From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Lyude Paul <lyude@redhat.com>,
Imre Deak <imre.deak@intel.com>, Sasha Levin <sashal@kernel.org>
Subject: [PATCH 6.1 36/60] drm/dp_mst: Ensure mst_primary pointer is valid in drm_dp_mst_handle_up_req()
Date: Mon, 30 Dec 2024 16:42:46 +0100 [thread overview]
Message-ID: <20241230154208.651587698@linuxfoundation.org> (raw)
In-Reply-To: <20241230154207.276570972@linuxfoundation.org>
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Imre Deak <imre.deak@intel.com>
[ Upstream commit e54b00086f7473dbda1a7d6fc47720ced157c6a8 ]
While receiving an MST up request message from one thread in
drm_dp_mst_handle_up_req(), the MST topology could be removed from
another thread via drm_dp_mst_topology_mgr_set_mst(false), freeing
mst_primary and setting drm_dp_mst_topology_mgr::mst_primary to NULL.
This could lead to a NULL deref/use-after-free of mst_primary in
drm_dp_mst_handle_up_req().
Avoid the above by holding a reference for mst_primary in
drm_dp_mst_handle_up_req() while it's used.
v2: Fix kfreeing the request if getting an mst_primary reference fails.
Cc: Lyude Paul <lyude@redhat.com>
Reviewed-by: Lyude Paul <lyude@redhat.com> (v1)
Signed-off-by: Imre Deak <imre.deak@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20241204132007.3132494-1-imre.deak@intel.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/display/drm_dp_mst_topology.c | 24 ++++++++++++++-----
1 file changed, 18 insertions(+), 6 deletions(-)
diff --git a/drivers/gpu/drm/display/drm_dp_mst_topology.c b/drivers/gpu/drm/display/drm_dp_mst_topology.c
index 4f8fcfaa80fd..d8cbb4eadc5b 100644
--- a/drivers/gpu/drm/display/drm_dp_mst_topology.c
+++ b/drivers/gpu/drm/display/drm_dp_mst_topology.c
@@ -4033,9 +4033,10 @@ static void drm_dp_mst_up_req_work(struct work_struct *work)
static int drm_dp_mst_handle_up_req(struct drm_dp_mst_topology_mgr *mgr)
{
struct drm_dp_pending_up_req *up_req;
+ struct drm_dp_mst_branch *mst_primary;
if (!drm_dp_get_one_sb_msg(mgr, true, NULL))
- goto out;
+ goto out_clear_reply;
if (!mgr->up_req_recv.have_eomt)
return 0;
@@ -4053,10 +4054,19 @@ static int drm_dp_mst_handle_up_req(struct drm_dp_mst_topology_mgr *mgr)
drm_dbg_kms(mgr->dev, "Received unknown up req type, ignoring: %x\n",
up_req->msg.req_type);
kfree(up_req);
- goto out;
+ goto out_clear_reply;
+ }
+
+ mutex_lock(&mgr->lock);
+ mst_primary = mgr->mst_primary;
+ if (!mst_primary || !drm_dp_mst_topology_try_get_mstb(mst_primary)) {
+ mutex_unlock(&mgr->lock);
+ kfree(up_req);
+ goto out_clear_reply;
}
+ mutex_unlock(&mgr->lock);
- drm_dp_send_up_ack_reply(mgr, mgr->mst_primary, up_req->msg.req_type,
+ drm_dp_send_up_ack_reply(mgr, mst_primary, up_req->msg.req_type,
false);
if (up_req->msg.req_type == DP_CONNECTION_STATUS_NOTIFY) {
@@ -4073,13 +4083,13 @@ static int drm_dp_mst_handle_up_req(struct drm_dp_mst_topology_mgr *mgr)
