From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Sean Paul <sean@poorly.run>, Sasha Levin <sashal@kernel.org>,
quic_sbillaka@quicinc.com, linux-arm-msm@vger.kernel.org,
andersson@kernel.org, Abhinav Kumar <quic_abhinavk@quicinc.com>,
dri-devel@lists.freedesktop.org, swboyd@chromium.org,
johan+linaro@kernel.org, Daniel Vetter <daniel.vetter@ffwll.ch>,
Dmitry Baryshkov <dmitry.baryshkov@linaro.org>,
quic_khsieh@quicinc.com, freedreno@lists.freedesktop.org
Subject: [PATCH AUTOSEL 5.10 19/39] drm/msm: Use drm_mode_copy()
Date: Sun, 18 Dec 2022 11:15:39 -0500 [thread overview]
Message-ID: <20221218161559.932604-19-sashal@kernel.org> (raw)
In-Reply-To: <20221218161559.932604-1-sashal@kernel.org>
From: Ville Syrjälä <ville.syrjala@linux.intel.com>
[ Upstream commit b2a1c5ca50db22b3677676dd5bad5f6092429acf ]
struct drm_display_mode embeds a list head, so overwriting
the full struct with another one will corrupt the list
(if the destination mode is on a list). Use drm_mode_copy()
instead which explicitly preserves the list head of
the destination mode.
Even if we know the destination mode is not on any list
using drm_mode_copy() seems decent as it sets a good
example. Bad examples of not using it might eventually
get copied into code where preserving the list head
actually matters.
Obviously one case not covered here is when the mode
itself is embedded in a larger structure and the whole
structure is copied. But if we are careful when copying
into modes embedded in structures I think we can be a
little more reassured that bogus list heads haven't been
propagated in.
@is_mode_copy@
@@
drm_mode_copy(...)
{
...
}
@depends on !is_mode_copy@
struct drm_display_mode *mode;
expression E, S;
@@
(
- *mode = E
+ drm_mode_copy(mode, &E)
|
- memcpy(mode, E, S)
+ drm_mode_copy(mode, E)
)
@depends on !is_mode_copy@
struct drm_display_mode mode;
expression E;
@@
(
- mode = E
+ drm_mode_copy(&mode, &E)
|
- memcpy(&mode, E, S)
+ drm_mode_copy(&mode, E)
)
@@
struct drm_display_mode *mode;
@@
- &*mode
+ mode
Cc: Rob Clark <robdclark@gmail.com>
Cc: Sean Paul <sean@poorly.run>
Cc: Abhinav Kumar <quic_abhinavk@quicinc.com>
Cc: linux-arm-msm@vger.kernel.org
Cc: freedreno@lists.freedesktop.org
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20221107192545.9896-5-ville.syrjala@linux.intel.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/msm/dp/dp_display.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/msm/dp/dp_display.c b/drivers/gpu/drm/msm/dp/dp_display.c
index 5a152d505dfb..1c3dcbc6cce8 100644
--- a/drivers/gpu/drm/msm/dp/dp_display.c
+++ b/drivers/gpu/drm/msm/dp/dp_display.c
@@ -848,7 +848,7 @@ static int dp_display_set_mode(struct msm_dp *dp_display,
dp = container_of(dp_display, struct dp_display_private, dp_display);
- dp->panel->dp_mode.drm_mode = mode->drm_mode;
+ drm_mode_copy(&dp->panel->dp_mode.drm_mode, &mode->drm_mode);
dp->panel->dp_mode.bpp = mode->bpp;
dp->panel->dp_mode.capabilities = mode->capabilities;
