[PATCH 46/48] staging: etnaviv: rewrite submit interface to use copy from user

Russell King - ARM Linux linux at arm.linux.org.uk
Mon Oct 26 13:48:32 PDT 2015


On Fri, Sep 25, 2015 at 01:57:58PM +0200, Lucas Stach wrote:
> +void etnaviv_gpu_cmdbuf_free(struct etnaviv_cmdbuf *cmdbuf)
> +{
> +	dma_free_writecombine(cmdbuf->gpu->dev, cmdbuf->size,
> +			      cmdbuf->vaddr, cmdbuf->paddr);
> +	kfree(cmdbuf);
> +}
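Review bot: etnaviv_gpu_cmdbuf_free() ends in kfree(cmdbuf) with no comment on its precondition, yet the struct carries a gpu_active_list node that the retire_worker hunk walks. A one-line comment above the function stating that the caller must already have unlinked the cmdbuf from any list would make the required ordering explicit at each call site.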
...
> @@ -885,6 +914,14 @@ static void retire_worker(struct work_struct *work)
> +	list_for_each_entry_safe(cmdbuf, tmp, &gpu->active_cmd_list,
> +				 gpu_active_list) {
> +		if (fence_after_eq(fence, cmdbuf->fence)) {
> +			etnaviv_gpu_cmdbuf_free(cmdbuf);
> +			list_del(&cmdbuf->gpu_active_list);
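Review bot: in the retire_worker loop, list_del(&cmdbuf->gpu_active_list) runs after etnaviv_gpu_cmdbuf_free(cmdbuf) has already done kfree(cmdbuf), so the unlink reads and writes the list pointers of a freed object. Swap the two calls so list_del() comes first and the free comes last. list_for_each_entry_safe only protects the iterator's saved next entry in tmp; it does not make the node's own list_head safe to touch after the free.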

I mentioned that I'd left one of my machines on a soak test - with vlc
running with a video clip, but in pause mode.  vlc continues writing
frames to the etnaviv Xv GPU backend, thereby exercising these code
paths.  After about 39 hours, the above provoked the oops below, which
is a use-after-free bug.  Fix on its way to my git branch once builds
and reboots are complete.

Unable to handle kernel NULL pointer dereference at virtual address 00000004
pgd = c0004000
[00000004] *pgd=00000000
Internal error: Oops: 817 [#1] SMP ARM
Modules linked in: bnep rfcomm bluetooth algif_hash af_alg nfsd exportfs caam_jr rc_cec coda snd_soc_fsl_spdif imx_pcm_dma imx_sdma v4l2_mem2mem videobuf2_dma_contig cecd_dw_hdmi caam videobuf2_vmalloc videobuf2_memops imx2_wdt imx_thermal snd_soc_imx_spdif
CPU: 0 PID: 9381 Comm: kworker/u8:0 Not tainted 4.3.0-rc6+ #1862
[140431.268864] Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
Workqueue: etnaviv retire_worker
task: ea478000 ti: ea638000 task.ti: ea638000
PC is at retire_worker+0x108/0x158
LR is at mark_held_locks+0x74/0x98
pc : [<c0544134>]    lr : [<c0077838>]    psr: 200f0013
sp : ea639e58  ip : 0000022e  fp : ea639e8c
r10: 00000200  r9 : 00000100  r8 : ee28b5b0
r7 : ee28b5f0  r6 : 00385989  r5 : ee28b598  r4 : ed0eeb40
r3 : c05439f0  r2 : 00000080  r1 : 00000000  r0 : 00000001
Flags: nzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
Control: 10c5387d  Table: 3d02804a  DAC: 00000051
Process kworker/u8:0 (pid: 9381, stack limit = 0xea638210)
Stack: (0xea639e58 to 0xea63a000)
9e40:                                                       ea639e74 ee2b2834
9e60: c0077a58 ee28b5f0 e9595880 ee822000 ea639eb0 00000000 c09f40f8 ee1a4600
9e80: ea639eec ea639e90 c0047b4c c0544038 00000001 00000000 c0047ab8 ee822000
...
Backtrace:
[<c054402c>] (retire_worker) from [<c0047b4c>] (process_one_work+0x1c4/0x4b0)
 r10:ee1a4600 r9:c09f40f8 r8:00000000 r7:ea639eb0 r6:ee822000 r5:e9595880
 r4:ee28b5f0
[<c0047988>] (process_one_work) from [<c0047ea8>] (worker_thread+0x34/0x4b0)
 r10:ee822000 r9:ee822000 r8:00000088 r7:e9595898 r6:e9595880 r5:00000001
 r4:ee822030
[<c0047e74>] (worker_thread) from [<c004e0f4>] (kthread+0xe0/0xfc)
 r10:00000000 r9:00000000 r8:00000000 r7:c0047e74 r6:e9595880 r5:00000000
 r4:e1fdc800
[<c004e014>] (kthread) from [<c000fcf0>] (ret_from_fork+0x14/0x24)
 r7:00000000 r6:00000000 r5:c004e014 r4:e1fdc800
Code: ba000006 ebffff50 e594301c e5941018 (e5813004)
 ---[ end trace d430e2a4bd7d6777 ]---

-- 
FTTC broadband for 0.8mile line: currently at 9.6Mbps down 400kbps up
according to speedtest.net.

