linux/drivers/gpu/drm
Huacai Chen b7ea85a4fe drm: fix a use-after-free when GPU acceleration disabled
When GPU acceleration is disabled, drm_vblank_cleanup() will free the
vblank-related data, such as vblank_refcount, vblank_inmodeset, etc.
But we found that drm_vblank_post_modeset() may be called after the
cleanup, which use vblank_refcount and vblank_inmodeset. And this will
cause a kernel panic.

Fix this by return immediately if dev->num_crtcs is zero. This is the
same thing that drm_vblank_pre_modeset() does.

Call trace of a drm_vblank_post_modeset() after drm_vblank_cleanup():
[   62.628906] [<ffffffff804868d0>] drm_vblank_post_modeset+0x34/0xb4
[   62.628906] [<ffffffff804c7008>] atombios_crtc_dpms+0xb4/0x174
[   62.628906] [<ffffffff804c70e0>] atombios_crtc_commit+0x18/0x38
[   62.628906] [<ffffffff8047f038>] drm_crtc_helper_set_mode+0x304/0x3cc
[   62.628906] [<ffffffff8047f92c>] drm_crtc_helper_set_config+0x6d8/0x988
[   62.628906] [<ffffffff8047dd40>] drm_fb_helper_set_par+0x94/0x104
[   62.628906] [<ffffffff80439d14>] fbcon_init+0x424/0x57c
[   62.628906] [<ffffffff8046a638>] visual_init+0xb8/0x118
[   62.628906] [<ffffffff8046b9f8>] take_over_console+0x238/0x384
[   62.628906] [<ffffffff80436df8>] fbcon_takeover+0x7c/0xdc
[   62.628906] [<ffffffff8024fa20>] notifier_call_chain+0x44/0x94
[   62.628906] [<ffffffff8024fcbc>] __blocking_notifier_call_chain+0x48/0x68
[   62.628906] [<ffffffff8042d990>] register_framebuffer+0x228/0x260
[   62.628906] [<ffffffff8047e010>] drm_fb_helper_single_fb_probe+0x260/0x314
[   62.628906] [<ffffffff8047e2c4>] drm_fb_helper_initial_config+0x200/0x234
[   62.628906] [<ffffffff804e5560>] radeon_fbdev_init+0xd4/0xf4
[   62.628906] [<ffffffff804e0e08>] radeon_modeset_init+0x9bc/0xa18
[   62.628906] [<ffffffff804bfc14>] radeon_driver_load_kms+0xdc/0x12c
[   62.628906] [<ffffffff8048b548>] drm_get_pci_dev+0x148/0x238
[   62.628906] [<ffffffff80423564>] local_pci_probe+0x5c/0xd0
[   62.628906] [<ffffffff80241ac4>] work_for_cpu_fn+0x1c/0x30
[   62.628906] [<ffffffff802427c8>] process_one_work+0x274/0x3bc
[   62.628906] [<ffffffff80242934>] process_scheduled_works+0x24/0x44
[   62.628906] [<ffffffff8024515c>] worker_thread+0x31c/0x3f4
[   62.628906] [<ffffffff802497a8>] kthread+0x88/0x90
[   62.628906] [<ffffffff80206794>] kernel_thread_helper+0x10/0x18

Signed-off-by: Huacai Chen <chenhc@lemote.com>
Signed-off-by: Binbin Zhou <zhoubb@lemote.com>
Cc: <stable@vger.kernel.org>
Reviewed-by: Michel Dänzer <michel.daenzer@amd.com>
Acked-by: Paul Menzel <paulepanter@users.sourceforge.net>
Signed-off-by: Dave Airlie <airlied@gmail.com>
2013-06-03 19:12:04 +10:00
..
ast drm/ast: deal with bo reserve fail in dirty update path 2013-05-02 12:46:47 +10:00
cirrus drm/cirrus: deal with bo reserve fail in dirty update path 2013-05-02 12:46:56 +10:00
exynos Merge branch 'exynos-drm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/daeinki/drm-exynos into drm-next 2013-05-24 10:14:57 +10:00
gma500 Merge branch 'drm-next' of git://people.freedesktop.org/~airlied/linux 2013-05-02 19:40:34 -07:00
i2c drm/i2c: nxp-tda998x (v3) 2013-02-19 17:57:44 -05:00
i810
i915 drm/i915: avoid premature DP AUX timeouts 2013-05-22 13:51:26 +02:00
mga
mgag200 Merge branch 'drm-next' of git://people.freedesktop.org/~airlied/linux 2013-05-13 07:59:59 -07:00
nouveau Merge remote-tracking branch 'pfdo/drm-fixes' into drm-next 2013-05-24 10:12:22 +10:00
omapdrm drm: prime: fix refcounting on the dmabuf import error path 2013-05-01 09:40:21 +10:00
qxl drm/qxl: fix build warnings on 32-bit 2013-05-31 12:45:09 +10:00
r128
radeon radeon: use max_bus_speed to activate gen2 speeds 2013-05-29 12:36:12 -04:00
savage
shmobile drm/shmob: use drm_send_vblank_event() helper 2013-05-22 09:13:41 +10:00
sis drm/sis: convert to idr_alloc() 2013-02-27 19:10:16 -08:00
tdfx
tilcdc Merge branch 'drm-next' of git://people.freedesktop.org/~airlied/linux 2013-05-02 19:40:34 -07:00
ttm drm: use vma_pages() to replace (vm_end - vm_start) >> PAGE_SHIFT 2013-04-16 13:14:00 +10:00
udl Merge branch 'drm-next' of git://people.freedesktop.org/~airlied/linux 2013-05-02 19:40:34 -07:00
via drm/via: convert to idr_alloc() 2013-02-27 19:10:16 -08:00
vmwgfx drm/vmwgfx: convert to idr_alloc() 2013-02-27 19:10:16 -08:00
ati_pcigart.c
drm_agpsupport.c
drm_auth.c
drm_buffer.c
drm_bufs.c
drm_cache.c lib/scatterlist: sg_page_iter: support sg lists w/o backing pages 2013-03-27 17:13:44 +01:00
drm_context.c drm: convert to idr_alloc() 2013-02-27 19:10:15 -08:00
drm_crtc_helper.c drm: Only print a debug message when the polled connector has changed 2013-05-13 12:13:06 +10:00
drm_crtc.c drm: Make the HPD status updates debug logs more readable 2013-05-13 12:12:57 +10:00
drm_debugfs.c
drm_dma.c
drm_dp_helper.c drm/doc: add new dp helpers into drm DocBook 2012-11-28 20:26:53 +10:00
drm_drv.c drm: Use names of ioctls in debug traces 2013-05-10 14:46:50 +10:00
drm_edid_load.c drm: Add 1600x1200 (UXGA) screen resolution to the built-in EDIDs 2013-04-12 14:06:16 +10:00
drm_edid.c drm/edid: Check both 60Hz and 59.94Hz when looking for a CEA mode 2013-04-26 10:25:54 +10:00
drm_encoder_slave.c drm: refactor call to request_module 2013-05-10 14:46:03 +10:00
drm_fb_cma_helper.c Merge branch 'tilcdc-next' of git://people.freedesktop.org/~robclark/linux into drm-next 2013-02-21 09:31:47 +10:00
drm_fb_helper.c Merge branch 'drm-next' of git://people.freedesktop.org/~airlied/linux 2013-05-02 19:40:34 -07:00
drm_fops.c drm: correctly restore mappings if drm_open fails 2013-04-03 06:44:38 +10:00
drm_gem_cma_helper.c drm/cma: add debugfs helpers 2013-02-17 17:55:42 -05:00
drm_gem.c drm/prime: keep a reference from the handle to exported dma-buf (v6) 2013-05-01 09:30:15 +10:00
drm_global.c
drm_hashtab.c hlist: drop the node parameter from iterators 2013-02-27 19:10:24 -08:00
drm_info.c
drm_ioc32.c
drm_ioctl.c drm: add support for monotonic vblank timestamps 2012-11-20 16:06:16 +10:00
drm_irq.c drm: fix a use-after-free when GPU acceleration disabled 2013-06-03 19:12:04 +10:00
drm_lock.c
drm_memory.c
drm_mm.c drm/mm: fix dump table BUG 2013-04-30 15:15:58 +02:00
drm_modes.c Merge branch 'drm-next' of git://people.freedesktop.org/~airlied/linux 2013-05-13 07:59:59 -07:00
drm_pci.c drm: Silence some sparse warnings 2013-04-30 10:02:25 +10:00
drm_platform.c
drm_prime.c drm/prime: warn for non-empty handle lookup list during drm file release 2013-05-01 16:08:18 +10:00
drm_proc.c drm: proc: Use remove_proc_subtree() 2013-05-01 17:29:44 -04:00
drm_scatter.c
drm_stub.c drm: proc: Use minor->index to label things, not PDE->name 2013-05-01 17:29:44 -04:00
drm_sysfs.c drm: remove legacy drm_connector_property fxns 2012-11-30 10:30:48 -06:00
drm_trace_points.c
drm_trace.h
drm_usb.c drm/usb: bind driver to correct device 2013-02-07 12:37:41 +10:00
drm_vm.c drm: export drm_vm_open_locked 2013-04-26 10:20:00 +10:00
Kconfig drm/tegra: Move drm to live under host1x 2013-04-22 12:39:11 +02:00
Makefile drm/tegra: Move drm to live under host1x 2013-04-22 12:39:11 +02:00
README.drm

************************************************************
* For the very latest on DRI development, please see:      *
*     http://dri.freedesktop.org/                          *
************************************************************

The Direct Rendering Manager (drm) is a device-independent kernel-level
device driver that provides support for the XFree86 Direct Rendering
Infrastructure (DRI).

The DRM supports the Direct Rendering Infrastructure (DRI) in four major
ways:

    1. The DRM provides synchronized access to the graphics hardware via
       the use of an optimized two-tiered lock.

    2. The DRM enforces the DRI security policy for access to the graphics
       hardware by only allowing authenticated X11 clients access to
       restricted regions of memory.

    3. The DRM provides a generic DMA engine, complete with multiple
       queues and the ability to detect the need for an OpenGL context
       switch.

    4. The DRM is extensible via the use of small device-specific modules
       that rely extensively on the API exported by the DRM module.


Documentation on the DRI is available from:
    http://dri.freedesktop.org/wiki/Documentation
    http://sourceforge.net/project/showfiles.php?group_id=387
    http://dri.sourceforge.net/doc/

For specific information about kernel-level support, see:

    The Direct Rendering Manager, Kernel Support for the Direct Rendering
    Infrastructure
    http://dri.sourceforge.net/doc/drm_low_level.html

    Hardware Locking for the Direct Rendering Infrastructure
    http://dri.sourceforge.net/doc/hardware_locking_low_level.html

    A Security Analysis of the Direct Rendering Infrastructure
    http://dri.sourceforge.net/doc/security_low_level.html