From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Min Li <lm0963hack@gmail.com>, Andi Shyti <andi.shyti@kernel.org>,
Inki Dae <inki.dae@samsung.com>, Sasha Levin <sashal@kernel.org>,
sw0312.kim@samsung.com, kyungmin.park@samsung.com,
airlied@gmail.com, daniel@ffwll.ch,
krzysztof.kozlowski@linaro.org, dri-devel@lists.freedesktop.org,
linux-arm-kernel@lists.infradead.org,
linux-samsung-soc@vger.kernel.org
Subject: [PATCH AUTOSEL 5.15 11/16] drm/exynos: fix race condition UAF in exynos_g2d_exec_ioctl
Date: Fri, 16 Jun 2023 06:27:14 -0400
Message-ID: <20230616102721.673775-11-sashal@kernel.org>
In-Reply-To: <20230616102721.673775-1-sashal@kernel.org>
From: Min Li <lm0963hack@gmail.com>
[ Upstream commit 48bfd02569f5db49cc033f259e66d57aa6efc9a3 ]
If it is async, runqueue_node is freed in g2d_runqueue_worker on another
worker thread. So in extreme cases, if g2d_runqueue_worker runs first, and
then executes the following if statement, there will be use-after-free.
Signed-off-by: Min Li <lm0963hack@gmail.com>
Reviewed-by: Andi Shyti <andi.shyti@kernel.org>
Signed-off-by: Inki Dae <inki.dae@samsung.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/exynos/exynos_drm_g2d.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/exynos/exynos_drm_g2d.c b/drivers/gpu/drm/exynos/exynos_drm_g2d.c
index 471fd6c8135f2..27613abeed961 100644
--- a/drivers/gpu/drm/exynos/exynos_drm_g2d.c
+++ b/drivers/gpu/drm/exynos/exynos_drm_g2d.c
@@ -1335,7 +1335,7 @@ int exynos_g2d_exec_ioctl(struct drm_device *drm_dev, void *data,
/* Let the runqueue know that there is work to do. */
queue_work(g2d->g2d_workq, &g2d->runqueue_work);
- if (runqueue_node->async)
+ if (req->async)
goto out;
wait_for_completion(&runqueue_node->complete);
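Review bot: The `if (req->async)` line needs a short comment saying why it reads the request rather than the node. Per the commit message, once `queue_work()` has been called the worker may already have freed an async `runqueue_node`, and without a note a later cleanup could switch the test back to `runqueue_node->async`. It is also worth confirming, outside this hunk, that `runqueue_node->async` is set from `req->async` so the two tests are equivalent, and that nothing reached through `out` dereferences `runqueue_node` on the async path. The `wait_for_completion(&runqueue_node->complete)` that follows is safe only because the worker is stated to free the node in the async case alone.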
--
2.39.2