helper]
> >> [7.813113]  restore_fbdev_mode+0x28/0x160 [drm_kms_helper]
> >> [7.813223]  
> >> drm_fb_helper_restore_fbdev_mode_unlocked.part.24+0x28/0x90 
> >> [drm_kms_helper]
> >> [7.813331]  drm_fb_helper_set_par+0x54/0xa8 [drm_kms_helper]
> >> [7.813346]  fbcon_init+0x4e8/0x538
> >> [7.813357]  visual_init+0xb4/0x108
> >> [7.813366]  do_bind_con_driver+0x1b8/0x3a0
> >> [7.813373]  do_take_over_console+0x150/0x1d0
> >> [7.813380]  do_fbcon_takeover+0x6c/0xf0
> >> [7.813387]  fbcon_event_notify+0x8fc/0x928
> >> [7.813399]  notifier_call_chain+0x50/0x90
> >> [7.813406]  __blocking_notifier_call_chain+0x4c/0x90
> >> [7.813413]  blocking_notifier_call_chain+0x14/0x20
> >> [7.813420]  fb_notifier_call_chain+0x1c/0x28
> >> [7.813426]  register_framebuffer+0x1d0/0x2d8
> >> [7.813533]  __drm_fb_helper_initial_config_and_unlock+0x1e8/0x350 
> >> [drm_kms_helper]
> >> [7.813639]  drm_fb_helper_initial_config+0x40/0x58 [drm_kms_helper]
> >> [7.813747]  drm_fbdev_cma_init_with_funcs+0x88/0x158 [drm_kms_helper]
> >> [7.813855]  drm_fbdev_cma_init+0x14/0x28 [drm_kms_helper]
> >> [7.813943]  vc4_kms_load+0xa4/0xf0 [vc4]
> >> [7.814026]  vc4_drm_bind+0x100/0x168 [vc4]
> >> [7.814038]  try_to_bring_up_master+0x144/0x1a8
> >> [7.814044]  component_master_add_with_match+0x9c/0xe0
> >> [7.814128]

Re: [BUG] drm: vc4: refcount_t: increment on 0; use-after-free.

