From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Tuo Li <islituo@gmail.com>, BassCheck <bass@buaa.edu.cn>,
Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>,
Inki Dae <inki.dae@samsung.com>, Sasha Levin <sashal@kernel.org>,
sw0312.kim@samsung.com, kyungmin.park@samsung.com,
airlied@gmail.com, daniel@ffwll.ch,
dri-devel@lists.freedesktop.org,
linux-arm-kernel@lists.infradead.org,
linux-samsung-soc@vger.kernel.org
Subject: [PATCH AUTOSEL 6.5 26/36] drm/exynos: fix a possible null-pointer dereference due to data race in exynos_drm_crtc_atomic_disable()
Date: Fri, 8 Sep 2023 15:28:37 -0400
Message-ID: <20230908192848.3462476-26-sashal@kernel.org>
In-Reply-To: <20230908192848.3462476-1-sashal@kernel.org>
From: Tuo Li <islituo@gmail.com>
[ Upstream commit 2e63972a2de14482d0eae1a03a73e379f1c3f44c ]
The variable crtc->state->event is often protected by the lock
crtc->dev->event_lock when it is accessed. However, it is accessed as a
condition of an if statement in exynos_drm_crtc_atomic_disable() without
holding the lock:

  if (crtc->state->event && !crtc->state->active)

However, if crtc->state->event is changed to NULL by another thread right
after the condition of the if statement is checked to be true, a
null-pointer dereference can occur in drm_crtc_send_vblank_event():

  e->pipe = pipe;

To fix this possible null-pointer dereference caused by a data race, the
spin lock coverage is extended to protect the if statement as well as the
function call to drm_crtc_send_vblank_event().
Reported-by: BassCheck <bass@buaa.edu.cn>
Link: https://sites.google.com/view/basscheck/home
Signed-off-by: Tuo Li <islituo@gmail.com>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Added relevant link.
Signed-off-by: Inki Dae <inki.dae@samsung.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/exynos/exynos_drm_crtc.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/drivers/gpu/drm/exynos/exynos_drm_crtc.c b/drivers/gpu/drm/exynos/exynos_drm_crtc.c
index 4153f302de7c4..d19e796c20613 100644
--- a/drivers/gpu/drm/exynos/exynos_drm_crtc.c
+++ b/drivers/gpu/drm/exynos/exynos_drm_crtc.c
@@ -39,13 +39,12 @@ static void exynos_drm_crtc_atomic_disable(struct drm_crtc *crtc,
if (exynos_crtc->ops->atomic_disable)
exynos_crtc->ops->atomic_disable(exynos_crtc);
+ spin_lock_irq(&crtc->dev->event_lock);
if (crtc->state->event && !crtc->state->active) {
- spin_lock_irq(&crtc->dev->event_lock);
drm_crtc_send_vblank_event(crtc, crtc->state->event);
- spin_unlock_irq(&crtc->dev->event_lock);
-
crtc->state->event = NULL;
}
+ spin_unlock_irq(&crtc->dev->event_lock);
}
static int exynos_crtc_atomic_check(struct drm_crtc *crtc,
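Review bot: the lock now also covers the `crtc->state->event = NULL;` store, which before this hunk happened after `spin_unlock_irq()`; that store being inside the critical section is what makes the check, send and clear atomic with respect to another thread clearing the event, but the commit message only says the lock was extended over the if statement and the drm_crtc_send_vblank_event() call, so consider naming the store explicitly there. The enlarged critical section adds only the `!crtc->state->active` read and the NULL store, nothing that can sleep, so keeping `spin_lock_irq()` as in the original code rather than an irqsave variant is consistent.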
--
2.40.1
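The race the commit message describes, as an added example that is not part of the patch or of the kernel tree: a userspace C model of the pre-fix shape (condition read outside the lock, send inside it) next to the post-fix shape (lock held across check, send and clear). Everything here is a hypothetical stand-in: the flag lock, `model_crtc`, `try_clear_event`, `run_scenario`; the "preempt" hook models another thread being scheduled at the point between the unlocked check and the locked send, and the model counts a would-be NULL dereference instead of faulting at `e->pipe = pipe`.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical flag lock: the model is single-threaded, and a "preempt"
 * hook stands in for another thread running at a chosen point. */
struct model_lock { bool held; };

static void model_lock(struct model_lock *l)
{
    assert(!l->held);           /* a spinlock is not re-entrant */
    l->held = true;
}

static void model_unlock(struct model_lock *l)
{
    assert(l->held);
    l->held = false;
}

static bool model_trylock(struct model_lock *l)
{
    if (l->held)
        return false;           /* someone else is inside the critical section */
    l->held = true;
    return true;
}

struct model_event { int pipe; };

struct model_crtc {
    struct model_lock event_lock;   /* stands in for crtc->dev->event_lock */
    struct model_event *event;      /* stands in for crtc->state->event */
    bool active;                    /* stands in for crtc->state->active */
    int sent;                       /* events delivered */
    int null_deref;                 /* would-be NULL dereferences */
};

typedef bool (*preempt_fn)(struct model_crtc *);

/* Stands in for drm_crtc_send_vblank_event(); it expects event_lock held.
 * The kernel would fault at e->pipe = pipe on NULL; the model counts it. */
static void model_send_vblank_event(struct model_crtc *c, struct model_event *e, int pipe)
{
    assert(c->event_lock.held);
    if (!e) {
        c->null_deref++;
        return;
    }
    e->pipe = pipe;
    c->sent++;
}

/* The other thread: clears the event under event_lock. With trylock, a held
 * lock means it cannot run right now; returns whether it cleared anything. */
static bool try_clear_event(struct model_crtc *c)
{
    if (!model_trylock(&c->event_lock))
        return false;
    c->event = NULL;
    model_unlock(&c->event_lock);
    return true;
}

/* Pre-fix shape: the condition is read without the lock. */
static void disable_racy(struct model_crtc *c, preempt_fn preempt)
{
    if (c->event && !c->active) {
        if (preempt)
            preempt(c);         /* window: event may become NULL here */
        model_lock(&c->event_lock);
        model_send_vblank_event(c, c->event, 0);
        model_unlock(&c->event_lock);
        c->event = NULL;
    }
}

/* Post-fix shape: the lock covers the check, the send and the clear. */
static void disable_fixed(struct model_crtc *c, preempt_fn preempt)
{
    model_lock(&c->event_lock);
    if (c->event && !c->active) {
        if (preempt)
            preempt(c);         /* the clearer cannot take the lock now */
        model_send_vblank_event(c, c->event, 0);
        c->event = NULL;
    }
    model_unlock(&c->event_lock);
}

struct model_result { int sent; int null_deref; };

/* Runs one disable with the clearer scheduled at the worst possible point. */
static struct model_result run_scenario(bool fixed)
{
    struct model_event ev = { .pipe = -1 };
    struct model_crtc c = { .event = &ev, .active = false };
    if (fixed)
        disable_fixed(&c, try_clear_event);
    else
        disable_racy(&c, try_clear_event);
    struct model_result r = { c.sent, c.null_deref };
    return r;
}

int main(void)
{
    struct model_result racy = run_scenario(false), fixed = run_scenario(true);
    printf("racy:  sent=%d null_deref=%d\n", racy.sent, racy.null_deref);
    printf("fixed: sent=%d null_deref=%d\n", fixed.sent, fixed.null_deref);
    return 0;
}
```

With the clearer scheduled inside the window, the pre-fix shape loses the event and hands a NULL pointer to the send routine; the post-fix shape keeps the clearer out until the event has been delivered and the pointer cleared under the same lock.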