linux-uconsole

History

Tommi Rantala e1cd17df94 drm/radeon: fix DRM_IOCTL_RADEON_CS oops commit `a28b2a47ed` upstream. Passing zeroed drm_radeon_cs struct to DRM_IOCTL_RADEON_CS produces the following oops. Fix by always calling INIT_LIST_HEAD() to avoid the crash in list_sort(). ---------------------------------- #include <stdint.h> #include <fcntl.h> #include <unistd.h> #include <sys/ioctl.h> #include <drm/radeon_drm.h> static const struct drm_radeon_cs cs; int main(int argc, char **argv) { return ioctl(open(argv[1], O_RDWR), DRM_IOCTL_RADEON_CS, &cs); } ---------------------------------- [ttrantal@test2 ~]$ ./main /dev/dri/card0 [ 46.904650] BUG: unable to handle kernel NULL pointer dereference at (null) [ 46.905022] IP: [<ffffffff814d6df2>] list_sort+0x42/0x240 [ 46.905022] PGD 68f29067 PUD 688b5067 PMD 0 [ 46.905022] Oops: 0002 [#1] SMP [ 46.905022] CPU: 0 PID: 2413 Comm: main Not tainted 4.0.0-rc1+ #58 [ 46.905022] Hardware name: Hewlett-Packard HP Compaq dc5750 Small Form Factor/0A64h, BIOS 786E3 v02.10 01/25/2007 [ 46.905022] task: ffff880058e2bcc0 ti: ffff880058e64000 task.ti: ffff880058e64000 [ 46.905022] RIP: 0010:[<ffffffff814d6df2>] [<ffffffff814d6df2>] list_sort+0x42/0x240 [ 46.905022] RSP: 0018:ffff880058e67998 EFLAGS: 00010246 [ 46.905022] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 [ 46.905022] RDX: ffffffff81644410 RSI: ffff880058e67b40 RDI: ffff880058e67a58 [ 46.905022] RBP: ffff880058e67a88 R08: 0000000000000000 R09: 0000000000000000 [ 46.905022] R10: ffff880058e2bcc0 R11: ffffffff828e6ca0 R12: ffffffff81644410 [ 46.905022] R13: ffff8800694b8018 R14: 0000000000000000 R15: ffff880058e679b0 [ 46.905022] FS: 00007fdc65a65700(0000) GS:ffff88006d600000(0000) knlGS:0000000000000000 [ 46.905022] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 46.905022] CR2: 0000000000000000 CR3: 0000000058dd9000 CR4: 00000000000006f0 [ 46.905022] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 46.905022] DR3: 0000000000000000 DR6: 00000000ffff4ff0 DR7: 0000000000000400 [ 46.905022] Stack: [ 46.905022] ffff880058e67b40 ffff880058e2bcc0 ffff880058e67a78 0000000000000000 [ 46.905022] 0000000000000000 0000000000000000 0000000000000000 0000000000000000 [ 46.905022] 0000000000000000 0000000000000000 0000000000000000 0000000000000000 [ 46.905022] Call Trace: [ 46.905022] [<ffffffff81644a65>] radeon_cs_parser_fini+0x195/0x220 [ 46.905022] [<ffffffff81645069>] radeon_cs_ioctl+0xa9/0x960 [ 46.905022] [<ffffffff815e1f7c>] drm_ioctl+0x19c/0x640 [ 46.905022] [<ffffffff810f8fdd>] ? trace_hardirqs_on_caller+0xfd/0x1c0 [ 46.905022] [<ffffffff810f90ad>] ? trace_hardirqs_on+0xd/0x10 [ 46.905022] [<ffffffff8160c066>] radeon_drm_ioctl+0x46/0x80 [ 46.905022] [<ffffffff81211868>] do_vfs_ioctl+0x318/0x570 [ 46.905022] [<ffffffff81462ef6>] ? selinux_file_ioctl+0x56/0x110 [ 46.905022] [<ffffffff81211b41>] SyS_ioctl+0x81/0xa0 [ 46.905022] [<ffffffff81dc6312>] system_call_fastpath+0x12/0x17 [ 46.905022] Code: 48 89 b5 10 ff ff ff 0f 84 03 01 00 00 4c 8d bd 28 ff ff ff 31 c0 48 89 fb b9 15 00 00 00 49 89 d4 4c 89 ff f3 48 ab 48 8b 46 08 <48> c7 00 00 00 00 00 48 8b 0e 48 85 c9 0f 84 7d 00 00 00 c7 85 [ 46.905022] RIP [<ffffffff814d6df2>] list_sort+0x42/0x240 [ 46.905022] RSP <ffff880058e67998> [ 46.905022] CR2: 0000000000000000 [ 47.149253] ---[ end trace 09576b4e8b2c20b8 ]--- Reviewed-by: Christian König <christian.koenig@amd.com> Signed-off-by: Tommi Rantala <tt.rantala@gmail.com> Signed-off-by: Alex Deucher <alexander.deucher@amd.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>		2015-03-26 15:00:56 +01:00
..
