From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Imre Deak <imre.deak@intel.com>, Lyude Paul <lyude@redhat.com>,
Sasha Levin <sashal@kernel.org>,
maarten.lankhorst@linux.intel.com, mripard@kernel.org,
tzimmermann@suse.de, airlied@gmail.com, simona@ffwll.ch,
jani.nikula@intel.com, harry.wentland@amd.com,
alexander.deucher@amd.com, Wayne.Lin@amd.com,
dri-devel@lists.freedesktop.org
Subject: [PATCH AUTOSEL 6.6 19/23] drm/dp_mst: Ensure mst_primary pointer is valid in drm_dp_mst_handle_up_req()
Date: Wed, 11 Dec 2024 13:51:56 -0500 [thread overview]
Message-ID: <20241211185214.3841978-19-sashal@kernel.org> (raw)
In-Reply-To: <20241211185214.3841978-1-sashal@kernel.org>
From: Imre Deak <imre.deak@intel.com>
[ Upstream commit e54b00086f7473dbda1a7d6fc47720ced157c6a8 ]
While receiving an MST up request message from one thread in
drm_dp_mst_handle_up_req(), the MST topology could be removed from
another thread via drm_dp_mst_topology_mgr_set_mst(false), freeing
mst_primary and setting drm_dp_mst_topology_mgr::mst_primary to NULL.
This could lead to a NULL deref/use-after-free of mst_primary in
drm_dp_mst_handle_up_req().
Avoid the above by holding a reference for mst_primary in
drm_dp_mst_handle_up_req() while it's used.
v2: Fix kfreeing the request if getting an mst_primary reference fails.
Cc: Lyude Paul <lyude@redhat.com>
Reviewed-by: Lyude Paul <lyude@redhat.com> (v1)
Signed-off-by: Imre Deak <imre.deak@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20241204132007.3132494-1-imre.deak@intel.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/display/drm_dp_mst_topology.c | 24 ++++++++++++++-----
1 file changed, 18 insertions(+), 6 deletions(-)
diff --git a/drivers/gpu/drm/display/drm_dp_mst_topology.c b/drivers/gpu/drm/display/drm_dp_mst_topology.c
index 6ead31701e79e..4d954e50964f0 100644
--- a/drivers/gpu/drm/display/drm_dp_mst_topology.c
+++ b/drivers/gpu/drm/display/drm_dp_mst_topology.c
@@ -3995,9 +3995,10 @@ static void drm_dp_mst_up_req_work(struct work_struct *work)
static int drm_dp_mst_handle_up_req(struct drm_dp_mst_topology_mgr *mgr)
{
struct drm_dp_pending_up_req *up_req;
+ struct drm_dp_mst_branch *mst_primary;
if (!drm_dp_get_one_sb_msg(mgr, true, NULL))
- goto out;
+ goto out_clear_reply;
if (!mgr->up_req_recv.have_eomt)
return 0;
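Review bot: `mst_primary` is declared without an initializer, and the `goto out_clear_reply` on the `drm_dp_get_one_sb_msg()` failure path is only safe because `out_clear_reply` sits below `out_put_primary`, so exits taken before the reference is acquired skip `drm_dp_mst_topology_put_mstb()`. A one-line comment at the declaration (e.g. `/* valid only after the try_get below; use out_clear_reply before that */`) would stop a later edit from reordering the labels or adding an early exit that reaches the put with an uninitialized pointer.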
@@ -4015,10 +4016,19 @@ static int drm_dp_mst_handle_up_req(struct drm_dp_mst_topology_mgr *mgr)
drm_dbg_kms(mgr->dev, "Received unknown up req type, ignoring: %x\n",
up_req->msg.req_type);
kfree(up_req);
- goto out;
+ goto out_clear_reply;
+ }
+
+ mutex_lock(&mgr->lock);
+ mst_primary = mgr->mst_primary;
+ if (!mst_primary || !drm_dp_mst_topology_try_get_mstb(mst_primary)) {
+ mutex_unlock(&mgr->lock);
+ kfree(up_req);
+ goto out_clear_reply;
}
+ mutex_unlock(&mgr->lock);
- drm_dp_send_up_ack_reply(mgr, mgr->mst_primary, up_req->msg.req_type,
+ drm_dp_send_up_ack_reply(mgr, mst_primary, up_req->msg.req_type,
false);
if (up_req->msg.req_type == DP_CONNECTION_STATUS_NOTIFY) {
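Review bot: the new failure branch (`!mst_primary || !drm_dp_mst_topology_try_get_mstb(mst_primary)`) frees the request and returns silently, unlike the `unknown up req type` branch just above it, which logs with `drm_dbg_kms()`. Since this branch fires exactly in the race the commit message describes (topology torn down while an up request is in flight), a `drm_dbg_kms(mgr->dev, "Dropping up req %x: no mst_primary\n", up_req->msg.req_type);` before the `kfree(up_req)` would make the dropped request visible when debugging. Taking the reference under `mgr->lock` and releasing the lock before `drm_dp_send_up_ack_reply()` is fine: from here on the held reference, not the lock, keeps `mst_primary` alive.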
@@ -4035,13 +4045,13 @@ static int drm_dp_mst_handle_up_req(struct drm_dp_mst_topology_mgr *mgr)
conn_stat->peer_device_type);
mutex_lock(&mgr->probe_lock);
- handle_csn = mgr->mst_primary->link_address_sent;
+ handle_csn = mst_primary->link_address_sent;
mutex_unlock(&mgr->probe_lock);
if (!handle_csn) {
drm_dbg_kms(mgr->dev, "Got CSN before finish topology probing. Skip it.");
kfree(up_req);
- goto out;
+ goto out_put_primary;
}
} else if (up_req->msg.req_type == DP_RESOURCE_STATUS_NOTIFY) {
const struct drm_dp_resource_status_notify *res_stat =
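Review bot: the `goto out_put_primary` on the "CSN before probing finished" path is the one exit in this hunk that must drop the reference, and it does; `handle_csn` is now read from the pinned `mst_primary` under `probe_lock`, so the previous dereference of a possibly-NULL `mgr->mst_primary` is gone. Minor style point on the context line: the `drm_dbg_kms()` format string `"Got CSN before finish topology probing. Skip it."` lacks the trailing `\n` that the neighbouring messages use; worth fixing if the line is touched again.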
@@ -4058,7 +4068,9 @@ static int drm_dp_mst_handle_up_req(struct drm_dp_mst_topology_mgr *mgr)
mutex_unlock(&mgr->up_req_lock);
queue_work(system_long_wq, &mgr->up_req_work);
-out:
+out_put_primary:
+ drm_dp_mst_topology_put_mstb(mst_primary);
+out_clear_reply:
memset(&mgr->up_req_recv, 0, sizeof(struct drm_dp_sideband_msg_rx));
return 0;
}
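Review bot: the fall-through from `out_put_primary:` into `out_clear_reply:` is intentional but unmarked; a short comment such as `/* fall through: the rx state is always cleared */` between the put and the second label would help, since a reader scanning two adjacent labels may assume a `return` is missing. Also confirm that every `goto out_put_primary` is reachable only after `drm_dp_mst_topology_try_get_mstb()` succeeded: in this patch the three early exits before the try_get all use `out_clear_reply`, so the invariant holds.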
--
2.43.0