[Intel-gfx] [PATCH] drm: Reorder set_property_atomic to avoid returning with an active ww_ctx
Chris Wilson
chris at chris-wilson.co.uk
Thu Jan 3 10:16:54 UTC 2019
Quoting Maarten Lankhorst (2019-01-03 09:03:27)
> Op 30-12-2018 om 13:28 schreef Chris Wilson:
> > Delay the drm_modeset_acquire_init() until after we check for an
> > allocation failure so that we can return immediately upon error without
> > having to unwind.
> >
> > WARNING: lock held when returning to user space!
> > 4.20.0+ #174 Not tainted
> > ------------------------------------------------
> > syz-executor556/8153 is leaving the kernel with locks still held!
> > 1 lock held by syz-executor556/8153:
> > #0: 000000005100c85c (crtc_ww_class_acquire){+.+.}, at:
> > set_property_atomic+0xb3/0x330 drivers/gpu/drm/drm_mode_object.c:462
> >
> > Reported-by: syzbot+6ea337c427f5083ebdf2 at syzkaller.appspotmail.com
> > Fixes: 144a7999d633 ("drm: Handle properties in the core for atomic drivers")
> > Signed-off-by: Chris Wilson <chris at chris-wilson.co.uk>
> > Cc: Daniel Vetter <daniel.vetter at ffwll.ch>
> > Cc: Maarten Lankhorst <maarten.lankhorst at linux.intel.com>
> > Cc: Sean Paul <sean at poorly.run>
> > Cc: David Airlie <airlied at linux.ie>
> > Cc: <stable at vger.kernel.org> # v4.14+
> > ---
> > drivers/gpu/drm/drm_mode_object.c | 5 +++--
> > 1 file changed, 3 insertions(+), 2 deletions(-)
> >
> > diff --git a/drivers/gpu/drm/drm_mode_object.c b/drivers/gpu/drm/drm_mode_object.c
> > index bb1dd46496cd..a9005c1c2384 100644
> > --- a/drivers/gpu/drm/drm_mode_object.c
> > +++ b/drivers/gpu/drm/drm_mode_object.c
> > @@ -459,12 +459,13 @@ static int set_property_atomic(struct drm_mode_object *obj,
> > struct drm_modeset_acquire_ctx ctx;
> > int ret;
> >
> > - drm_modeset_acquire_init(&ctx, 0);
> > -
> > state = drm_atomic_state_alloc(dev);
> > if (!state)
> > return -ENOMEM;
> > +
> > + drm_modeset_acquire_init(&ctx, 0);
> > state->acquire_ctx = &ctx;
> > +
> > retry:
> > if (prop == state->dev->mode_config.dpms_property) {
> > if (obj->type != DRM_MODE_OBJECT_CONNECTOR) {
>
> Woops only now see you did the same.. :)
I'm impressed that syszbot managed to hit it! Afaict, it is only a
debugging faux pas with no real user impact, so perhaps the stable is
overkill.
> Reviewed-by: Maarten Lankhorst <maarten.lankhorst at linux.intel.com>
Ta, pushed to drm-misc-next
-Chris
More information about the Intel-gfx
mailing list