2017-11-22 Thread Daniel Vetter

On Wed, Nov 22, 2017 at 6:51 PM, Boris Brezillon
 wrote:
> Hi Stefan,
>
> On Wed, 22 Nov 2017 17:43:35 +0100 (CET)
> Stefan Wahren  wrote:
>
>> Hi Boris,
>> if i boot Raspberry Pi 3 (ARM64, defconfig, linux-next-20171122) with 
>> sufficient CMA memory (32 MB), i'll get this warning during boot:
>>
>> [7.623510] vc4-drm soc:gpu: bound 3f902000.hdmi (ops vc4_hdmi_ops [vc4])
>> [7.632453] vc4-drm soc:gpu: bound 3f806000.vec (ops vc4_vec_ops [vc4])
>> [7.639707] vc4-drm soc:gpu: bound 3f40.hvs (ops vc4_hvs_ops [vc4])
>> [7.647364] vc4-drm soc:gpu: bound 3f206000.pixelvalve (ops vc4_crtc_ops 
>> [vc4])
>> [7.655451] vc4-drm soc:gpu: bound 3f207000.pixelvalve (ops vc4_crtc_ops 
>> [vc4])
>> [7.663415] vc4-drm soc:gpu: bound 3f807000.pixelvalve (ops vc4_crtc_ops 
>> [vc4])
>> [7.730580] vc4-drm soc:gpu: bound 3fc0.v3d (ops vc4_v3d_ops [vc4])
>> [7.743965] [drm] Initialized vc4 0.0.0 20140616 for soc:gpu on minor 0
>> [7.750841] [drm] Supports vblank timestamp caching Rev 2 (21.10.2013).
>> [7.757620] [drm] Driver supports precise vblank timestamp query.
>> [7.811775] [ cut here ]
>> [7.811780] refcount_t: increment on 0; use-after-free.
>> [7.811881] WARNING: CPU: 2 PID: 2188 at lib/refcount.c:153 
>> refcount_inc+0x44/0x50
>> [7.811884] Modules linked in: vc4(+) cfg80211 cec drm_kms_helper 
>> smsc95xx usbnet drm rfkill brcmutil bcm2835_rng rng_core bcm2835_dma 
>> crc32_ce i2c_bcm2835 pwm_bcm2835 ip_tables x_tables ipv6
>> [7.811950] CPU: 2 PID: 2188 Comm: systemd-udevd Not tainted 
>> 4.14.0-next-20171122 #1
>> [7.811953] Hardware name: Raspberry Pi 3 Model B Rev 1.2 (DT)
>> [7.811958] task: 800036b91c00 task.stack: 0d6f
>> [7.811967] pstate: 2005 (nzCv daif -PAN -UAO)
>> [7.811974] pc : refcount_inc+0x44/0x50
>> [7.811981] lr : refcount_inc+0x44/0x50
>> [7.811984] sp : 0d6f3300
>> [7.811988] x29: 0d6f3300 x28: 
>> [7.811996] x27: 0003 x26: 800037107800
>> [7.812004] x25: 0001 x24: 800035afdc00
>> [7.812012] x23:  x22: 800035dfa600
>> [7.812020] x21: 800035afd9b0 x20: 800035afd9a4
>> [7.812027] x19:  x18: 
>> [7.812034] x17: 0001 x16: 0019
>> [7.812042] x15: 0001 x14: fff0
>> [7.812049] x13: 090ae840 x12: 08fa2d50
>> [7.812057] x11: 08fa2000 x10: 090ad000
>> [7.812064] x9 :  x8 : 090b5c2f
>> [7.812072] x7 :  x6 : 0015ee00
>> [7.812079] x5 :  x4 : 
>> [7.812087] x3 :  x2 : 800030047000
>> [7.812094] x1 : 800036b91c00 x0 : 002b
>> [7.812102] Call trace:
>> [7.812109]  refcount_inc+0x44/0x50
>> [7.812226]  vc4_bo_inc_usecnt+0x84/0x88 [vc4]
>> [7.812310]  vc4_prepare_fb+0x40/0xf0 [vc4]
>> [7.812460]  drm_atomic_helper_prepare_planes+0x54/0xf0 [drm_kms_helper]
>> [7.812543]  vc4_atomic_commit+0x88/0x130 [vc4]
>> [7.812868]  drm_atomic_commit+0x48/0x68 [drm]
>> [7.813002]  restore_fbdev_mode_atomic+0x1d8/0x1e8 [drm_kms_helper]
>> [7.813113]  restore_fbdev_mode+0x28/0x160 [drm_kms_helper]
>> [7.813223]  drm_fb_helper_restore_fbdev_mode_unlocked.part.24+0x28/0x90 
>> [drm_kms_helper]
>> [7.813331]  drm_fb_helper_set_par+0x54/0xa8 [drm_kms_helper]
>> [7.813346]  fbcon_init+0x4e8/0x538
>> [7.813357]  visual_init+0xb4/0x108
>> [7.813366]  do_bind_con_driver+0x1b8/0x3a0
>> [7.813373]  do_take_over_console+0x150/0x1d0
>> [7.813380]  do_fbcon_takeover+0x6c/0xf0
>> [7.813387]  fbcon_event_notify+0x8fc/0x928
>> [7.813399]  notifier_call_chain+0x50/0x90
>> [7.813406]  __blocking_notifier_call_chain+0x4c/0x90
>> [7.813413]  blocking_notifier_call_chain+0x14/0x20
>> [7.813420]  fb_notifier_call_chain+0x1c/0x28
>> [7.813426]  register_framebuffer+0x1d0/0x2d8
>> [7.813533]  __drm_fb_helper_initial_config_and_unlock+0x1e8/0x350 
>> [drm_kms_helper]
>> [7.813639]  drm_fb_helper_initial_config+0x40/0x58 [drm_kms_helper]
>> [7.813747]  drm_fbdev_cma_init_with_funcs+0x88/0x158 [drm_kms_helper]
>> [7.813855]  drm_fbdev_cma_init+0x14/0x28 [drm_kms_helper]
>> [7.813943]  vc4_kms_load+0xa4/0xf0 [vc4]
>> [7.814026]  vc4_drm_bind+0x100/0x168 [vc4]
>> [7.814038]  try_to_bring_up_master+0x144/0x1a8
>> [7.814044]  component_master_add_with_match+0x9c/0xe0
>> [7.814128]  vc4_platform_drm_probe+0xb4/0xf0 [vc4]
>> [7.814137]  platform_drv_probe+0x58/0xc0
>> [7.814146]  driver_probe_device+0x224/0x308
>> [7.814153]  __driver_attach+0xac/0xb0
>> [7.814161]  bus_for_each_dev+0x64/0xa0
>> [7.814169]  driver_attach+0x20/0x28
>> [7.814177]

