From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Imre Deak <imre.deak@intel.com>, Lyude Paul <lyude@redhat.com>,
Sasha Levin <sashal@kernel.org>,
maarten.lankhorst@linux.intel.com, mripard@kernel.org,
tzimmermann@suse.de, airlied@gmail.com, simona@ffwll.ch,
jani.nikula@intel.com, harry.wentland@amd.com,
alexander.deucher@amd.com, Wayne.Lin@amd.com,
dri-devel@lists.freedesktop.org
Subject: [PATCH AUTOSEL 6.12 32/36] drm/dp_mst: Ensure mst_primary pointer is valid in drm_dp_mst_handle_up_req()
Date: Wed, 11 Dec 2024 13:49:48 -0500
Message-ID: <20241211185028.3841047-32-sashal@kernel.org>
In-Reply-To: <20241211185028.3841047-1-sashal@kernel.org>
From: Imre Deak <imre.deak@intel.com>
[ Upstream commit e54b00086f7473dbda1a7d6fc47720ced157c6a8 ]
While receiving an MST up request message from one thread in
drm_dp_mst_handle_up_req(), the MST topology could be removed from
another thread via drm_dp_mst_topology_mgr_set_mst(false), freeing
mst_primary and setting drm_dp_mst_topology_mgr::mst_primary to NULL.
This could lead to a NULL deref/use-after-free of mst_primary in
drm_dp_mst_handle_up_req().
Avoid the above by holding a reference for mst_primary in
drm_dp_mst_handle_up_req() while it's used.
v2: Fix kfreeing the request if getting an mst_primary reference fails.
Cc: Lyude Paul <lyude@redhat.com>
Reviewed-by: Lyude Paul <lyude@redhat.com> (v1)
Signed-off-by: Imre Deak <imre.deak@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20241204132007.3132494-1-imre.deak@intel.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/display/drm_dp_mst_topology.c | 24 ++++++++++++++-----
1 file changed, 18 insertions(+), 6 deletions(-)
diff --git a/drivers/gpu/drm/display/drm_dp_mst_topology.c b/drivers/gpu/drm/display/drm_dp_mst_topology.c
index ac90118b9e7a8..a13514d106345 100644
--- a/drivers/gpu/drm/display/drm_dp_mst_topology.c
+++ b/drivers/gpu/drm/display/drm_dp_mst_topology.c
@@ -4070,9 +4070,10 @@ static void drm_dp_mst_up_req_work(struct work_struct *work)
static int drm_dp_mst_handle_up_req(struct drm_dp_mst_topology_mgr *mgr)
{
struct drm_dp_pending_up_req *up_req;
+ struct drm_dp_mst_branch *mst_primary;
if (!drm_dp_get_one_sb_msg(mgr, true, NULL))
- goto out;
+ goto out_clear_reply;
if (!mgr->up_req_recv.have_eomt)
return 0;
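Review bot: `mst_primary` is declared without an initializer, and both early exits in this hunk (`goto out_clear_reply` after `drm_dp_get_one_sb_msg()` and the `return 0` on a missing EOMT) run before it is assigned. That is only safe because `out_clear_reply` is placed below the put in the exit sequence; a future early exit that jumps to `out_put_primary` before the reference is taken would hand an indeterminate pointer to `drm_dp_mst_topology_put_mstb()`. A short comment at the declaration stating that only `out_clear_reply` may be used until the reference is acquired would make that invariant explicit for later changes.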
@@ -4090,10 +4091,19 @@ static int drm_dp_mst_handle_up_req(struct drm_dp_mst_topology_mgr *mgr)
drm_dbg_kms(mgr->dev, "Received unknown up req type, ignoring: %x\n",
up_req->msg.req_type);
kfree(up_req);
- goto out;
+ goto out_clear_reply;
+ }
+
+ mutex_lock(&mgr->lock);
+ mst_primary = mgr->mst_primary;
+ if (!mst_primary || !drm_dp_mst_topology_try_get_mstb(mst_primary)) {
+ mutex_unlock(&mgr->lock);
+ kfree(up_req);
+ goto out_clear_reply;
}
+ mutex_unlock(&mgr->lock);
- drm_dp_send_up_ack_reply(mgr, mgr->mst_primary, up_req->msg.req_type,
+ drm_dp_send_up_ack_reply(mgr, mst_primary, up_req->msg.req_type,
false);
if (up_req->msg.req_type == DP_CONNECTION_STATUS_NOTIFY) {
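Review bot: the reference is taken under `mgr->lock` and the lock is released before `drm_dp_send_up_ack_reply()`, so the ack goes out against a pinned branch instead of a fresh read of `mgr->mst_primary`, which is the right shape for the race described in the commit message. On the failure path (`!mst_primary || !drm_dp_mst_topology_try_get_mstb(mst_primary)`) the request is freed and the jump goes to `out_clear_reply`, which covers the v2 leak fix; consider adding a `drm_dbg_kms()` there, matching the unknown-request path just above, since an up request silently dropped after a topology teardown is otherwise hard to diagnose from logs.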
@@ -4110,13 +4120,13 @@ static int drm_dp_mst_handle_up_req(struct drm_dp_mst_topology_mgr *mgr)
conn_stat->peer_device_type);
mutex_lock(&mgr->probe_lock);
- handle_csn = mgr->mst_primary->link_address_sent;
+ handle_csn = mst_primary->link_address_sent;
mutex_unlock(&mgr->probe_lock);
if (!handle_csn) {
drm_dbg_kms(mgr->dev, "Got CSN before finish topology probing. Skip it.");
kfree(up_req);
- goto out;
+ goto out_put_primary;
}
} else if (up_req->msg.req_type == DP_RESOURCE_STATUS_NOTIFY) {
const struct drm_dp_resource_status_notify *res_stat =
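Review bot: reading `link_address_sent` through the local `mst_primary` and switching the CSN skip path to `goto out_put_primary` is consistent with the reference taken earlier, and the `kfree(up_req)` before the jump keeps that error path leak-free. Since the old `out` label is removed in this patch, it is worth confirming that no exit in the unchanged remainder of the function (the `DP_RESOURCE_STATUS_NOTIFY` branch that starts here) still targets it; any survivor would break the build rather than misbehave, but it is the kind of thing a backport to 6.12 can pick up if the surrounding code differs from upstream.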
@@ -4133,7 +4143,9 @@ static int drm_dp_mst_handle_up_req(struct drm_dp_mst_topology_mgr *mgr)
mutex_unlock(&mgr->up_req_lock);
queue_work(system_long_wq, &mgr->up_req_work);
-out:
+out_put_primary:
+ drm_dp_mst_topology_put_mstb(mst_primary);
+out_clear_reply:
memset(&mgr->up_req_recv, 0, sizeof(struct drm_dp_sideband_msg_rx));
return 0;
}
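Review bot: the reference is dropped at `out_put_primary` immediately after `queue_work(system_long_wq, &mgr->up_req_work)`, so by the time `drm_dp_mst_up_req_work()` processes the queued request this function no longer pins `mst_primary`. If that work path dereferences `mgr->mst_primary` it is exposed to the same `drm_dp_mst_topology_mgr_set_mst(false)` teardown race this patch closes for the receive path; the commit message should state whether the work item takes its own reference or is otherwise serialized against teardown. The label ordering itself is fine: `out_put_primary` falls through into `out_clear_reply`, so the `memset()` of `up_req_recv` runs on both the success and the early-exit paths as before.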
--
2.43.0