From: Tuo Li <islituo@gmail.com>
To: inki.dae@samsung.com, sw0312.kim@samsung.com,
	kyungmin.park@samsung.com, airlied@gmail.com, daniel@ffwll.ch,
	krzysztof.kozlowski@linaro.org, alim.akhtar@samsung.com
Cc: dri-devel@lists.freedesktop.org,
	linux-arm-kernel@lists.infradead.org,
	linux-samsung-soc@vger.kernel.org, linux-kernel@vger.kernel.org,
	baijiaju1990@outlook.com, Tuo Li <islituo@gmail.com>,
	BassCheck <bass@buaa.edu.cn>
Subject: [PATCH] drm/exynos: fix a possible null-pointer dereference due to data race in exynos_drm_crtc_atomic_disable()
Date: Fri, 30 Jun 2023 10:19:06 +0800
Message-ID: <20230630021906.1035115-1-islituo@gmail.com>

The variable crtc->state->event is often protected by the lock
crtc->dev->event_lock when it is accessed. However, it is accessed as a
condition of an if statement in exynos_drm_crtc_atomic_disable() without
holding the lock:

  if (crtc->state->event && !crtc->state->active)

However, if crtc->state->event is changed to NULL by another thread right
after the condition of the if statement is checked to be true, a
null-pointer dereference can occur in drm_crtc_send_vblank_event():

  e->pipe = pipe;

To fix this possible null-pointer dereference caused by data race, the
spin lock coverage is extended to protect the if statement as well as the
function call to drm_crtc_send_vblank_event().

Reported-by: BassCheck <bass@buaa.edu.cn>
Signed-off-by: Tuo Li <islituo@gmail.com>
---
 drivers/gpu/drm/exynos/exynos_drm_crtc.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/drivers/gpu/drm/exynos/exynos_drm_crtc.c b/drivers/gpu/drm/exynos/exynos_drm_crtc.c
index 4153f302de7c..d19e796c2061 100644
--- a/drivers/gpu/drm/exynos/exynos_drm_crtc.c
+++ b/drivers/gpu/drm/exynos/exynos_drm_crtc.c
@@ -39,13 +39,12 @@ static void exynos_drm_crtc_atomic_disable(struct drm_crtc *crtc,
 	if (exynos_crtc->ops->atomic_disable)
 		exynos_crtc->ops->atomic_disable(exynos_crtc);
 
+	spin_lock_irq(&crtc->dev->event_lock);
 	if (crtc->state->event && !crtc->state->active) {
-		spin_lock_irq(&crtc->dev->event_lock);
 		drm_crtc_send_vblank_event(crtc, crtc->state->event);
-		spin_unlock_irq(&crtc->dev->event_lock);
-
 		crtc->state->event = NULL;
 	}
+	spin_unlock_irq(&crtc->dev->event_lock);
 }
 
 static int exynos_crtc_atomic_check(struct drm_crtc *crtc,
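Review bot: the commit message says crtc->state->event can be "changed to NULL by another thread" but never names that writer, and this hunk only widens the lock around the reader side; please identify in the message which path clears the event concurrently (and on which CPU/context it runs), because if no other writer exists the enlarged critical section changes nothing. Also note for the description that `crtc->state->event = NULL;` is now executed under event_lock as well, and that `!crtc->state->active` is now read with the lock held; both are fine, but the text only mentions the if condition and the drm_crtc_send_vblank_event() call.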
-- 
2.34.1
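The check-then-use window the commit message describes, as an added example that is not part of the patch or of the kernel: a single-threaded C model in which the "other thread" is invoked deterministically between the check and the use, and an integer flag stands in for crtc->dev->event_lock. All struct and function names are constructed stand-ins for the DRM objects, chosen to mirror the hunk.

```c
#include <stddef.h>
/* Constructed stand-ins for the DRM objects (not kernel code); event_lock_held
 * models crtc->dev->event_lock and is 1 while the lock is held. */
struct vblank_event { int pipe; };
struct crtc_state  { struct vblank_event *event; int active; };
struct crtc { struct crtc_state *state; int event_lock_held; };

/* The "other thread" of the commit message: it clears crtc->state->event but
 * needs event_lock too, so it can only act (rather than spin) while it is free. */
static void other_thread_clears_event(struct crtc *c) {
	if (!c->event_lock_held) c->state->event = NULL;
}
/* Stands in for drm_crtc_send_vblank_event(), which writes e->pipe without a
 * NULL check; returns -1 instead of faulting so the outcome can be asserted. */
static int send_vblank_event(struct vblank_event *e, int pipe) {
	if (!e) return -1;
	e->pipe = pipe;
	return 0;
}

/* Before the patch: the condition is evaluated without the lock. Both variants
 * let the other thread run in the window between the check and the use. */
static int racy_atomic_disable(struct crtc *c) {
	int ret = 0;
	if (c->state->event && !c->state->active) {
		other_thread_clears_event(c);
		c->event_lock_held = 1;
		ret = send_vblank_event(c->state->event, 0);
		c->event_lock_held = 0;
		c->state->event = NULL;
	}
	return ret;
}
/* After the patch: check, send and clear all happen under event_lock. */
static int fixed_atomic_disable(struct crtc *c) {
	int ret = 0;
	c->event_lock_held = 1;
	if (c->state->event && !c->state->active) {
		other_thread_clears_event(c);	/* blocked: the lock is held */
		ret = send_vblank_event(c->state->event, 0);
		c->state->event = NULL;
	}
	c->event_lock_held = 0;
	return ret;
}
/* Runs one variant against a fresh CRTC that holds a pending event. */
static int run_scenario(int (*disable)(struct crtc *)) {
	struct vblank_event ev = { -1 };
	struct crtc_state st = { &ev, 0 };
	struct crtc c = { &st, 0 };
	return disable(&c);
}
```

run_scenario(racy_atomic_disable) returns -1 (the send would have dereferenced NULL) while run_scenario(fixed_atomic_disable) returns 0, because the writer cannot enter while the lock is held.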