Re: [BUG] drm: vc4: refcount_t: increment on 0; use-after-free.

2017-11-22 Thread Boris Brezillon

Hi Stefan,

On Wed, 22 Nov 2017 17:43:35 +0100 (CET)
Stefan Wahren  wrote:

> Hi Boris,
> if i boot Raspberry Pi 3 (ARM64, defconfig, linux-next-20171122) with 
> sufficient CMA memory (32 MB), i'll get this warning during boot:
> 
> [7.623510] vc4-drm soc:gpu: bound 3f902000.hdmi (ops vc4_hdmi_ops [vc4])
> [7.632453] vc4-drm soc:gpu: bound 3f806000.vec (ops vc4_vec_ops [vc4])
> [7.639707] vc4-drm soc:gpu: bound 3f40.hvs (ops vc4_hvs_ops [vc4])
> [7.647364] vc4-drm soc:gpu: bound 3f206000.pixelvalve (ops vc4_crtc_ops 
> [vc4])
> [7.655451] vc4-drm soc:gpu: bound 3f207000.pixelvalve (ops vc4_crtc_ops 
> [vc4])
> [7.663415] vc4-drm soc:gpu: bound 3f807000.pixelvalve (ops vc4_crtc_ops 
> [vc4])
> [7.730580] vc4-drm soc:gpu: bound 3fc0.v3d (ops vc4_v3d_ops [vc4])
> [7.743965] [drm] Initialized vc4 0.0.0 20140616 for soc:gpu on minor 0
> [7.750841] [drm] Supports vblank timestamp caching Rev 2 (21.10.2013).
> [7.757620] [drm] Driver supports precise vblank timestamp query.
> [7.811775] [ cut here ]
> [7.811780] refcount_t: increment on 0; use-after-free.
> [7.811881] WARNING: CPU: 2 PID: 2188 at lib/refcount.c:153 
> refcount_inc+0x44/0x50
> [7.811884] Modules linked in: vc4(+) cfg80211 cec drm_kms_helper smsc95xx 
> usbnet drm rfkill brcmutil bcm2835_rng rng_core bcm2835_dma crc32_ce 
> i2c_bcm2835 pwm_bcm2835 ip_tables x_tables ipv6
> [7.811950] CPU: 2 PID: 2188 Comm: systemd-udevd Not tainted 
> 4.14.0-next-20171122 #1
> [7.811953] Hardware name: Raspberry Pi 3 Model B Rev 1.2 (DT)
> [7.811958] task: 800036b91c00 task.stack: 0d6f
> [7.811967] pstate: 2005 (nzCv daif -PAN -UAO)
> [7.811974] pc : refcount_inc+0x44/0x50
> [7.811981] lr : refcount_inc+0x44/0x50
> [7.811984] sp : 0d6f3300
> [7.811988] x29: 0d6f3300 x28:  
> [7.811996] x27: 0003 x26: 800037107800 
> [7.812004] x25: 0001 x24: 800035afdc00 
> [7.812012] x23:  x22: 800035dfa600 
> [7.812020] x21: 800035afd9b0 x20: 800035afd9a4 
> [7.812027] x19:  x18:  
> [7.812034] x17: 0001 x16: 0019 
> [7.812042] x15: 0001 x14: fff0 
> [7.812049] x13: 090ae840 x12: 08fa2d50 
> [7.812057] x11: 08fa2000 x10: 090ad000 
> [7.812064] x9 :  x8 : 090b5c2f 
> [7.812072] x7 :  x6 : 0015ee00 
> [7.812079] x5 :  x4 :  
> [7.812087] x3 :  x2 : 800030047000 
> [7.812094] x1 : 800036b91c00 x0 : 002b 
> [7.812102] Call trace:
> [7.812109]  refcount_inc+0x44/0x50
> [7.812226]  vc4_bo_inc_usecnt+0x84/0x88 [vc4]
> [7.812310]  vc4_prepare_fb+0x40/0xf0 [vc4]