dp_panel_init_panel_info(dp->panel);
--
2.35.1
WARNING: multiple messages have this Message-ID (diff)
From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: "Ville Syrjälä" <ville.syrjala@linux.intel.com>,
"Rob Clark" <robdclark@gmail.com>, "Sean Paul" <sean@poorly.run>,
"Abhinav Kumar" <quic_abhinavk@quicinc.com>,
linux-arm-msm@vger.kernel.org, freedreno@lists.freedesktop.org,
"Dmitry Baryshkov" <dmitry.baryshkov@linaro.org>,
"Daniel Vetter" <daniel.vetter@ffwll.ch>,
"Sasha Levin" <sashal@kernel.org>,
airlied@gmail.com, daniel@ffwll.ch, swboyd@chromium.org,
quic_khsieh@quicinc.com, johan+linaro@kernel.org,
quic_sbillaka@quicinc.com, andersson@kernel.org,
dri-devel@lists.freedesktop.org
Subject: [PATCH AUTOSEL 5.10 19/39] drm/msm: Use drm_mode_copy()
Date: Sun, 18 Dec 2022 11:15:39 -0500 [thread overview]
Message-ID: <20221218161559.932604-19-sashal@kernel.org> (raw)
In-Reply-To: <20221218161559.932604-1-sashal@kernel.org>
From: Ville Syrjälä <ville.syrjala@linux.intel.com>
[ Upstream commit b2a1c5ca50db22b3677676dd5bad5f6092429acf ]
struct drm_display_mode embeds a list head, so overwriting
the full struct with another one will corrupt the list
(if the destination mode is on a list). Use drm_mode_copy()
instead which explicitly preserves the list head of
the destination mode.
Even if we know the destination mode is not on any list
using drm_mode_copy() seems decent as it sets a good
example. Bad examples of not using it might eventually
get copied into code where preserving the list head
actually matters.
Obviously one case not covered here is when the mode
itself is embedded in a larger structure and the whole
structure is copied. But if we are careful when copying
into modes embedded in structures I think we can be a
little more reassured that bogus list heads haven't been
propagated in.
@is_mode_copy@
@@
drm_mode_copy(...)
{
...
}
@depends on !is_mode_copy@
struct drm_display_mode *mode;
expression E, S;
@@
(
- *mode = E
+ drm_mode_copy(mode, &E)
|
- memcpy(mode, E, S)
+ drm_mode_copy(mode, E)
)
@depends on !is_mode_copy@
struct drm_display_mode mode;
expression E;
@@
(
- mode = E
+ drm_mode_copy(&mode, &E)
|
- memcpy(&mode, E, S)
+ drm_mode_copy(&mode, E)
)
@@
struct drm_display_mode *mode;
@@
- &*mode
+ mode
Cc: Rob Clark <robdclark@gmail.com>
Cc: Sean Paul <sean@poorly.run>
Cc: Abhinav Kumar <quic_abhinavk@quicinc.com>
Cc: linux-arm-msm@vger.kernel.org
Cc: freedreno@lists.freedesktop.org
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20221107192545.9896-5-ville.syrjala@linux.intel.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/msm/dp/dp_display.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/msm/dp/dp_display.c b/drivers/gpu/drm/msm/dp/dp_display.c
index 5a152d505dfb..1c3dcbc6cce8 100644
--- a/drivers/gpu/drm/msm/dp/dp_display.c
+++ b/drivers/gpu/drm/msm/dp/dp_display.c
@@ -848,7 +848,7 @@ static int dp_display_set_mode(struct msm_dp *dp_display,
