[Bug 198221] nouveau DRM driver scheduling invalid work

bugzilla-daemon at bugzilla.kernel.org bugzilla-daemon at bugzilla.kernel.org
Thu Dec 21 04:32:00 UTC 2017


https://bugzilla.kernel.org/show_bug.cgi?id=198221

Petr Vandrovec (petr at vandrovec.name) changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Regression|No                          |Yes

--- Comment #2 from Petr Vandrovec (petr at vandrovec.name) ---
I've built the kernel with the change and given it some time, but I don't think
that it is the culprit.

I think that there is a race in how nouveau handles scheduled work:

The work being scheduled has its func callback set to
nouveau_gem_object_delete_work(), which does its job and then frees the work.

Now nouveau_cli_work_queue sets some work properties, adds the work to the
cli->worker queue, and schedules work->cli->work.

But nouveau_cli_work might run between the moment the work is added to the
cli->worker queue and the moment schedule_work(&work->cli->work) is issued.

In that case the work dereference in nouveau_cli_work_fence will access freed
work memory, read garbage (0x00010000 in this case), add offsetof(cli, work) of
0x1f8, and pass this garbage pointer into schedule_work().

I'm not entirely sure what the expectations for the work are, but perhaps the
work should be added to the cli->worker list from nouveau_cli_work_fence rather
than by nouveau_cli_work_queue.

The regression seems to have been introduced by
814a23243bd2aaa9aafe03d85d0502a73be42b58,
"drm/nouveau: implement per-client delayed workqueue with fence support".

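The interleaving described in the comment above, modelled deterministically. This is an added illustration, not nouveau code and not the patch the reporter had in mind: the names (model_cli, model_work, cli_work_run, queue_publish_then_read, queue_read_then_publish, run_scenario) and the structures behind them are hypothetical stand-ins for the driver's client, per-object work, worker callback and queue routine, and the "worker" is a function pointer called right after the list insert instead of a real second context. Freeing poisons the slot with a constant standing in for the 0x00010000 garbage the report observed, so the stale read is observable rather than undefined behaviour, and the fake schedule_work() only records the address it is handed. The safe variant shows one generic way to close this kind of window (take everything you need from the object before it is published to another context); the reporter's own suggestion, moving the list insert into the fence callback, is a different fix of the same hazard.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the 0x00010000 the report read out of freed memory (assumed). */
#define POISON_WORD 0x00010000u

struct model_cli;

/* Stand-in for a kernel work_struct; model_schedule_work() only records the
 * address it is handed instead of dereferencing it. */
struct model_work_struct { int pending; };

/* Hypothetical per-object delayed work: back pointer to the owning client and
 * a callback that frees the work once it has run, as in the report. */
struct model_work {
    struct model_work *next;
    struct model_cli *cli;
    void (*func)(struct model_work *);
    int freed;
};

struct model_cli {
    struct model_work *worker;       /* pending work list */
    struct model_work_struct work;   /* client-level work that drains the list */
};

/* Hook run right after the item has been published; models the worker
 * getting the CPU between the list insert and schedule_work(). */
typedef void (*interleave_fn)(struct model_cli *);

/* &cli->work computed as integer arithmetic, so a garbage cli still yields a
 * well-defined value to compare against. */
static uintptr_t cli_work_addr(struct model_cli *cli)
{
    return (uintptr_t)cli + offsetof(struct model_cli, work);
}

static uintptr_t model_schedule_work(uintptr_t ws_addr)
{
    return ws_addr;   /* the real one would dereference this */
}

/* One-slot pool whose "free" poisons instead of returning memory to malloc. */
static struct model_work slot;

static struct model_work *work_alloc(void)
{
    slot.next = NULL; slot.cli = NULL; slot.func = NULL; slot.freed = 0;
    return &slot;
}

static void work_free(struct model_work *w)
{
    w->cli = (struct model_cli *)(uintptr_t)POISON_WORD;   /* poison, not free() */
    w->func = NULL;
    w->freed = 1;
}

/* The callback: do the job, then free the work. */
static void delete_work(struct model_work *w) { work_free(w); }

/* Drain the client's list, running each callback (the worker side). */
static void cli_work_run(struct model_cli *cli)
{
    struct model_work *w;
    while ((w = cli->worker) != NULL) {
        cli->worker = w->next;
        w->func(w);
    }
}

static void no_interleave(struct model_cli *cli) { (void)cli; }

/* Racy ordering: publish w, then reach back through w->cli. */
static uintptr_t queue_publish_then_read(struct model_cli *cli, struct model_work *w,
                                         interleave_fn interleave)
{
    w->cli = cli; w->func = delete_work; w->next = cli->worker;
    cli->worker = w;                  /* from here on the worker may free w */
    interleave(cli);
    return model_schedule_work(cli_work_addr(w->cli));   /* stale read */
}

/* Safe ordering: capture the owner before w escapes, never touch w after. */
static uintptr_t queue_read_then_publish(struct model_cli *cli, struct model_work *w,
                                         interleave_fn interleave)
{
    struct model_cli *owner = cli;
    w->cli = cli; w->func = delete_work; w->next = cli->worker;
    cli->worker = w;
    interleave(cli);
    return model_schedule_work(cli_work_addr(owner));
}

struct scenario_result {
    uintptr_t handed_to_schedule;     /* what schedule_work() received */
    uintptr_t correct_target;         /* &cli->work */
    int work_freed_before_schedule;
};

struct scenario_result run_scenario(int safe_ordering, int worker_interleaves)
{
    static struct model_cli cli;
    struct model_work *w = work_alloc();
    interleave_fn hook = worker_interleaves ? cli_work_run : no_interleave;
    struct scenario_result r;

    cli.worker = NULL;
    r.correct_target = cli_work_addr(&cli);
    r.handed_to_schedule = safe_ordering
        ? queue_read_then_publish(&cli, w, hook)
        : queue_publish_then_read(&cli, w, hook);
    r.work_freed_before_schedule = w->freed;
    return r;
}

int main(void)
{
    struct scenario_result r = run_scenario(0, 1);
    printf("publish-then-read, worker interleaves: got %#lx, wanted %#lx\n",
           (unsigned long)r.handed_to_schedule, (unsigned long)r.correct_target);
    r = run_scenario(1, 1);
    printf("read-then-publish, worker interleaves: got %#lx, wanted %#lx\n",
           (unsigned long)r.handed_to_schedule, (unsigned long)r.correct_target);
    return 0;
}
```

With the worker interleaving, the racy ordering hands schedule_work() POISON_WORD plus the offset of the work member, which is exactly the "garbage plus offsetof" shape in the report; the safe ordering hands it the real address even though the work has already been freed, because nothing dereferences the work after the list insert.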