| Message ID | 20230127165834.11387-1-tiwai@suse.de |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:adf:eb09:0:0:0:0:0 with SMTP id s9csp939214wrn;
Fri, 27 Jan 2023 09:04:01 -0800 (PST)
X-Google-Smtp-Source:
AK7set/0cvSnr8MruAjpw+IkboKFtBiwcdGHf7dfwhtD12UsYmDuyqx4lpkMcbgySD5sWLts1d2J
X-Received: by 2002:a17:907:9625:b0:879:6abc:3bfc with SMTP id
gb37-20020a170907962500b008796abc3bfcmr5528503ejc.19.1674839040861;
Fri, 27 Jan 2023 09:04:00 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1674839040; cv=none;
d=google.com; s=arc-20160816;
b=FTXjDuJLO2vUt+z42+gHEa6lBUj9YmQndfq0hcf53pCe68Qwm58I7DIXC15/1YzQht
60oM17TL8DiXAwzp872WUxe3gvamjBsoALmkJ9bC0f4xymOt64OjwHSM9QD57uKr5q1D
seQsbgHuhMhsby6xBkBpdUWS2oF3xhx0wjc6V6B24si92gFeY+lHWRc7H1ViQ6kUsNGu
xnNUqnDV/sLHBpmy5yrR29AqxXA557Co48iGtNwKC+c4LEqdM9PSTLoOvzD3nJhHWhgZ
5uxTFv7UsTnSja4QHKnh4XkaPTd+9C1lmSldHQzVPndA6FUNhrASsjtUydEr3gqzvTOA
C++w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:content-transfer-encoding:mime-version
:message-id:date:subject:cc:to:from:dkim-signature:dkim-signature;
bh=ALfBJc/TQnM76erXqx3WFS5RKW2U4RiO2owBZHKVCn8=;
b=R9JpOem4wOQWLeP2boiwlrXFuUrwviIQzdo2UIH2PcdaBXTgH9WTluEUxn4J13Wkke
0t/Wv2mmOZvarDe3W0M539tZ2TP3G+m8LG7HraDfHEj8gAHXHXna55vSCpgvwSfKzGKJ
7PSkxjbNixN1WS2KpJ+Twl5B0DCdeAmm9XelNyLOw/ADSHBvAtlalKhSjx5D80/Oqdjs
qbCUdF0SuvoyjAaUMeGUze7xZ38e+xig77Yrs7+2fQVHFrzvGP2QBKGh6OAwCCTLDgOy
ZX1BhhMDyTj/xm3CP28vAzi4cGh2f75Gn96fiMmy/jgJXINeZgBSqqIdCk+NWhaDIbDO
ByQw==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@suse.de header.s=susede2_rsa header.b=eKjVXY6L;
dkim=neutral (no key) header.i=@suse.de header.s=susede2_ed25519;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=suse.de
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
ex1-20020a170907954100b0087877581bfcsi3961771ejc.982.2023.01.27.09.03.37;
Fri, 27 Jan 2023 09:04:00 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
dkim=pass header.i=@suse.de header.s=susede2_rsa header.b=eKjVXY6L;
dkim=neutral (no key) header.i=@suse.de header.s=susede2_ed25519;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=suse.de
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S234360AbjA0Q6s (ORCPT <rfc822;lekhanya01809@gmail.com>
+ 99 others); Fri, 27 Jan 2023 11:58:48 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53922 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S234309AbjA0Q6q (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Fri, 27 Jan 2023 11:58:46 -0500
Received: from smtp-out2.suse.de (smtp-out2.suse.de [195.135.220.29])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id DAAE159C5;
Fri, 27 Jan 2023 08:58:45 -0800 (PST)
Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de
[192.168.254.74])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature ECDSA (P-521) server-digest
SHA512)
(No client certificate requested)
by smtp-out2.suse.de (Postfix) with ESMTPS id 707D91F8A4;
Fri, 27 Jan 2023 16:58:44 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de;
s=susede2_rsa;
t=1674838724;
h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:
mime-version:mime-version:
content-transfer-encoding:content-transfer-encoding;
bh=ALfBJc/TQnM76erXqx3WFS5RKW2U4RiO2owBZHKVCn8=;
b=eKjVXY6L2bTaysy2dxZYGumxEmgbJgFFV9dWbg2XycKTSNuEReJucdlSDTY4AMPBhorrlL
ym3HZYuEHB8Np2ZCFuyBNkUOQ0ktCSNEwFFQhsuygKWszcutdYTfvyXwROWRawcYnBzjEY
ExQGRPzh4knFK7qzICuuvSWW3mFTehs=
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de;
s=susede2_ed25519; t=1674838724;
h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:
mime-version:mime-version:
content-transfer-encoding:content-transfer-encoding;
bh=ALfBJc/TQnM76erXqx3WFS5RKW2U4RiO2owBZHKVCn8=;
b=e0DErOEVvhfTZTI2/NwXWSWXpgYrK2/+9f6tnnXm8Yx6D8A5qtYNTf9vFajXiffEiZNcV3
nE8f0OOcl67HZYDA==
Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de
[192.168.254.74])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature ECDSA (P-521) server-digest
SHA512)
(No client certificate requested)
