From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Tuo Li <islituo@gmail.com>, BassCheck <bass@buaa.edu.cn>,
Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>,
Inki Dae <inki.dae@samsung.com>, Sasha Levin <sashal@kernel.org>,
sw0312.kim@samsung.com, kyungmin.park@samsung.com,
airlied@gmail.com, daniel@ffwll.ch,
dri-devel@lists.freedesktop.org,
linux-arm-kernel@lists.infradead.org,
linux-samsung-soc@vger.kernel.org
Subject: [PATCH AUTOSEL 6.1 17/22] drm/exynos: fix a possible null-pointer dereference due to data race in exynos_drm_crtc_atomic_disable()
Date: Fri, 8 Sep 2023 15:34:01 -0400
Message-ID: <20230908193407.3463368-17-sashal@kernel.org>
In-Reply-To: <20230908193407.3463368-1-sashal@kernel.org>

From: Tuo Li <islituo@gmail.com>

[ Upstream commit 2e63972a2de14482d0eae1a03a73e379f1c3f44c ]

The variable crtc->state->event is often protected by the lock
crtc->dev->event_lock when it is accessed. However, it is accessed as a
condition of an if statement in exynos_drm_crtc_atomic_disable() without
holding the lock:

  if (crtc->state->event && !crtc->state->active)

However, if crtc->state->event is changed to NULL by another thread right
after the conditions of the if statement are checked to be true, a
null-pointer dereference can occur in drm_crtc_send_vblank_event():

  e->pipe = pipe;

To fix this possible null-pointer dereference caused by a data race, the
spin lock coverage is extended to protect the if statement as well as the
function call to drm_crtc_send_vblank_event().

Reported-by: BassCheck <bass@buaa.edu.cn>
Link: https://sites.google.com/view/basscheck/home
Signed-off-by: Tuo Li <islituo@gmail.com>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Added relevant link.
Signed-off-by: Inki Dae <inki.dae@samsung.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/exynos/exynos_drm_crtc.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/drivers/gpu/drm/exynos/exynos_drm_crtc.c b/drivers/gpu/drm/exynos/exynos_drm_crtc.c
index 4153f302de7c4..d19e796c20613 100644
--- a/drivers/gpu/drm/exynos/exynos_drm_crtc.c
+++ b/drivers/gpu/drm/exynos/exynos_drm_crtc.c
@@ -39,13 +39,12 @@ static void exynos_drm_crtc_atomic_disable(struct drm_crtc *crtc,
if (exynos_crtc->ops->atomic_disable)
exynos_crtc->ops->atomic_disable(exynos_crtc);
+ spin_lock_irq(&crtc->dev->event_lock);
if (crtc->state->event && !crtc->state->active) {
- spin_lock_irq(&crtc->dev->event_lock);
drm_crtc_send_vblank_event(crtc, crtc->state->event);
- spin_unlock_irq(&crtc->dev->event_lock);
-
crtc->state->event = NULL;
}
+ spin_unlock_irq(&crtc->dev->event_lock);
}
static int exynos_crtc_atomic_check(struct drm_crtc *crtc,
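
Review bot: The widened spin_lock_irq()/spin_unlock_irq() pair around the "if (crtc->state->event && !crtc->state->active)" check only closes the race if every other writer of crtc->state->event also holds crtc->dev->event_lock, and neither this hunk nor the commit message names the concurrent writer. The report comes from a static checker and the commit message itself calls the dereference "possible", so please cite the racing path in the commit message before this goes into 6.1. It is also worth stating in the message that the "crtc->state->event = NULL;" store used to sit after the unlock and is now inside the lock, so the check, the send and the clear form one critical section. The lock is now taken on every disable, including when no event is pending; a one-line comment above spin_lock_irq() saying that event_lock protects crtc->state->event would document why.
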
--
2.40.1