[Bug 198221] nouveau DRM driver scheduling invalid work
bugzilla-daemon at bugzilla.kernel.org
Thu Dec 21 04:32:00 UTC 2017
https://bugzilla.kernel.org/show_bug.cgi?id=198221
Petr Vandrovec (petr at vandrovec.name) changed:
What |Removed |Added
----------------------------------------------------------------------------
Regression|No |Yes
--- Comment #2 from Petr Vandrovec (petr at vandrovec.name) ---
I've built a kernel with the change and will give it some time, but I don't
think that it is the culprit.

I think that there is a race in how nouveau handles scheduled work:

The work being scheduled has its func callback set to
nouveau_gem_object_delete_work(), which does its job, and then frees the work.

Now nouveau_cli_work_queue sets some work properties, adds the work to the
cli->worker queue, and schedules work->cli->work.

But nouveau_cli_work might run between the moment the work is added to the
cli->worker queue and the moment schedule_work(&work->cli->work) is issued.

In that case the work dereference in nouveau_cli_work_fence will access freed
work memory, read garbage (0x00010000 in this case), add offsetof(cli, work) of
0x1f8, and pass this garbage pointer into schedule_work().

I'm not entirely sure what the expectations for the work are, but perhaps the
work should be added to the cli->worker list from nouveau_cli_work_fence, rather
than by nouveau_cli_work_queue.

Regression seems to be introduced by 814a23243bd2aaa9aafe03d85d0502a73be42b58,
"drm/nouveau: implement per-client delayed workqueue with fence support"
--
You are receiving this mail because:
You are watching the assignee of the bug.
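
The ordering described in comment #2, as an added example that is not part of the original message and is not nouveau source code: a single-threaded userspace C model in which the worker is made to run inside the window between the list add and the fence callback. Function names echo the comment; the struct fields, the `freed` flag (standing in for the free of the work) and `queue_once` are assumptions made for the model.

```c
/* Userspace model of the ordering described in comment #2. Function names
 * echo the comment; bodies, fields and the "freed" flag are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct cli;
struct work { struct cli *cli; struct work *next; bool freed; };
struct cli  { struct work *worker; int scheduled; };

static int stale_reads;   /* times a "freed" work was dereferenced */

static void list_add(struct cli *cli, struct work *w) {
    w->next = cli->worker;
    cli->worker = w;
}

/* Models nouveau_cli_work: drain cli->worker; each func frees its work. */
static void cli_work(struct cli *cli) {
    while (cli->worker) {
        struct work *w = cli->worker;
        cli->worker = w->next;
        w->freed = true;          /* stands in for the free done by the callback */
    }
}

/* Models nouveau_cli_work_fence: needs work->cli to schedule the worker. */
static void work_fence(struct work *w, bool add_here) {
    if (w->freed) { stale_reads++; return; }   /* the kernel reads garbage here */
    if (add_here) list_add(w->cli, w);
    w->cli->scheduled++;          /* stands in for schedule_work(&work->cli->work) */
}

/* Returns stale reads for one queue operation. worker_in_window simulates
 * nouveau_cli_work running between the two steps of the queue path. */
static int queue_once(bool add_in_fence, bool worker_in_window) {
    struct cli cli = { NULL, 0 };
    struct work w = { &cli, NULL, false };
    stale_reads = 0;
    if (!add_in_fence) list_add(&cli, &w);   /* ordering described as racy */
    if (worker_in_window) cli_work(&cli);
    work_fence(&w, add_in_fence);
    return stale_reads;
}

int main(void) {
    printf("list add in queue, worker in window: %d stale read(s)\n", queue_once(false, true));
    printf("list add in fence, worker in window: %d stale read(s)\n", queue_once(true, true));
    return 0;
}
```

In the model, a work item that is already on cli->worker when the worker runs is gone before the fence callback touches it; with the list add moved into the fence callback, the worker finds nothing to free in that window.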