From: Maxime Ripard
To: Daniel Vetter, David Airlie, Maarten Lankhorst, Thomas Zimmermann, Maxime Ripard, Mark Rutland, Rob Herring, Frank Rowand, Eric Anholt
Cc: devicetree@vger.kernel.org, Tim Gover, Dave Stevenson, Daniel Vetter, dri-devel@lists.freedesktop.org, bcm-kernel-feedback-list@broadcom.com, linux-rpi-kernel@lists.infradead.org, Phil Elwell, linux-arm-kernel@lists.infradead.org
Subject: [PATCH v2 2/7] drm: Document use-after-free gotcha with private objects
Date: Fri, 4 Dec 2020 16:11:33 +0100
Message-Id: <20201204151138.1739736-3-maxime@cerno.tech>
In-Reply-To: <20201204151138.1739736-1-maxime@cerno.tech>
References: <20201204151138.1739736-1-maxime@cerno.tech>

The private objects have a gotcha that could result in a use-after-free, make sure it's properly documented.

Reviewed-by: Daniel Vetter
Signed-off-by: Maxime Ripard
--- include/drm/drm_atomic.h | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/include/drm/drm_atomic.h b/include/drm/drm_atomic.h index d07c851d255b..5d34c1df03f3 100644 --- a/include/drm/drm_atomic.h +++ b/include/drm/drm_atomic.h 
@@ -248,6 +248,26 @@ struct drm_private_state_funcs { * drm_dev_register() * 2/ all calls to drm_atomic_private_obj_fini() must be done after calling * drm_dev_unregister() + * + * If that private object is used to store a state shared by multiple + * CRTCs, proper care must be taken to ensure that non-blocking commits are + * properly ordered to avoid a use-after-free issue. + * + * Indeed, assuming a sequence of two non-blocking &drm_atomic_commit on two + * different &drm_crtc using different &drm_plane and &drm_connector, so with no + * resources shared, there's no guarantee on which commit is going to happen + * first. However, the second &drm_atomic_commit will consider the first + * &drm_private_obj its old state, and will be in charge of freeing it whenever + * the second &drm_atomic_commit is done. + * + * If the first &drm_atomic_commit happens after it, it will consider its + * &drm_private_obj the new state and will be likely to access it, resulting in + * an access to a freed memory region. Drivers should store (and get a reference + * to) the &drm_crtc_commit structure in our private state in + * &drm_mode_config_helper_funcs.atomic_commit_setup, and then wait for that + * commit to complete as the first step of + * &drm_mode_config_helper_funcs.atomic_commit_tail, similar to + * drm_atomic_helper_wait_for_dependencies(). */ struct drm_private_obj { /** -- 2.28.0 _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
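Review bot: In the second and third added paragraphs, "will consider the first &drm_private_obj its old state" and "will consider its &drm_private_obj the new state" name the object where the state attached to it is meant. Per the context lines just above, the object itself is only torn down by drm_atomic_private_obj_fini() after drm_dev_unregister(), so what the second commit frees is the first commit's private state, not the object; saying "the first commit's private state" in both places would make the use-after-free easier to follow. In the same paragraph, "If the first &drm_atomic_commit happens after it" leaves "it" ambiguous (after the second commit starts, or after it has completed and freed the old state?), and "in our private state" should read "in their private state" to match "Drivers should".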