dp = container_of(dp_display, struct dp_display_private, dp_display);
- dp->panel->dp_mode.drm_mode = mode->drm_mode;
+ drm_mode_copy(&dp->panel->dp_mode.drm_mode, &mode->drm_mode);
dp->panel->dp_mode.bpp = mode->bpp;
dp->panel->dp_mode.capabilities = mode->capabilities;
dp_panel_init_panel_info(dp->panel);
--
2.35.1
next prev parent reply other threads:[~2022-12-18 16:17 UTC|newest]
Thread overview: 55+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-12-18 16:15 [PATCH AUTOSEL 5.10 01/39] drm/etnaviv: add missing quirks for GC300 Sasha Levin
2022-12-18 16:15 ` Sasha Levin
2022-12-18 16:15 ` [PATCH AUTOSEL 5.10 02/39] brcmfmac: return error when getting invalid max_flowrings from dongle Sasha Levin
2022-12-18 16:15 ` [PATCH AUTOSEL 5.10 03/39] wifi: ath9k: verify the expected usb_endpoints are present Sasha Levin
2022-12-18 16:15 ` [PATCH AUTOSEL 5.10 04/39] wifi: ar5523: Fix use-after-free on ar5523_cmd() timed out Sasha Levin
2022-12-18 16:15 ` [PATCH AUTOSEL 5.10 05/39] ASoC: codecs: rt298: Add quirk for KBL-R RVP platform Sasha Levin
2022-12-18 16:15 ` Sasha Levin
2022-12-18 16:15 ` [PATCH AUTOSEL 5.10 06/39] ipmi: fix memleak when unload ipmi driver Sasha Levin
2022-12-18 16:15 ` [PATCH AUTOSEL 5.10 07/39] drm/amd/display: prevent memory leak Sasha Levin
2022-12-18 16:15 ` Sasha Levin
2022-12-18 16:15 ` Sasha Levin
2022-12-18 16:15 ` [PATCH AUTOSEL 5.10 08/39] qed (gcc13): use u16 for fid to be big enough Sasha Levin
2022-12-18 16:15 ` [PATCH AUTOSEL 5.10 09/39] bpf: make sure skb->len != 0 when redirecting to a tunneling device Sasha Levin
2022-12-18 16:15 ` [PATCH AUTOSEL 5.10 10/39] net: ethernet: ti: Fix return type of netcp_ndo_start_xmit() Sasha Levin
2022-12-18 16:15 ` [PATCH AUTOSEL 5.10 11/39] hamradio: baycom_epp: Fix return type of baycom_send_packet() Sasha Levin
2022-12-18 16:15 ` [PATCH AUTOSEL 5.10 12/39] wifi: brcmfmac: Fix potential shift-out-of-bounds in brcmf_fw_alloc_request() Sasha Levin
2022-12-18 16:15 ` [Intel-wired-lan] [PATCH AUTOSEL 5.10 13/39] igb: Do not free q_vector unless new one was allocated Sasha Levin
2022-12-18 16:15 ` Sasha Levin
2022-12-18 16:15 ` [PATCH AUTOSEL 5.10 14/39] drm/amdgpu: Fix type of second parameter in trans_msg() callback Sasha Levin
2022-12-18 16:15 ` Sasha Levin
2022-12-18 16:15 ` Sasha Levin
2022-12-18 16:15 ` [PATCH AUTOSEL 5.10 15/39] drm/amdgpu: Fix type of second parameter in odn_edit_dpm_table() callback Sasha Levin
2022-12-18 16:15 ` Sasha Levin
2022-12-18 16:15 ` Sasha Levin
2022-12-18 16:15 ` [PATCH AUTOSEL 5.10 16/39] s390/ctcm: Fix return type of ctc{mp,}m_tx() Sasha Levin
2022-12-18 16:15 ` [PATCH AUTOSEL 5.10 17/39] s390/netiucv: Fix return type of netiucv_tx() Sasha Levin
2022-12-18 16:15 ` [PATCH AUTOSEL 5.10 18/39] s390/lcs: Fix return type of lcs_start_xmit() Sasha Levin
2022-12-18 16:15 ` Sasha Levin [this message]
2022-12-18 16:15 ` [PATCH AUTOSEL 5.10 19/39] drm/msm: Use drm_mode_copy() Sasha Levin
2022-12-18 16:15 ` [PATCH AUTOSEL 5.10 20/39] drm/rockchip: " Sasha Levin
