[Intel-xe] ✓ CI.Patch_applied: success for drm/xe: Don't grab runtime PM ref in engine create IOCTL
Patchwork
patchwork at emeril.freedesktop.org
Mon Apr 10 21:36:27 UTC 2023
== Series Details ==
Series: drm/xe: Don't grab runtime PM ref in engine create IOCTL
URL : https://patchwork.freedesktop.org/series/116284/
State : success
== Summary ==
=== Applying kernel patches on branch 'drm-xe-next' with base: ===
commit 17b798712cb3b49de59b077c560e3195b12c8492
Author: Niranjana Vishwanathapura <niranjana.vishwanathapura at intel.com>
AuthorDate: Fri Apr 7 13:55:22 2023 -0700
Commit: Niranjana Vishwanathapura <niranjana.vishwanathapura at intel.com>
CommitDate: Fri Apr 7 22:13:56 2023 -0700
drm/xe: Fix memory use after free
The wait_event_timeout() on g2h_fence.wq which is declared on
stack can return before the wake_up() gets called, resulting in a
stack out of bound access when wake_up() accesses the g2h_fence.wq.
Do not declare g2h_fence related wait_queue_head_t on stack.
Fixes the below KASAN BUG and associated kernel crashes.
BUG: KASAN: stack-out-of-bounds in do_raw_spin_lock+0x6f/0x1e0
Read of size 4 at addr ffff88826252f4ac by task kworker/u128:5/467
CPU: 25 PID: 467 Comm: kworker/u128:5 Tainted: G U 6.3.0-rc4-xe #1
Workqueue: events_unbound g2h_worker_func [xe]
Call Trace:
<TASK>
dump_stack_lvl+0x64/0xb0
print_report+0xc2/0x600
kasan_report+0x96/0xc0
do_raw_spin_lock+0x6f/0x1e0
_raw_spin_lock_irqsave+0x47/0x60
__wake_up_common_lock+0xc0/0x150
dequeue_one_g2h+0x20f/0x6a0 [xe]
g2h_worker_func+0xa9/0x180 [xe]
process_one_work+0x527/0x990
worker_thread+0x2d1/0x640
kthread+0x174/0x1b0
ret_from_fork+0x29/0x50
</TASK>
Tested-by: Matt Roper <matthew.d.roper at intel.com>
Reviewed-by: Bruce Chang <yu.bruce.chang at intel.com>
Signed-off-by: Niranjana Vishwanathapura <niranjana.vishwanathapura at intel.com>
=== git am output follows ===
Applying: drm/xe: Don't grab runtime PM ref in engine create IOCTL