From: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
To: maarten.lankhorst@linux.intel.com, mripard@kernel.org,
	tzimmermann@suse.de, airlied@linux.ie, daniel@ffwll.ch,
	sumit.semwal@linaro.org, christian.koenig@amd.com
Cc: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>,
	dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org,
	intel-gfx@lists.freedesktop.org, skhan@linuxfoundation.org,
	gregkh@linuxfoundation.org,
	linux-kernel-mentees@lists.linuxfoundation.org,
	linux-media@vger.kernel.org, linaro-mm-sig@lists.linaro.org,
	stable@vger.kernel.org, Daniel Vetter <daniel.vetter@ffwll.ch>
Subject: [PATCH v9 1/4] drm: fix null ptr dereference in drm_master_release
Date: Tue, 31 Aug 2021 14:13:45 +0800
Message-ID: <20210831061348.97696-2-desmondcheongzx@gmail.com>
In-Reply-To: <20210831061348.97696-1-desmondcheongzx@gmail.com>

drm_master_release can be called on a drm_file without a master, which
results in a null ptr dereference of file_priv->master->magic_map. The
three cases are:

1. Error path in drm_open_helper
  drm_open():
    drm_open_helper():
      drm_master_open():
        drm_new_set_master(); <--- returns -ENOMEM,
                                   drm_file.master not set
      drm_file_free():
        drm_master_release(); <--- NULL ptr dereference
                                   (file_priv->master->magic_map)

2. Error path in mock_drm_getfile
  mock_drm_getfile():
    anon_inode_getfile(); <--- returns error, drm_file.master not set
    drm_file_free():
      drm_master_release(); <--- NULL ptr dereference
                                 (file_priv->master->magic_map)

3. In drm_client_close, as drm_client_open doesn't set up a master

drm_file.master is set up in drm_open_helper through the call to
drm_master_open, so we mirror it with a call to drm_master_release in
drm_close_helper, and remove drm_master_release from drm_file_free to
avoid the null ptr dereference.

Fixes: 7eeaeb90a6a5 ("drm/file: Don't set master on in-kernel clients")
Signed-off-by: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
Cc: stable@vger.kernel.org
Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
---
 drivers/gpu/drm/drm_file.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/gpu/drm/drm_file.c b/drivers/gpu/drm/drm_file.c
index ed25168619fc..90b62f360da1 100644
--- a/drivers/gpu/drm/drm_file.c
+++ b/drivers/gpu/drm/drm_file.c
@@ -282,9 +282,6 @@ void drm_file_free(struct drm_file *file)
 
 	drm_legacy_ctxbitmap_flush(dev, file);
 
-	if (drm_is_primary_client(file))
-		drm_master_release(file);
-
 	if (dev->driver->postclose)
 		dev->driver->postclose(dev, file);
 
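Review bot: the master is now dropped earlier in teardown than before, and the commit message does not say why that is safe. In this hunk drm_master_release() sat after drm_legacy_ctxbitmap_flush() and after whatever drm_file_free() does above line 282; once the call moves to drm_close_helper(), all of that runs with file->master already released for a primary client. Please confirm that nothing in the earlier part of drm_file_free() or in drm_legacy_ctxbitmap_flush() reads file->master, and state that in the commit message. Since drm_file_free() is a non-static entry point whose contract changes here, a line in its kerneldoc saying that the caller is responsible for pairing drm_master_open() with drm_master_release() would also help the next reader of the error paths listed in the message.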
@@ -305,6 +302,9 @@ static void drm_close_helper(struct file *filp)
 	list_del(&file_priv->lhead);
 	mutex_unlock(&dev->filelist_mutex);
 
+	if (drm_is_primary_client(file_priv))
+		drm_master_release(file_priv);
+
 	drm_file_free(file_priv);
 }
 
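Review bot: with the release gone from drm_file_free(), the `if (drm_is_primary_client(file_priv)) drm_master_release(file_priv);` added here is the only place a primary client's master is dropped, so any drm_file that obtained a master via drm_master_open() but is torn down without passing through drm_close_helper() now leaks it. The commit message covers drm_master_open() itself failing (case 1), where no master exists, but not a failure in drm_open_helper() after drm_master_open() succeeded. If drm_open_helper() can still fail after that point and bails out through drm_file_free(), it needs its own drm_master_release() on that path; if it cannot, one sentence in the commit message saying so would settle it.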
-- 
2.25.1

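The open/release pairing the commit message describes, as an added userspace model written for this page rather than kernel code: the struct layout, the -EFAULT return standing in for the kernel NULL dereference, the inject_enomem knob and the live_masters leak counter are all assumptions of the example. It runs the three paths from the message plus an ordinary close through the pre-patch and post-patch shapes of drm_file_free() and drm_close_helper().

```c
/*
 * Added example, not kernel code: a userspace model of the drm_file and
 * drm_master lifecycle from the commit message. Structs, the -EFAULT
 * stand-in for the oops, inject_enomem and live_masters are inventions.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

struct master {
	void *magic_map;	/* the field drm_master_release() touches */
};

struct drm_file {
	struct master *master;	/* NULL until master_open() succeeds */
	bool is_primary;	/* stands in for drm_is_primary_client() */
};

static int live_masters;	/* leak detector: masters opened minus released */
static bool inject_enomem;	/* make master_open() fail like drm_new_set_master() */

static struct drm_file *file_alloc(bool primary)
{
	struct drm_file *f = calloc(1, sizeof(*f));

	if (f)
		f->is_primary = primary;
	return f;
}

/* Models drm_master_open(): on failure f->master is left NULL. */
static int master_open(struct drm_file *f)
{
	struct master *m;

	if (inject_enomem)
		return -ENOMEM;
	m = calloc(1, sizeof(*m));
	if (!m)
		return -ENOMEM;
	m->magic_map = m;	/* any non-NULL token will do for the model */
	f->master = m;
	live_masters++;
	return 0;
}

/* Like the kernel helper, this trusts f->master to be non-NULL. */
static void master_release(struct drm_file *f)
{
	f->master->magic_map = NULL;
	free(f->master);
	f->master = NULL;
	live_masters--;
}

/* Pre-patch drm_file_free(): releases the master on every free path. */
static int file_free_before(struct drm_file *f)
{
	if (f->is_primary && !f->master) {
		free(f);
		return -EFAULT;	/* the kernel oopses here on f->master->magic_map */
	}
	if (f->is_primary)
		master_release(f);
	free(f);
	return 0;
}

/* Post-patch drm_file_free(): knows nothing about masters. */
static int file_free_after(struct drm_file *f)
{
	free(f);
	return 0;
}

/* Post-patch drm_close_helper(): release paired with the open in drm_open_helper(). */
static int close_helper_after(struct drm_file *f)
{
	if (f->is_primary)
		master_release(f);
	return file_free_after(f);
}

/* Drives the three paths from the commit message, then a normal close.
 * Returns how many paths hit a NULL master. */
static int run_paths(int (*file_free)(struct drm_file *),
		     int (*close_helper)(struct drm_file *))
{
	int crashes = 0;
	struct drm_file *f;

	/* 1. drm_open_helper(): drm_master_open() fails with -ENOMEM. */
	f = file_alloc(true);
	inject_enomem = true;
	if (master_open(f) < 0 && file_free(f) == -EFAULT)
		crashes++;
	inject_enomem = false;

	/* 2. mock_drm_getfile(): anon_inode_getfile() failed, no master opened. */
	f = file_alloc(true);
	if (file_free(f) == -EFAULT)
		crashes++;

	/* 3. drm_client_close(): drm_client_open() never set up a master. */
	f = file_alloc(true);
	if (file_free(f) == -EFAULT)
		crashes++;

	/* 4. Ordinary userspace close: a master exists and must be released. */
	f = file_alloc(true);
	master_open(f);
	close_helper(f);
	return crashes;
}

/* Pre-patch drm_close_helper() was just drm_file_free(), hence the same pointer twice. */
int would_crash_before(void) { return run_paths(file_free_before, file_free_before); }
int would_crash_after(void)  { return run_paths(file_free_after, close_helper_after); }
int leaked_masters(void)     { return live_masters; }

int main(void)
{
	printf("before: %d of 4 paths hit a NULL master\n", would_crash_before());
	printf("after:  %d of 4 paths hit a NULL master\n", would_crash_after());
	printf("masters still live: %d\n", leaked_masters());
	return 0;
}
```

Built with `cc -Wall`, the pre-patch shape reports 3 of the 4 paths hitting a NULL master and the post-patch shape 0, with no master left live in either case, which is the invariant the patch restores: whoever calls drm_master_open() owns the matching drm_master_release(), and drm_file_free() makes no assumption about it.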

Thread overview: 16+ messages
2021-08-31  6:13 [PATCH v9 0/4] drm: update locking for modesetting Desmond Cheong Zhi Xi
2021-08-31  6:13 ` [Intel-gfx] " Desmond Cheong Zhi Xi
2021-08-31  6:13 ` Desmond Cheong Zhi Xi
2021-08-31  6:13 ` Desmond Cheong Zhi Xi [this message]
2021-08-31  6:13   ` [Intel-gfx] [PATCH v9 1/4] drm: fix null ptr dereference in drm_master_release Desmond Cheong Zhi Xi
2021-08-31  6:13   ` Desmond Cheong Zhi Xi
2021-08-31  6:13 ` [PATCH v9 2/4] drm: convert drm_device.master_mutex into a rwsem Desmond Cheong Zhi Xi
2021-08-31  6:13   ` [Intel-gfx] " Desmond Cheong Zhi Xi
2021-08-31  6:13   ` Desmond Cheong Zhi Xi
2021-08-31  6:13 ` [PATCH v9 3/4] drm: lock drm_global_mutex earlier in the ioctl handler Desmond Cheong Zhi Xi
2021-08-31  6:13   ` [Intel-gfx] " Desmond Cheong Zhi Xi
2021-08-31  6:13   ` Desmond Cheong Zhi Xi
2021-08-31  6:13 ` [PATCH v9 4/4] drm: avoid races with modesetting rights Desmond Cheong Zhi Xi
2021-08-31  6:13   ` [Intel-gfx] " Desmond Cheong Zhi Xi
2021-08-31  6:13   ` Desmond Cheong Zhi Xi
2021-08-31  6:49 ` [Intel-gfx] ✗ Fi.CI.BUILD: failure for drm: update locking for modesetting (rev6) Patchwork
