From: Maxime Ripard
To: Mark Rutland, Rob Herring, Frank Rowand, Eric Anholt, Daniel Vetter, David Airlie, Maarten Lankhorst, Thomas Zimmermann, Maxime Ripard
Cc: devicetree@vger.kernel.org, Tim Gover, Dave Stevenson, dri-devel@lists.freedesktop.org, bcm-kernel-feedback-list@broadcom.com, linux-rpi-kernel@lists.infradead.org, Phil Elwell, linux-arm-kernel@lists.infradead.org
Subject: [PATCH 2/8] drm: Document use-after-free gotcha with private objects
Date: Fri, 13 Nov 2020 16:29:50 +0100
Message-Id: <20201113152956.139663-3-maxime@cerno.tech>
In-Reply-To: <20201113152956.139663-1-maxime@cerno.tech>
References: <20201113152956.139663-1-maxime@cerno.tech>

The private objects have a gotcha that could result in a use-after-free, make sure it's properly documented.

Signed-off-by: Maxime Ripard
--- include/drm/drm_atomic.h | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/include/drm/drm_atomic.h b/include/drm/drm_atomic.h index 413fd0ca56a8..24b52b3a459f 100644 --- a/include/drm/drm_atomic.h +++ b/include/drm/drm_atomic.h
@@ -248,6 +248,24 @@ struct drm_private_state_funcs { * drm_dev_register() * 2/ all calls to drm_atomic_private_obj_fini() must be done after calling * drm_dev_unregister() + * + * If that private object is used to store a state shared my multiple + * CRTCs, proper care must be taken to ensure that non-blocking commits are + * properly ordered to avoid a use-after-free issue. + * + * Indeed, assuming a sequence of two non-blocking commits on two different + * CRTCs using different planes and connectors, so with no resources shared, + * there's no guarantee on which commit is going to happen first. However, the + * second commit will consider the first private state its old state, and will + * be in charge of freeing it whenever the second commit is done. + * + * If the first commit happens after it, it will consider its private state the + * new state and will be likely to access it, resulting in an access to a freed + * memory region. A way to circumvent this is to store (and get a reference to) + * the crtc commit in our private state in + * &drm_mode_config_helper_funcs.atomic_commit_setup, and then wait for that + * commit to complete as part of + * &drm_mode_config_helper_funcs.atomic_commit_tail. */ struct drm_private_obj { /** -- 2.28.0 _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
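
Review bot: the workaround in the last added paragraph ("store (and get a reference to) the crtc commit in our private state") does not say which commit is meant or where the reference taken in atomic_commit_setup is released, so a driver following it literally could wait on the wrong commit or leak the reference. Suggest stating that each commit waits on the commit recorded in the old private state, and naming the point at which the stored reference is dropped. In the preceding paragraph, "If the first commit happens after it, it will consider its private state the new state" uses "it" for both commits; writing "the first commit" and "the second commit" explicitly would make the freed-memory access unambiguous. The first added paragraph also has a typo, "shared my multiple CRTCs" should read "shared by multiple CRTCs", and the comment mixes "CRTCs" with lowercase "crtc commit".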