gpu-viv: Fix crash in gckGALDEVICE_Destroy() #29
Description:
Fix a kernel crash caused by a dangling pointer in gal_device->devices[devIndex].
The memory pointed to by gal_device->devices[devIndex] was freed via gcmkVERIFY_OK(gckDEVICE_Destroy(device->os, device)), but the pointer itself was not cleared, leaving a dangling reference.
Later, this stale pointer was dereferenced in _DebugfsCleanup(), leading to a kernel crash due to invalid memory access.
This patch addresses the issue by setting gal_device->devices[devIndex] = gcvNULL immediately after the device is destroyed, preventing any further use of freed memory.
Crash Logs:
Unable to handle kernel paging request at virtual address ffff800081b06298
Kernel paging request at ffff800081b06298 with no valid PTE.
[ffff800081b06298] pgd=100000013ffff003, p4d=100000013ffff003,
pud=100000013fffe003, pmd=100000010002a003, pte=0000000000000000
Faulting instruction: ldr x20, [x0, #0x12a8]
Code: aa1803e0 528166e2 97d3ba16 f940ee60 (f9494c14) [CRASH LOGS]
1978: f9494c14 ldr x20, [x0, #4760] [DRIVER DISASSEMBLY]
Base address (x0): ffff800081b05000
Fault address: x0 + 0x12a8 = ffff800081b06298
Fix:
Set gal_device->devices[devIndex] = gcvNULL after gckDEVICE_Destroy() to nullify the dangling pointer and prevent use-after-free.
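The lifecycle bug this PR fixes, modelled as an added example in plain C; it is not code from the gpu-viv driver or from this pull request. All names here (demo_device, demo_gal_device, demo_device_destroy, demo_debugfs_cleanup, DEMO_MAX_DEVICES) are hypothetical stand-ins for gckDEVICE, gckGALDEVICE, gckDEVICE_Destroy() and _DebugfsCleanup(). The container owns an array of device pointers, the destroy routine takes each pointer by value and so cannot clear the caller's slot, and a later cleanup pass trusts every non-NULL slot to be live. The `clear_slots` flag switches between the original behaviour and the one-line fix; the buggy path is only ever inspected by comparing pointers, never by dereferencing freed memory.

```c
/* Added example (hypothetical demo_* names), not gpu-viv driver code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

#define DEMO_MAX_DEVICES 4

struct demo_device {
    int index;
    bool debugfs_registered;   /* stands in for per-device debugfs state */
};

struct demo_gal_device {
    struct demo_device *devices[DEMO_MAX_DEVICES];
    int device_count;
};

static struct demo_device *demo_device_create(int index)
{
    struct demo_device *dev = calloc(1, sizeof(*dev));
    if (dev == NULL)
        return NULL;
    dev->index = index;
    dev->debugfs_registered = true;
    return dev;
}

/* Mirrors gckDEVICE_Destroy(): frees the object but, taking the pointer by
 * value, has no way to clear the slot it was loaded from. */
static void demo_device_destroy(struct demo_device *dev)
{
    free(dev);
}

/* Populate `count` slots; on allocation failure release what was created. */
int demo_gal_init(struct demo_gal_device *gal, int count)
{
    int i;
    if (count < 0 || count > DEMO_MAX_DEVICES)
        return -1;
    for (i = 0; i < DEMO_MAX_DEVICES; i++)
        gal->devices[i] = NULL;
    gal->device_count = 0;
    for (i = 0; i < count; i++) {
        gal->devices[i] = demo_device_create(i);
        if (gal->devices[i] == NULL) {
            while (i-- > 0) {
                demo_device_destroy(gal->devices[i]);
                gal->devices[i] = NULL;
            }
            return -1;
        }
        gal->device_count++;
    }
    return 0;
}

/* The cleanup pass from the crash path: every non-NULL slot is assumed live
 * and dereferenced. Returns how many slots it touched. */
int demo_debugfs_cleanup(struct demo_gal_device *gal)
{
    int touched = 0;
    int i;
    for (i = 0; i < DEMO_MAX_DEVICES; i++) {
        struct demo_device *dev = gal->devices[i];
        if (dev == NULL)
            continue;               /* cleared slot: nothing to release */
        dev->debugfs_registered = false;   /* use-after-free if dev was freed */
        touched++;
    }
    return touched;
}

/* clear_slots == false reproduces the original code; true applies the fix. */
int demo_gal_destroy_devices(struct demo_gal_device *gal, bool clear_slots)
{
    int destroyed = 0;
    int i;
    for (i = 0; i < gal->device_count; i++) {
        if (gal->devices[i] == NULL)
            continue;
        demo_device_destroy(gal->devices[i]);
        if (clear_slots)
            gal->devices[i] = NULL;   /* the PR's fix: gcvNULL after destroy */
        destroyed++;
    }
    gal->device_count = 0;
    return destroyed;
}

/* Pointer comparison only; never dereferences the slots. */
bool demo_gal_has_dangling(const struct demo_gal_device *gal)
{
    int i;
    for (i = 0; i < DEMO_MAX_DEVICES; i++)
        if (gal->devices[i] != NULL)
            return true;
    return false;
}

/* Fixed lifecycle on `count` devices; 0 on success, else a failure code. */
int demo_check_fixed_lifecycle(int count)
{
    struct demo_gal_device gal;
    if (demo_gal_init(&gal, count) != 0)
        return 1;
    if (demo_debugfs_cleanup(&gal) != count)
        return 2;   /* live devices must all be visited before destruction */
    if (demo_gal_destroy_devices(&gal, true) != count)
        return 3;
    if (demo_gal_has_dangling(&gal))
        return 4;
    return demo_debugfs_cleanup(&gal) == 0 ? 0 : 5;
}

/* Original behaviour: destroy without clearing, then check for stale slots. */
bool demo_buggy_leaves_dangling(int count)
{
    struct demo_gal_device gal;
    if (demo_gal_init(&gal, count) != 0)
        return false;
    demo_gal_destroy_devices(&gal, false);
    return demo_gal_has_dangling(&gal);   /* true: cleanup would deref freed memory */
}

int main(void)
{
    return demo_check_fixed_lifecycle(2) == 0 && demo_buggy_leaves_dangling(2) ? 0 : 1;
}
```

In the buggy configuration the slots still hold the freed addresses, which is exactly what a later cleanup pass would load and dereference, matching the faulting `ldr x20, [x0, ...]` in the report. A stricter variant of the fix is to make the destroy routine take `struct demo_device **` and clear the slot itself, so no caller can forget the assignment; the driver's one-line change after gckDEVICE_Destroy() is the minimal equivalent.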