[3.13.y.z extended stable] Patch "drm/i915: Do not dereference pointers from ring buffer in evict event" has been added to staging queue

Kamal Mostafa kamal at canonical.com
Thu May 1 19:17:19 UTC 2014


This is a note to let you know that I have just added a patch titled

    drm/i915: Do not dereference pointers from ring buffer in evict event

to the linux-3.13.y-queue branch of the 3.13.y.z extended stable tree 
which can be found at:

 http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.13.y-queue

This patch is scheduled to be released in version 3.13.11.1.

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.13.y.z tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable

Thanks.
-Kamal

------

>From bbb0dde0bfaccfef69d190e7f661450f10827714 Mon Sep 17 00:00:00 2001
From: Steven Rostedt <rostedt at goodmis.org>
Date: Tue, 18 Mar 2014 11:27:37 -0400
Subject: drm/i915: Do not dereference pointers from ring buffer in evict event

commit 9297ebf29ad9118edd6c0fedc84f03e35028827d upstream.

The TP_printk() should never dereference any pointers, because the ring
buffer can be read at some unknown time in the future. If a device no
longer exists, it can cause a kernel oops. This also makes this
event useless when saving the ring buffer in userspaces tools such as
perf and trace-cmd.

The i915_gem_evict_vm dereferences the vm pointer which may also not
exist when the ring buffer is read sometime in the future.

Link: http://lkml.kernel.org/r/1395095198-20034-3-git-send-email-artagnon@gmail.com
Reported-by: Ramkumar Ramachandra <artagnon at gmail.com>
Fixes: bcccff847d1f "drm/i915: trace vm eviction instead of everything"
Signed-off-by: Steven Rostedt <rostedt at goodmis.org>
[danvet: Try to make it actually compile]
Signed-off-by: Daniel Vetter <daniel.vetter at ffwll.ch>
Signed-off-by: Kamal Mostafa <kamal at canonical.com>
---
 drivers/gpu/drm/i915/i915_trace.h | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/i915/i915_trace.h b/drivers/gpu/drm/i915/i915_trace.h
index 6e580c9..783ae08 100644
--- a/drivers/gpu/drm/i915/i915_trace.h
+++ b/drivers/gpu/drm/i915/i915_trace.h
@@ -238,14 +238,16 @@ TRACE_EVENT(i915_gem_evict_vm,
 	    TP_ARGS(vm),

 	    TP_STRUCT__entry(
+			     __field(u32, dev)
 			     __field(struct i915_address_space *, vm)
 			    ),

 	    TP_fast_assign(
+			   __entry->dev = vm->dev->primary->index;
 			   __entry->vm = vm;
 			  ),

-	    TP_printk("dev=%d, vm=%p", __entry->vm->dev->primary->index, __entry->vm)
+	    TP_printk("dev=%d, vm=%p", __entry->dev, __entry->vm)
 );

 TRACE_EVENT(i915_gem_ring_sync_to,
--
1.9.1





More information about the kernel-team mailing list