2022-12-18 16:15 ` Sasha Levin
2022-12-18 16:15 ` Sasha Levin
2022-12-18 16:15 ` Sasha Levin
2022-12-18 16:15 ` [PATCH AUTOSEL 5.10 21/39] drm/sti: " Sasha Levin
2022-12-18 16:15 ` Sasha Levin
2022-12-18 16:15 ` [PATCH AUTOSEL 5.10 22/39] drivers/md/md-bitmap: check the return value of md_bitmap_get_counter() Sasha Levin
2022-12-18 16:15 ` [PATCH AUTOSEL 5.10 23/39] md/raid1: stop mdx_raid1 thread when raid1 array run failed Sasha Levin
2022-12-18 16:15 ` [PATCH AUTOSEL 5.10 24/39] drm/amd/display: fix array index out of bound error in bios parser Sasha Levin
2022-12-18 16:15 ` Sasha Levin
2022-12-18 16:15 ` Sasha Levin
2022-12-18 16:15 ` [PATCH AUTOSEL 5.10 25/39] net: add atomic_long_t to net_device_stats fields Sasha Levin
2022-12-18 16:15 ` [PATCH AUTOSEL 5.10 26/39] mrp: introduce active flags to prevent UAF when applicant uninit Sasha Levin
2022-12-18 16:15 ` [PATCH AUTOSEL 5.10 27/39] ppp: associate skb with a device at tx Sasha Levin
2022-12-18 16:15 ` [PATCH AUTOSEL 5.10 28/39] bpf: Prevent decl_tag from being referenced in func_proto arg Sasha Levin
2022-12-18 16:15 ` [PATCH AUTOSEL 5.10 29/39] ethtool: avoiding integer overflow in ethtool_phys_id() Sasha Levin
2022-12-18 16:15 ` [PATCH AUTOSEL 5.10 30/39] media: dvb-frontends: fix leak of memory fw Sasha Levin
2022-12-18 16:15 ` [PATCH AUTOSEL 5.10 31/39] media: dvbdev: adopts refcnt to avoid UAF Sasha Levin
2022-12-18 16:15 ` [PATCH AUTOSEL 5.10 32/39] media: dvb-usb: fix memory leak in dvb_usb_adapter_init() Sasha Levin
2022-12-18 16:15 ` [PATCH AUTOSEL 5.10 33/39] blk-mq: fix possible memleak when register 'hctx' failed Sasha Levin
2022-12-18 16:15 ` [PATCH AUTOSEL 5.10 34/39] libbpf: Avoid enum forward-declarations in public API in C++ mode Sasha Levin
2022-12-18 16:15 ` [PATCH AUTOSEL 5.10 35/39] regulator: core: fix use_count leakage when handling boot-on Sasha Levin
2022-12-18 16:15 ` [PATCH AUTOSEL 5.10 36/39] mmc: f-sdh30: Add quirks for broken timeout clock capability Sasha Levin
2022-12-18 16:15 ` [PATCH AUTOSEL 5.10 37/39] mmc: renesas_sdhi: better reset from HS400 mode Sasha Levin
2022-12-18 16:15 ` [PATCH AUTOSEL 5.10 38/39] media: si470x: Fix use-after-free in si470x_int_in_callback() Sasha Levin
2022-12-18 16:15 ` [PATCH AUTOSEL 5.10 39/39] clk: st: Fix memory leak in st_of_quadfs_setup() Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20221218161559.932604-19-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=andersson@kernel.org \
--cc=daniel.vetter@ffwll.ch \
--cc=dmitry.baryshkov@linaro.org \
--cc=dri-devel@lists.freedesktop.org \
--cc=freedreno@lists.freedesktop.org \
--cc=johan+linaro@kernel.org \
--cc=linux-arm-msm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=quic_abhinavk@quicinc.com \
--cc=quic_khsieh@quicinc.com \
--cc=quic_sbillaka@quicinc.com \
--cc=sean@poorly.run \
--cc=stable@vger.kernel.org \
--cc=swboyd@chromium.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.