> [7.812460]  drm_atomic_helper_prepare_planes+0x54/0xf0 [drm_kms_helper]
> [7.812543]  vc4_atomic_commit+0x88/0x130 [vc4]
> [7.812868]  drm_atomic_commit+0x48/0x68 [drm]
> [7.813002]  restore_fbdev_mode_atomic+0x1d8/0x1e8 [drm_kms_helper]
> [7.813113]  restore_fbdev_mode+0x28/0x160 [drm_kms_helper]
> [7.813223]  drm_fb_helper_restore_fbdev_mode_unlocked.part.24+0x28/0x90 
> [drm_kms_helper]
> [7.813331]  drm_fb_helper_set_par+0x54/0xa8 [drm_kms_helper]
> [7.813346]  fbcon_init+0x4e8/0x538
> [7.813357]  visual_init+0xb4/0x108
> [7.813366]  do_bind_con_driver+0x1b8/0x3a0
> [7.813373]  do_take_over_console+0x150/0x1d0
> [7.813380]  do_fbcon_takeover+0x6c/0xf0
> [7.813387]  fbcon_event_notify+0x8fc/0x928
> [7.813399]  notifier_call_chain+0x50/0x90
> [7.813406]  __blocking_notifier_call_chain+0x4c/0x90
> [7.813413]  blocking_notifier_call_chain+0x14/0x20
> [7.813420]  fb_notifier_call_chain+0x1c/0x28
> [7.813426]  register_framebuffer+0x1d0/0x2d8
> [7.813533]  __drm_fb_helper_initial_config_and_unlock+0x1e8/0x350 
> [drm_kms_helper]
> [7.813639]  drm_fb_helper_initial_config+0x40/0x58 [drm_kms_helper]
> [7.813747]  drm_fbdev_cma_init_with_funcs+0x88/0x158 [drm_kms_helper]
> [7.813855]  drm_fbdev_cma_init+0x14/0x28 [drm_kms_helper]
> [7.813943]  vc4_kms_load+0xa4/0xf0 [vc4]
> [7.814026]  vc4_drm_bind+0x100/0x168 [vc4]
> [7.814038]  try_to_bring_up_master+0x144/0x1a8
> [7.814044]  component_master_add_with_match+0x9c/0xe0
> [7.814128]  vc4_platform_drm_probe+0xb4/0xf0 [vc4]
> [7.814137]  platform_drv_probe+0x58/0xc0
> [7.814146]  driver_probe_device+0x224/0x308
> [7.814153]  __driver_attach+0xac/0xb0
> [7.814161]  bus_for_each_dev+0x64/0xa0
> [7.814169]  driver_attach+0x20/0x28
> [7.814177]  bus_add_driver+0x108/0x228
> [7.814184]  driver_register+0x60/0xf8
> [7.814190]  __platform_driver_register+0x40/0x48
> [7.814274]

RE: [BUG] drm: vc4: refcount_t: increment on 0; use-after-free.

Re: [BUG] drm: vc4: refcount_t: increment on 0; use-after-free.

Re: [BUG] drm: vc4: refcount_t: increment on 0; use-after-free.

Re: [BUG] drm: vc4: refcount_t: increment on 0; use-after-free.

Re: [BUG] drm: vc4: refcount_t: increment on 0; use-after-free.

Re: [BUG] drm: vc4: refcount_t: increment on 0; use-after-free.

Re: [BUG] drm: vc4: refcount_t: increment on 0; use-after-free.

Re: [BUG] drm: vc4: refcount_t: increment on 0; use-after-free.

Re: [BUG] drm: vc4: refcount_t: increment on 0; use-after-free.

9 matches

Site Navigation

Mail list logo

Footer information