conn_stat->peer_device_type);
mutex_lock(&mgr->probe_lock);
- handle_csn = mgr->mst_primary->link_address_sent;
+ handle_csn = mst_primary->link_address_sent;
mutex_unlock(&mgr->probe_lock);
if (!handle_csn) {
drm_dbg_kms(mgr->dev, "Got CSN before finish topology probing. Skip it.");
kfree(up_req);
- goto out;
+ goto out_put_primary;
}
} else if (up_req->msg.req_type == DP_RESOURCE_STATUS_NOTIFY) {
const struct drm_dp_resource_status_notify *res_stat =
@@ -4096,7 +4106,9 @@ static int drm_dp_mst_handle_up_req(struct drm_dp_mst_topology_mgr *mgr)
mutex_unlock(&mgr->up_req_lock);
queue_work(system_long_wq, &mgr->up_req_work);
-out:
+out_put_primary:
+ drm_dp_mst_topology_put_mstb(mst_primary);
+out_clear_reply:
memset(&mgr->up_req_recv, 0, sizeof(struct drm_dp_sideband_msg_rx));
return 0;
}
--
2.39.5
next prev parent reply other threads:[~2024-12-30 15:46 UTC|newest]
Thread overview: 71+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-12-30 15:42 [PATCH 6.1 00/60] 6.1.123-rc1 review Greg Kroah-Hartman
2024-12-30 15:42 ` [PATCH 6.1 01/60] media: dvb-frontends: dib3000mb: fix uninit-value in dib3000_write_reg Greg Kroah-Hartman
2024-12-30 15:42 ` [PATCH 6.1 02/60] mm/vmstat: fix a W=1 clang compiler warning Greg Kroah-Hartman
2024-12-30 15:42 ` [PATCH 6.1 03/60] tcp_bpf: Charge receive socket buffer in bpf_tcp_ingress() Greg Kroah-Hartman
2024-12-30 15:42 ` [PATCH 6.1 04/60] tcp_bpf: Add sk_rmem_alloc related logic for tcp_bpf ingress redirection Greg Kroah-Hartman
2024-12-30 15:42 ` [PATCH 6.1 05/60] bpf: Check negative offsets in __bpf_skb_min_len() Greg Kroah-Hartman
2024-12-30 15:42 ` [PATCH 6.1 06/60] nfsd: restore callback functionality for NFSv4.0 Greg Kroah-Hartman
2024-12-30 15:42 ` [PATCH 6.1 07/60] mtd: diskonchip: Cast an operand to prevent potential overflow Greg Kroah-Hartman
2024-12-30 15:42 ` [PATCH 6.1 08/60] mtd: rawnand: arasan: Fix double assertion of chip-select Greg Kroah-Hartman
2024-12-30 15:42 ` [PATCH 6.1 09/60] mtd: rawnand: arasan: Fix missing de-registration of NAND Greg Kroah-Hartman
2024-12-30 15:42 ` [PATCH 6.1 10/60] phy: qcom-qmp: Fix register name in RX Lane config of SC8280XP Greg Kroah-Hartman
2024-12-30 15:42 ` [PATCH 6.1 11/60] phy: core: Fix an OF node refcount leakage in _of_phy_get() Greg Kroah-Hartman
2024-12-30 15:42 ` [PATCH 6.1 12/60] phy: core: Fix an OF node refcount leakage in of_phy_provider_lookup() Greg Kroah-Hartman
2024-12-30 15:42 ` [PATCH 6.1 13/60] phy: core: Fix that API devm_phy_put() fails to release the phy Greg Kroah-Hartman
2024-12-30 15:42 ` [PATCH 6.1 14/60] phy: core: Fix that API devm_of_phy_provider_unregister() fails to unregister the phy provider Greg Kroah-Hartman
2024-12-30 15:42 ` [PATCH 6.1 15/60] phy: core: Fix that API devm_phy_destroy() fails to destroy the phy Greg Kroah-Hartman
2024-12-30 15:42 ` [PATCH 6.1 16/60] phy: usb: Toggle the PHY power during init Greg Kroah-Hartman