by imap2.suse-dmz.suse.de (Postfix) with ESMTPS id 466AD1336F;
Fri, 27 Jan 2023 16:58:44 +0000 (UTC)
Received: from dovecot-director2.suse.de ([192.168.254.65])
by imap2.suse-dmz.suse.de with ESMTPSA
id GyqPEMQC1GO1FwAAMHmgww
(envelope-from <tiwai@suse.de>); Fri, 27 Jan 2023 16:58:44 +0000
From: Takashi Iwai <tiwai@suse.de>
To: Helge Deller <deller@gmx.de>
Cc: linux-fbdev@vger.kernel.org, dri-devel@lists.freedesktop.org,
linux-kernel@vger.kernel.org,
Patrik Jakobsson <pjakobsson@suse.de>,
Thomas Zimmermann <tzimmermann@suse.de>
Subject: [PATCH] fbdev: Fix invalid page access after closing deferred I/O
devices
Date: Fri, 27 Jan 2023 17:58:34 +0100
Message-Id: <20230127165834.11387-1-tiwai@suse.de>
X-Mailer: git-send-email 2.35.3
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-4.4 required=5.0 tests=BAYES_00,DKIM_SIGNED,
DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_MED,SPF_HELO_NONE,
SPF_PASS autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1756196022033924341?=
X-GMAIL-MSGID: =?utf-8?q?1756196022033924341?=
|
| Series |
fbdev: Fix invalid page access after closing deferred I/O devices
|
|
Commit Message
Takashi Iwai
Jan. 27, 2023, 4:58 p.m. UTC
When a fbdev with deferred I/O is once opened and closed, the dirty
pages still remain queued in the pageref list, and eventually later
those may be processed in the delayed work. This may lead to a
corruption of pages, hitting an Oops.
This patch makes sure to cancel the delayed work and clean up the
pageref list at closing the device for addressing the bug. A part of
the cleanup code is factored out as a new helper function that is
called from the common fb_release().
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
drivers/video/fbdev/core/fb_defio.c | 10 +++++++++-
drivers/video/fbdev/core/fbmem.c | 2 ++
include/linux/fb.h | 1 +
3 files changed, 12 insertions(+), 1 deletion(-)
Comments
On Fri, Jan 27, 2023 at 05:58:34PM +0100, Takashi Iwai wrote: > When a fbdev with deferred I/O is once opened and closed, the dirty > pages still remain queued in the pageref list, and eventually later > those may be processed in the delayed work. This may lead to a > corruption of pages, hitting an Oops. > > This patch makes sure to cancel the delayed work and clean up the > pageref list at closing the device for addressing the bug. A part of > the cleanup code is factored out as a new helper function that is > called from the common fb_release(). > > Cc: <stable@vger.kernel.org> > Signed-off-by: Takashi Iwai <tiwai@suse.de> Reviewed-by: Patrik Jakobsson <pjakobsson@suse.de> > --- > drivers/video/fbdev/core/fb_defio.c | 10 +++++++++- > drivers/video/fbdev/core/fbmem.c | 2 ++ > include/linux/fb.h | 1 + > 3 files changed, 12 insertions(+), 1 deletion(-) > > diff --git a/drivers/video/fbdev/core/fb_defio.c b/drivers/video/fbdev/core/fb_defio.c > index c730253ab85c..583cbcf09446 100644 > --- a/drivers/video/fbdev/core/fb_defio.c > +++ b/drivers/video/fbdev/core/fb_defio.c > @@ -313,7 +313,7 @@ void fb_deferred_io_open(struct fb_info *info, > } > EXPORT_SYMBOL_GPL(fb_deferred_io_open); > > -void fb_deferred_io_cleanup(struct fb_info *info) > +void fb_deferred_io_release(struct fb_info *info) > { > struct fb_deferred_io *fbdefio = info->fbdefio; > struct page *page; > @@ -327,6 +327,14 @@ void fb_deferred_io_cleanup(struct fb_info *info) > page = fb_deferred_io_page(info, i); > page->mapping = NULL; > } > +} > +EXPORT_SYMBOL_GPL(fb_deferred_io_release); > + > +void fb_deferred_io_cleanup(struct fb_info *info) > +{ > + struct fb_deferred_io *fbdefio = info->fbdefio; > + > + fb_deferred_io_release(info); > > kvfree(info->pagerefs); > mutex_destroy(&fbdefio->lock); > diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c > index 3a6c8458eb8d..78c4cb5ee7c9 100644 > --- a/drivers/video/fbdev/core/fbmem.c > +++ b/drivers/video/fbdev/core/fbmem.c > @@ -1454,6 +1454,8 @@ __releases(&info->lock) > struct fb_info * const info = file->private_data; > > lock_fb_info(info); > + if (info->fbdefio) > + fb_deferred_io_release(info); > if (info->fbops->fb_release) > info->fbops->fb_release(info,1); > module_put(info->fbops->owner); > diff --git a/include/linux/fb.h b/include/linux/fb.h > index 96b96323e9cb..73eb1f85ea8e 100644 > --- a/include/linux/fb.h > +++ b/include/linux/fb.h > @@ -662,6 +662,7 @@ extern int fb_deferred_io_init(struct fb_info *info); > extern void fb_deferred_io_open(struct fb_info *info, > struct inode *inode, > struct file *file); > +extern void fb_deferred_io_release(struct fb_info *info); > extern void fb_deferred_io_cleanup(struct fb_info *info); > extern int fb_deferred_io_fsync(struct file *file, loff_t start, > loff_t end, int datasync); > -- > 2.35.3 >
Hi Takashi,
I love your patch! Yet something to improve:
[auto build test ERROR on drm-misc/drm-misc-next]
[also build test ERROR on linus/master v6.2-rc5 next-20230127]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Takashi-Iwai/fbdev-Fix-invalid-page-access-after-closing-deferred-I-O-devices/20230128-180330
base: git://anongit.freedesktop.org/drm/drm-misc drm-misc-next
patch link: https://lore.kernel.org/r/20230127165834.11387-1-tiwai%40suse.de
patch subject: [PATCH] fbdev: Fix invalid page access after closing deferred I/O devices
config: s390-defconfig (https://download.01.org/0day-ci/archive/20230129/202301290917.puRyNsug-lkp@intel.com/config)
compiler: s390-linux-gcc (GCC) 12.1.0
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# https://github.com/intel-lab-lkp/linux/commit/f28e22b16f34068d07913fa5d4fb2c9683aa8dc4
git remote add linux-review https://github.com/intel-lab-lkp/linux
git fetch --no-tags linux-review Takashi-Iwai/fbdev-Fix-invalid-page-access-after-closing-deferred-I-O-devices/20230128-180330
git checkout f28e22b16f34068d07913fa5d4fb2c9683aa8dc4
# save the config file
mkdir build_dir && cp config build_dir/.config
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-12.1.0 make.cross W=1 O=build_dir ARCH=s390 olddefconfig
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-12.1.0 make.cross W=1 O=build_dir ARCH=s390 SHELL=/bin/bash
If you fix the issue, kindly add following tag where applicable
| Reported-by: kernel test robot <lkp@intel.com>
All errors (new ones prefixed by >>):
drivers/video/fbdev/core/fbmem.c: In function 'fb_release':
>> drivers/video/fbdev/core/fbmem.c:1456:17: error: 'struct fb_info' has no member named 'fbdefio'
1456 | if (info->fbdefio)
| ^~
vim +1456 drivers/video/fbdev/core/fbmem.c
1447
1448 static int
1449 fb_release(struct inode *inode, struct file *file)
1450 __acquires(&info->lock)
1451 __releases(&info->lock)
1452 {
1453 struct fb_info * const info = file->private_data;
1454
1455 lock_fb_info(info);
> 1456 if (info->fbdefio)
1457 fb_deferred_io_release(info);
1458 if (info->fbops->fb_release)
1459 info->fbops->fb_release(info,1);
1460 module_put(info->fbops->owner);
1461 unlock_fb_info(info);
1462 put_fb_info(info);
1463 return 0;
1464 }
1465
On Fri, Jan 27, 2023 at 5:58 PM Takashi Iwai <tiwai@suse.de> wrote: > > When a fbdev with deferred I/O is once opened and closed, the dirty > pages still remain queued in the pageref list, and eventually later > those may be processed in the delayed work. This may lead to a > corruption of pages, hitting an Oops. > > This patch makes sure to cancel the delayed work and clean up the > pageref list at closing the device for addressing the bug. A part of > the cleanup code is factored out as a new helper function that is > called from the common fb_release(). > > Cc: <stable@vger.kernel.org> > Signed-off-by: Takashi Iwai <tiwai@suse.de> For some reason my first review didn't make it to the list. Trying again with my other email. As kernel test robot says, we need to check CONFIG_FB_DEFERRED_IO around access to info->fbdefio. With that fixed: Reviewed-by: Patrik Jakobsson <patrik.r.jakobsson@gmail.com> > --- > drivers/video/fbdev/core/fb_defio.c | 10 +++++++++- > drivers/video/fbdev/core/fbmem.c | 2 ++ > include/linux/fb.h | 1 + > 3 files changed, 12 insertions(+), 1 deletion(-) > > diff --git a/drivers/video/fbdev/core/fb_defio.c b/drivers/video/fbdev/core/fb_defio.c > index c730253ab85c..583cbcf09446 100644 > --- a/drivers/video/fbdev/core/fb_defio.c > +++ b/drivers/video/fbdev/core/fb_defio.c > @@ -313,7 +313,7 @@ void fb_deferred_io_open(struct fb_info *info, > } > EXPORT_SYMBOL_GPL(fb_deferred_io_open); > > -void fb_deferred_io_cleanup(struct fb_info *info) > +void fb_deferred_io_release(struct fb_info *info) > { > struct fb_deferred_io *fbdefio = info->fbdefio; > struct page *page; > @@ -327,6 +327,14 @@ void fb_deferred_io_cleanup(struct fb_info *info) > page = fb_deferred_io_page(info, i); > page->mapping = NULL; > } > +} > +EXPORT_SYMBOL_GPL(fb_deferred_io_release); > + > +void fb_deferred_io_cleanup(struct fb_info *info) > +{ > + struct fb_deferred_io *fbdefio = info->fbdefio; > + > + fb_deferred_io_release(info); > > kvfree(info->pagerefs); > mutex_destroy(&fbdefio->lock); > diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c > index 3a6c8458eb8d..78c4cb5ee7c9 100644 > --- a/drivers/video/fbdev/core/fbmem.c > +++ b/drivers/video/fbdev/core/fbmem.c > @@ -1454,6 +1454,8 @@ __releases(&info->lock) > struct fb_info * const info = file->private_data; > > lock_fb_info(info); > + if (info->fbdefio) > + fb_deferred_io_release(info); > if (info->fbops->fb_release) > info->fbops->fb_release(info,1); > module_put(info->fbops->owner); > diff --git a/include/linux/fb.h b/include/linux/fb.h > index 96b96323e9cb..73eb1f85ea8e 100644 > --- a/include/linux/fb.h > +++ b/include/linux/fb.h > @@ -662,6 +662,7 @@ extern int fb_deferred_io_init(struct fb_info *info); > extern void fb_deferred_io_open(struct fb_info *info, > struct inode *inode, > struct file *file); > +extern void fb_deferred_io_release(struct fb_info *info); > extern void fb_deferred_io_cleanup(struct fb_info *info); > extern int fb_deferred_io_fsync(struct file *file, loff_t start, > loff_t end, int datasync); > -- > 2.35.3 >
diff --git a/drivers/video/fbdev/core/fb_defio.c b/drivers/video/fbdev/core/fb_defio.c index c730253ab85c..583cbcf09446 100644 --- a/drivers/video/fbdev/core/fb_defio.c +++ b/drivers/video/fbdev/core/fb_defio.c @@ -313,7 +313,7 @@ void fb_deferred_io_open(struct fb_info *info, } EXPORT_SYMBOL_GPL(fb_deferred_io_open); -void fb_deferred_io_cleanup(struct fb_info *info) +void fb_deferred_io_release(struct fb_info *info) { struct fb_deferred_io *fbdefio = info->fbdefio; struct page *page; @@ -327,6 +327,14 @@ void fb_deferred_io_cleanup(struct fb_info *info) page = fb_deferred_io_page(info, i); page->mapping = NULL; } +} +EXPORT_SYMBOL_GPL(fb_deferred_io_release); + +void fb_deferred_io_cleanup(struct fb_info *info) +{ + struct fb_deferred_io *fbdefio = info->fbdefio; + + fb_deferred_io_release(info); kvfree(info->pagerefs); mutex_destroy(&fbdefio->lock); diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c index 3a6c8458eb8d..78c4cb5ee7c9 100644 --- a/drivers/video/fbdev/core/fbmem.c +++ b/drivers/video/fbdev/core/fbmem.c @@ -1454,6 +1454,8 @@ __releases(&info->lock) struct fb_info * const info = file->private_data; lock_fb_info(info); + if (info->fbdefio) + fb_deferred_io_release(info); if (info->fbops->fb_release) info->fbops->fb_release(info,1); module_put(info->fbops->owner); diff --git a/include/linux/fb.h b/include/linux/fb.h index 96b96323e9cb..73eb1f85ea8e 100644 --- a/include/linux/fb.h +++ b/include/linux/fb.h @@ -662,6 +662,7 @@ extern int fb_deferred_io_init(struct fb_info *info); extern void fb_deferred_io_open(struct fb_info *info, struct inode *inode, struct file *file); +extern void fb_deferred_io_release(struct fb_info *info); extern void fb_deferred_io_cleanup(struct fb_info *info); extern int fb_deferred_io_fsync(struct file *file, loff_t start, loff_t end, int datasync);