drm/xe: Fix memory use after free
The wait_event_timeout() on g2h_fence.wq which is declared on
stack can return before the wake_up() gets called, resulting in a
stack out of bound access when wake_up() accesses the g2h_fene.wq.
Do not declare g2h_fence related wait_queue_head_t on stack.
Fixes the below KASAN BUG and associated kernel crashes.
BUG: KASAN: stack-out-of-bounds in do_raw_spin_lock+0x6f/0x1e0
Read of size 4 at addr
ffff88826252f4ac by task kworker/u128:5/467
CPU: 25 PID: 467 Comm: kworker/u128:5 Tainted: G U 6.3.0-rc4-xe #1
Workqueue: events_unbound g2h_worker_func [xe]
Call Trace:
<TASK>
dump_stack_lvl+0x64/0xb0
print_report+0xc2/0x600
kasan_report+0x96/0xc0
do_raw_spin_lock+0x6f/0x1e0
_raw_spin_lock_irqsave+0x47/0x60
__wake_up_common_lock+0xc0/0x150
dequeue_one_g2h+0x20f/0x6a0 [xe]
g2h_worker_func+0xa9/0x180 [xe]
process_one_work+0x527/0x990
worker_thread+0x2d1/0x640
kthread+0x174/0x1b0
ret_from_fork+0x29/0x50
</TASK>
Tested-by: Matt Roper <matthew.d.roper@intel.com>
Reviewed-by: Bruce Chang <yu.bruce.chang@intel.com>
Signed-off-by: Niranjana Vishwanathapura <niranjana.vishwanathapura@intel.com>
Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
projects / linux-2.6-microblaze.git / commit