2024-12-30 15:42 ` [PATCH 6.1 17/60] phy: rockchip: naneng-combphy: fix phy reset Greg Kroah-Hartman
2024-12-30 15:42 ` [PATCH 6.1 18/60] dmaengine: mv_xor: fix child node refcount handling in early exit Greg Kroah-Hartman
2024-12-30 15:42 ` [PATCH 6.1 19/60] dmaengine: dw: Select only supported masters for ACPI devices Greg Kroah-Hartman
2024-12-30 15:42 ` [PATCH 6.1 20/60] dmaengine: tegra: Return correct DMA status when paused Greg Kroah-Hartman
2024-12-30 15:42 ` [PATCH 6.1 21/60] dmaengine: apple-admac: Avoid accessing registers in probe Greg Kroah-Hartman
2024-12-30 15:42 ` [PATCH 6.1 22/60] dmaengine: at_xdmac: avoid null_prt_deref in at_xdmac_prep_dma_memset Greg Kroah-Hartman
2024-12-30 15:42 ` [PATCH 6.1 23/60] mtd: rawnand: fix double free in atmel_pmecc_create_user() Greg Kroah-Hartman
2024-12-30 15:42 ` [PATCH 6.1 24/60] powerpc/pseries/vas: Add close() callback in vas_vm_ops struct Greg Kroah-Hartman
2024-12-30 15:42 ` [PATCH 6.1 25/60] stddef: make __struct_group() UAPI C++-friendly Greg Kroah-Hartman
2024-12-30 15:42 ` [PATCH 6.1 26/60] tracing/kprobe: Make trace_kprobes module callback called after jump_label update Greg Kroah-Hartman
2024-12-30 15:42 ` [PATCH 6.1 27/60] watchdog: it87_wdt: add PWRGD enable quirk for Qotom QCML04 Greg Kroah-Hartman
2024-12-30 15:42 ` [PATCH 6.1 28/60] scsi: qla1280: Fix hw revision numbering for ISP1020/1040 Greg Kroah-Hartman
2024-12-30 15:42 ` [PATCH 6.1 29/60] scsi: megaraid_sas: Fix for a potential deadlock Greg Kroah-Hartman
2024-12-30 15:42 ` [PATCH 6.1 30/60] ALSA: hda/conexant: fix Z60MR100 startup pop issue Greg Kroah-Hartman
2024-12-30 15:42 ` [PATCH 6.1 31/60] smb: server: Fix building with GCC 15 Greg Kroah-Hartman
2024-12-30 15:42 ` [PATCH 6.1 32/60] regmap: Use correct format specifier for logging range errors Greg Kroah-Hartman
2024-12-30 15:42 ` [PATCH 6.1 33/60] platform/x86: asus-nb-wmi: Ignore unknown event 0xCF Greg Kroah-Hartman
2024-12-30 15:42 ` [PATCH 6.1 34/60] scsi: mpt3sas: Diag-Reset when Doorbell-In-Use bit is set during driver load time Greg Kroah-Hartman
2024-12-30 15:42 ` [PATCH 6.1 35/60] scsi: storvsc: Do not flag MAINTENANCE_IN return of SRB_STATUS_DATA_OVERRUN as an error Greg Kroah-Hartman
2024-12-30 15:42 ` Greg Kroah-Hartman [this message]
2024-12-30 15:42 ` [PATCH 6.1 37/60] virtio-blk: dont keep queue frozen during system suspend Greg Kroah-Hartman
2024-12-30 15:42 ` [PATCH 6.1 38/60] blk-mq: register cpuhp callback after hctx is added to xarray table Greg Kroah-Hartman
2024-12-30 15:42 ` [PATCH 6.1 39/60] vmalloc: fix accounting with i915 Greg Kroah-Hartman
2024-12-30 15:42 ` [PATCH 6.1 40/60] MIPS: Probe toolchain support of -msym32 Greg Kroah-Hartman
2024-12-30 15:42 ` [PATCH 6.1 41/60] MIPS: mipsregs: Set proper ISA level for virt extensions Greg Kroah-Hartman