accessibility
acpi	ACPI / video: Load the module even if ACPI is disabled	2015-03-18 13:22:35 +01:00
amba
ata	sata_dwc_460ex: fix resource leak on error path	2015-01-29 17:40:56 -08:00
atm	atm: idt77252: fix dev refcnt leak	2013-12-08 07:29:25 -08:00
auxdisplay
base	driver core: Fix unbalanced device reference in drivers_probe	2015-01-16 06:59:01 -08:00
bcma
block	rbd: drop an unsafe assertion	2015-02-26 17:48:49 -08:00
bluetooth	Bluetooth: ath3k: workaround the compatibility issue with xHCI controller	2015-03-06 14:40:47 -08:00
bus	bus: mvebu-mbus: fix support of MBus window 13	2015-01-29 17:40:56 -08:00
cdrom
char	Added Little Endian support to vtpm module	2015-03-06 14:40:50 -08:00
clk	clk: sunxi: Support factor clocks with N factor starting not from 0	2015-03-18 13:22:34 +01:00
clocksource	clocksource: exynos_mct: Fix bitmask regression for exynos4_mct_write	2015-01-29 17:40:56 -08:00
connector	net: Use netlink_ns_capable to verify the permisions of netlink messages	2014-06-26 15:12:37 -04:00
cpufreq	cpufreq: speedstep-smi: enable interrupts when waiting	2015-03-06 14:40:48 -08:00
cpuidle	cpuidle: Check the result of cpuidle_get_driver() against NULL	2014-04-14 06:42:15 -07:00
crypto	crypto: prefix module autoloading with "crypto-"	2015-01-29 17:40:57 -08:00
dca
devfreq
dio
dma	ioat: fix tasklet tear down	2014-03-06 21:30:14 -08:00
edac	cpc925_edac: Report UE events properly	2014-11-14 08:48:00 -08:00
eisa	Revert "EISA: Initialize device before its resources"	2014-02-13 13:47:59 -08:00
extcon	extcon: max77693: Fix two NULL pointer exceptions on missing pdata	2014-07-06 18:54:15 -07:00
firewire	firewire: cdev: prevent kernel stack leaking into ioctl arguments	2014-11-21 09:22:53 -08:00
firmware	efi-pstore: Make efi-pstore return a unique id	2015-02-05 22:35:40 -08:00
gpio	gpio: tps65912: fix wrong container_of arguments	2015-03-06 14:40:52 -08:00
gpu	drm/radeon: fix DRM_IOCTL_RADEON_CS oops	2015-03-26 15:00:56 +01:00
hid	HID: fixup the conflicting keyboard mappings quirk	2015-03-18 13:22:35 +01:00
hsi
hv	Drivers: hv: vmbus: incorrect device name is printed when child device is unregistered	2015-03-18 13:22:35 +01:00
hwmon	hwmon: (dme1737) Prevent overflow problem when writing large limits	2014-09-05 16:28:35 -07:00
hwspinlock
i2c	i2c: davinci: generate STP always when NACK is received	2014-12-16 09:09:42 -08:00
ide
idle	x86 idle: Repair large-server 50-watt idle-power regression	2014-01-09 12:24:21 -08:00
iio	iio: imu: adis16400: Fix sign extension	2015-03-18 13:22:29 +01:00
infiniband	IB/qib: Do not write EEPROM	2015-03-18 13:22:34 +01:00
input	Input: i8042 - add noloop quirk for Medion Akoya E7225 (MD98857)	2015-02-05 22:35:36 -08:00
iommu	iommu/vt-d: Fix an off-by-one bug in __domain_mapping()	2015-01-16 06:59:01 -08:00
ipack
irqchip	irqchip: gic: Fix core ID calculation when topology is read from DT	2014-07-28 08:00:06 -07:00
isdn	isdnloop: several buffer overflows	2014-04-14 06:42:18 -07:00
leds	leds: leds-pwm: properly clean up after probe failure	2014-06-07 13:25:34 -07:00
lguest	x86, flags: Rename X86_EFLAGS_BIT1 to X86_EFLAGS_FIXED	2014-11-14 08:47:54 -08:00
macintosh
mailbox
md	dm snapshot: fix a possible invalid memory access on unload	2015-03-18 13:22:34 +01:00
media	lmedm04: Fix usb_submit_urb BOGUS urb xfer, pipe 1 != type 3 in interrupt urb	2015-03-06 14:40:48 -08:00
memory
memstick
message	mptfusion: enable no_write_same for vmware scsi disks	2014-10-30 09:35:10 -07:00
mfd	mfd: tc6393xb: Fail ohci suspend if full state restore is required	2015-01-08 09:58:15 -08:00
misc	mei: bus: fix possible boundaries violation	2014-11-21 09:22:55 -08:00
mmc	mmc: sdhci-pxav3: fix setting of pdata->clk_delay_cycles	2015-03-06 14:40:49 -08:00
mtd	UBI: Fix double free after do_sync_erase()	2015-01-16 06:59:01 -08:00
net	Revert "net: cx82310_eth: use common match macro"	2015-03-26 15:00:56 +01:00
nfc	NFC: microread: Potential overflows in microread_target_discovered()	2014-10-05 14:54:12 -07:00
ntb	NTB: Correct debugfs to work with more than 1 NTB Device	2013-11-13 12:05:35 +09:00
nubus
of	of/base: Fix PowerPC address parsing hack	2014-12-06 15:05:47 -08:00
oprofile
parisc
parport	parport: parport_pc: remove double PCI ID for NetMos	2014-02-06 11:08:15 -08:00
pci	PCI: Fix infinite loop with ROM image of size 0	2015-03-06 14:40:48 -08:00
pcmcia
pinctrl	pinctrl: Fix two deadlocks	2015-01-29 17:40:55 -08:00
platform	hp_accel: Add support for HP ZBook 15	2015-01-27 07:52:31 -08:00
pnp	PNP / ACPI: proper handling of ACPI IO/Memory resource parsing failures	2014-03-23 21:38:22 -07:00
power	power_supply: 88pm860x: Fix leaked power supply on probe fail	2015-03-06 14:40:49 -08:00
pps
ps3
ptp
pwm
rapidio	rapidio/tsi721_dma: fix failure to obtain transaction descriptor	2014-08-07 14:30:25 -07:00
regulator	regulator: core: fix race condition in regulator_put()	2015-02-05 22:35:37 -08:00
remoteproc
reset
rpmsg
rtc	rtc: rtc-at91rm9200: fix infinite wait for ACKUPD irq	2014-06-26 15:12:37 -04:00
s390	crypto: prefix module autoloading with "crypto-"	2015-01-29 17:40:57 -08:00
sbus	bbc-i2c: Fix BBC I2C envctrl on SunBlade 2000	2014-08-14 09:24:16 +08:00
scsi	fixed invalid assignment of 64bit mask to host dma_boundary for scatter gather segment boundary limit.	2015-03-18 13:22:34 +01:00
sfi
sh
sn
spi	spi/pxa2xx: Clear cur_chip pointer before starting next message	2015-02-05 22:35:37 -08:00
ssb
ssbi
staging	staging: comedi: cb_pcidas64: fix incorrect AI range code handling	2015-03-18 13:22:34 +01:00
target	target: Check for LBA + sectors wrap-around in sbc_parse_cdb	2015-03-18 13:22:28 +01:00
tc
thermal
tty	tty: fix up atime/mtime mess, take four	2015-03-18 13:22:33 +01:00
uio	Fix a few incorrectly checked [io_]remap_pfn_range() calls	2013-11-13 12:05:33 +09:00
usb	USB: serial: fix potential use-after-free after failed probe	2015-03-18 13:22:31 +01:00
uwb
vfio	vfio-pci: Fix the check on pci device type in vfio_pci_probe()	2015-01-27 07:52:32 -08:00
vhost	vhost-scsi: Add missing virtio-scsi -> TCM attribute conversion	2015-02-05 22:35:40 -08:00
video	video/logo: prevent use of logos after they have been freed	2015-01-27 07:52:31 -08:00
virt
virtio	virtio_pci: fix virtio spec compliance on restore	2014-11-14 08:47:55 -08:00
vlynq
vme	VME: Correct read/write alignment algorithm	2014-02-22 12:41:28 -08:00
w1	w1: fix w1_send_slave dropping a slave id	2014-05-06 07:55:28 -07:00
watchdog	watchdog: ath79_wdt: avoid spurious restarts on AR934x	2014-07-06 18:54:14 -07:00
xen	Revert "swiotlb-xen: pass dev_addr to swiotlb_tbl_unmap_single"	2015-01-29 17:40:57 -08:00
zorro
Kconfig
Makefile