From: Greg Kroah-Hartman
Date: Mon, 13 Feb 2017 13:02:07 +0000 (-0800)
Subject: 4.4-stable patches
X-Git-Tag: v4.9.10~1
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7ad41f45ebbde2f2126106525c1f4c1fffba4308;p=thirdparty%2Fkernel%2Fstable-queue.git

4.4-stable patches

added patches:
drm-i915-fix-use-after-free-in-page_flip_completed.patch
---

diff --git a/queue-4.4/drm-i915-fix-use-after-free-in-page_flip_completed.patch b/queue-4.4/drm-i915-fix-use-after-free-in-page_flip_completed.patch
new file mode 100644
index 00000000000..adc37c7a2be
--- /dev/null
+++ b/queue-4.4/drm-i915-fix-use-after-free-in-page_flip_completed.patch
@@ -0,0 +1,67 @@
+From 5351fbb1bf1413f6024892093528280769ca852f Mon Sep 17 00:00:00 2001
+From: Andrey Ryabinin
+Date: Thu, 26 Jan 2017 17:32:11 +0300
+Subject: drm/i915: fix use-after-free in page_flip_completed()
+
+From: Andrey Ryabinin
+
+commit 5351fbb1bf1413f6024892093528280769ca852f upstream.
+
+page_flip_completed() dereferences 'work' variable after executing
+queue_work(). This is not safe as the 'work' item might be already freed
+by queued work:
+
+ BUG: KASAN: use-after-free in page_flip_completed+0x3ff/0x490 at addr ffff8803dc010f90
+ Call Trace:
+ __asan_report_load8_noabort+0x59/0x80
+ page_flip_completed+0x3ff/0x490
+ intel_finish_page_flip_mmio+0xe3/0x130
+ intel_pipe_handle_vblank+0x2d/0x40
+ gen8_irq_handler+0x4a7/0xed0
+ __handle_irq_event_percpu+0xf6/0x860
+ handle_irq_event_percpu+0x6b/0x160
+ handle_irq_event+0xc7/0x1b0
+ handle_edge_irq+0x1f4/0xa50
+ handle_irq+0x41/0x70
+ do_IRQ+0x9a/0x200
+ common_interrupt+0x89/0x89
+
+ Freed:
+ kfree+0x113/0x4d0
+ intel_unpin_work_fn+0x29a/0x3b0
+ process_one_work+0x79e/0x1b70
+ worker_thread+0x611/0x1460
+ kthread+0x241/0x3a0
+ ret_from_fork+0x27/0x40
+
+Move queue_work() after trace_i915_flip_complete() to fix this.
+
+Fixes: e5510fac98a7 ("drm/i915: add tracepoints for flip requests & completions")
+Signed-off-by: Andrey Ryabinin
+Reviewed-by: Chris Wilson
+Signed-off-by: Daniel Vetter
+Link: http://patchwork.freedesktop.org/patch/msgid/20170126143211.24013-1-aryabinin@virtuozzo.com
+(cherry picked from commit 05c41f926fcc7ef838c80a6a99d84f67b4e0b824)
+Signed-off-by: Jani Nikula
+Signed-off-by: Andrey Ryabinin
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/i915/intel_display.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/i915/intel_display.c
++++ b/drivers/gpu/drm/i915/intel_display.c
+@@ -3948,10 +3948,10 @@ static void page_flip_completed(struct i
+ drm_crtc_vblank_put(&intel_crtc->base);
+
+ wake_up_all(&dev_priv->pending_flip_queue);
+- queue_work(dev_priv->wq, &work->work);
+-
+ trace_i915_flip_complete(intel_crtc->plane,
+ work->pending_flip_obj);
++
++ queue_work(dev_priv->wq, &work->work);
+ }
+
+ void intel_crtc_wait_for_pending_flips(struct drm_crtc *crtc)
diff --git a/queue-4.4/series b/queue-4.4/series
index ec88aacca9b..424d9c41fb6 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -17,3 +17,4 @@ scsi-mpt3sas-disable-aspm-for-mpi2-controllers.patch
 xen-netfront-delete-rx_refill_timer-in-xennet_disconnect_backend.patch
 alsa-seq-fix-race-at-creating-a-queue.patch
 alsa-seq-don-t-handle-loop-timeout-at-snd_seq_pool_done.patch
+drm-i915-fix-use-after-free-in-page_flip_completed.patch
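Review bot: The reorder in the nested intel_display.c hunk is correct, but the ownership hand-off at `queue_work()` stays implicit: nothing in the new ordering tells the next reader that `work` must not be touched once it is queued, which is exactly how the tracepoint's read of `work->pending_flip_obj` ended up after the free. I would add a comment above the moved call, `/* queue_work() hands 'work' to intel_unpin_work_fn(), which frees it; this must remain the last use of 'work' in this function */`, so a future change that appends code to the tail of page_flip_completed() does not reintroduce the use-after-free. The KASAN report in the patch description is what grounds the freeing path (kfree via intel_unpin_work_fn); the freeing code itself is not in this hunk. page_flip_completed() begins before the nested hunk, so earlier uses of `work` are not visible here; the lines shown contain none after the queue.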