2024-12-30 15:42 ` [PATCH 6.1 42/60] net/mlx5e: Dont call cleanup on profile rollback failure Greg Kroah-Hartman
2024-12-30 15:42 ` [PATCH 6.1 43/60] bpf: Check validity of link->type in bpf_link_show_fdinfo() Greg Kroah-Hartman
2024-12-30 15:42 ` [PATCH 6.1 44/60] ALSA: hda/realtek: fix mute/micmute LEDs dont work for EliteBook X G1i Greg Kroah-Hartman
2024-12-30 15:42 ` [PATCH 6.1 45/60] ALSA: hda/realtek: fix micmute LEDs dont work on HP Laptops Greg Kroah-Hartman
2024-12-30 15:42 ` [PATCH 6.1 46/60] pmdomain: core: Add missing put_device() Greg Kroah-Hartman
2024-12-30 15:42 ` [PATCH 6.1 47/60] sched/core: Report correct state for TASK_IDLE | TASK_FREEZABLE Greg Kroah-Hartman
2024-12-30 15:42 ` [PATCH 6.1 48/60] freezer, sched: Report frozen tasks as D instead of R Greg Kroah-Hartman
2024-12-30 15:42 ` [PATCH 6.1 49/60] tracing: Constify string literal data member in struct trace_event_call Greg Kroah-Hartman
2024-12-30 15:43 ` [PATCH 6.1 50/60] tracing: Prevent bad count for tracing_cpumask_write Greg Kroah-Hartman
2024-12-30 15:43 ` [PATCH 6.1 51/60] io_uring/sqpoll: fix sqpoll error handling races Greg Kroah-Hartman
2024-12-30 15:43 ` [PATCH 6.1 52/60] i2c: microchip-core: actually use repeated sends Greg Kroah-Hartman
2024-12-30 15:43 ` [PATCH 6.1 53/60] i2c: imx: add imx7d compatible string for applying erratum ERR007805 Greg Kroah-Hartman
2024-12-30 15:43 ` [PATCH 6.1 54/60] i2c: microchip-core: fix "ghost" detections Greg Kroah-Hartman
2024-12-30 15:43 ` [PATCH 6.1 55/60] power: supply: gpio-charger: Fix set charge current limits Greg Kroah-Hartman
2024-12-30 15:43 ` [PATCH 6.1 56/60] btrfs: avoid monopolizing a core when activating a swap file Greg Kroah-Hartman
2024-12-30 15:43 ` [PATCH 6.1 57/60] btrfs: sysfs: fix direct super block member reads Greg Kroah-Hartman
2024-12-30 15:43 ` [PATCH 6.1 58/60] nfsd: cancel nfsd_shrinker_work using sync mode in nfs4_state_shutdown_net Greg Kroah-Hartman
2024-12-30 15:43 ` [PATCH 6.1 59/60] Revert "rcu-tasks: Fix access non-existent percpu rtpcp variable in rcu_tasks_need_gpcb()" Greg Kroah-Hartman
2024-12-30 15:43 ` [PATCH 6.1 60/60] ALSA: hda/realtek: Fix spelling mistake "Firelfy" -> "Firefly" Greg Kroah-Hartman
2024-12-30 17:39 ` [PATCH 6.1 00/60] 6.1.123-rc1 review Florian Fainelli
2024-12-30 19:28 ` Pavel Machek
2024-12-30 20:59 ` Shuah Khan
2024-12-31 8:23 ` Muhammad Usama Anjum
2024-12-31 9:44 ` Naresh Kamboju
2024-12-31 22:38 ` [PATCH 6.1] " Hardik Garg
2024-12-31 23:00 ` [PATCH 6.1 00/60] " Ron Economos
2025-01-02 10:42 ` Pavel Machek
[not found] ` <2025010357-laziness-shield-0ad0@gregkh>
2025-01-04 17:54 ` Buggy patch -- " Pavel Machek
2025-01-06 10:04 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20241230154208.651587698@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=imre.deak@intel.com \
--cc=lyude@redhat.com \
--cc=patches@lists.linux.dev \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox