* [PATCH] drm/exynos: fix a possible null-pointer dereference due to data race in exynos_drm_crtc_atomic_disable()
@ 2023-06-30 2:19 ` Tuo Li
0 siblings, 0 replies; 16+ messages in thread
From: Tuo Li @ 2023-06-30 2:19 UTC (permalink / raw)
To: inki.dae, sw0312.kim, kyungmin.park, airlied, daniel,
krzysztof.kozlowski, alim.akhtar
Cc: dri-devel, linux-arm-kernel, linux-samsung-soc, linux-kernel,
baijiaju1990, Tuo Li, BassCheck
The variable crtc->state->event is often protected by the lock
crtc->dev->event_lock when is accessed. However, it is accessed as a
condition of an if statement in exynos_drm_crtc_atomic_disable() without
holding the lock:
if (crtc->state->event && !crtc->state->active)
However, if crtc->state->event is changed to NULL by another thread right
after the conditions of the if statement is checked to be true, a
null-pointer dereference can occur in drm_crtc_send_vblank_event():
e->pipe = pipe;
To fix this possible null-pointer dereference caused by data race, the
spin lock coverage is extended to protect the if statement as well as the
function call to drm_crtc_send_vblank_event().
Reported-by: BassCheck <bass@buaa.edu.cn>
Signed-off-by: Tuo Li <islituo@gmail.com>
---
drivers/gpu/drm/exynos/exynos_drm_crtc.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/drivers/gpu/drm/exynos/exynos_drm_crtc.c b/drivers/gpu/drm/exynos/exynos_drm_crtc.c
index 4153f302de7c..d19e796c2061 100644
--- a/drivers/gpu/drm/exynos/exynos_drm_crtc.c
+++ b/drivers/gpu/drm/exynos/exynos_drm_crtc.c
@@ -39,13 +39,12 @@ static void exynos_drm_crtc_atomic_disable(struct drm_crtc *crtc,
if (exynos_crtc->ops->atomic_disable)
exynos_crtc->ops->atomic_disable(exynos_crtc);
+ spin_lock_irq(&crtc->dev->event_lock);
if (crtc->state->event && !crtc->state->active) {
- spin_lock_irq(&crtc->dev->event_lock);
drm_crtc_send_vblank_event(crtc, crtc->state->event);
- spin_unlock_irq(&crtc->dev->event_lock);
-
crtc->state->event = NULL;
}
+ spin_unlock_irq(&crtc->dev->event_lock);
}
static int exynos_crtc_atomic_check(struct drm_crtc *crtc,
--
2.34.1
^ permalink raw reply related [flat|nested] 16+ messages in thread
* [PATCH] drm/exynos: fix a possible null-pointer dereference due to data race in exynos_drm_crtc_atomic_disable()
@ 2023-06-30 2:19 ` Tuo Li
0 siblings, 0 replies; 16+ messages in thread
From: Tuo Li @ 2023-06-30 2:19 UTC (permalink / raw)
To: inki.dae, sw0312.kim, kyungmin.park, airlied, daniel,
krzysztof.kozlowski, alim.akhtar
Cc: dri-devel, linux-arm-kernel, linux-samsung-soc, linux-kernel,
baijiaju1990, Tuo Li, BassCheck
The variable crtc->state->event is often protected by the lock
crtc->dev->event_lock when is accessed. However, it is accessed as a
condition of an if statement in exynos_drm_crtc_atomic_disable() without
holding the lock:
if (crtc->state->event && !crtc->state->active)
However, if crtc->state->event is changed to NULL by another thread right
after the conditions of the if statement is checked to be true, a
null-pointer dereference can occur in drm_crtc_send_vblank_event():
e->pipe = pipe;
To fix this possible null-pointer dereference caused by data race, the
spin lock coverage is extended to protect the if statement as well as the
function call to drm_crtc_send_vblank_event().
Reported-by: BassCheck <bass@buaa.edu.cn>
Signed-off-by: Tuo Li <islituo@gmail.com>
---
drivers/gpu/drm/exynos/exynos_drm_crtc.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/drivers/gpu/drm/exynos/exynos_drm_crtc.c b/drivers/gpu/drm/exynos/exynos_drm_crtc.c
index 4153f302de7c..d19e796c2061 100644
--- a/drivers/gpu/drm/exynos/exynos_drm_crtc.c
+++ b/drivers/gpu/drm/exynos/exynos_drm_crtc.c
@@ -39,13 +39,12 @@ static void exynos_drm_crtc_atomic_disable(struct drm_crtc *crtc,
if (exynos_crtc->ops->atomic_disable)
exynos_crtc->ops->atomic_disable(exynos_crtc);
+ spin_lock_irq(&crtc->dev->event_lock);
if (crtc->state->event && !crtc->state->active) {
- spin_lock_irq(&crtc->dev->event_lock);
drm_crtc_send_vblank_event(crtc, crtc->state->event);
- spin_unlock_irq(&crtc->dev->event_lock);
-
crtc->state->event = NULL;
}
+ spin_unlock_irq(&crtc->dev->event_lock);
}
static int exynos_crtc_atomic_check(struct drm_crtc *crtc,
--
2.34.1
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
^ permalink raw reply related [flat|nested] 16+ messages in thread
* [PATCH] drm/exynos: fix a possible null-pointer dereference due to data race in exynos_drm_crtc_atomic_disable()
@ 2023-06-30 2:19 ` Tuo Li
0 siblings, 0 replies; 16+ messages in thread
From: Tuo Li @ 2023-06-30 2:19 UTC (permalink / raw)
To: inki.dae, sw0312.kim, kyungmin.park, airlied, daniel,
krzysztof.kozlowski, alim.akhtar
Cc: linux-samsung-soc, BassCheck, linux-kernel, dri-devel,
baijiaju1990, Tuo Li, linux-arm-kernel
The variable crtc->state->event is often protected by the lock
crtc->dev->event_lock when is accessed. However, it is accessed as a
condition of an if statement in exynos_drm_crtc_atomic_disable() without
holding the lock:
if (crtc->state->event && !crtc->state->active)
However, if crtc->state->event is changed to NULL by another thread right
after the conditions of the if statement is checked to be true, a
null-pointer dereference can occur in drm_crtc_send_vblank_event():
e->pipe = pipe;
To fix this possible null-pointer dereference caused by data race, the
spin lock coverage is extended to protect the if statement as well as the
function call to drm_crtc_send_vblank_event().
Reported-by: BassCheck <bass@buaa.edu.cn>
Signed-off-by: Tuo Li <islituo@gmail.com>
---
drivers/gpu/drm/exynos/exynos_drm_crtc.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/drivers/gpu/drm/exynos/exynos_drm_crtc.c b/drivers/gpu/drm/exynos/exynos_drm_crtc.c
index 4153f302de7c..d19e796c2061 100644
--- a/drivers/gpu/drm/exynos/exynos_drm_crtc.c
+++ b/drivers/gpu/drm/exynos/exynos_drm_crtc.c
@@ -39,13 +39,12 @@ static void exynos_drm_crtc_atomic_disable(struct drm_crtc *crtc,
if (exynos_crtc->ops->atomic_disable)
exynos_crtc->ops->atomic_disable(exynos_crtc);
+ spin_lock_irq(&crtc->dev->event_lock);
if (crtc->state->event && !crtc->state->active) {
- spin_lock_irq(&crtc->dev->event_lock);
drm_crtc_send_vblank_event(crtc, crtc->state->event);
- spin_unlock_irq(&crtc->dev->event_lock);
-
crtc->state->event = NULL;
}
+ spin_unlock_irq(&crtc->dev->event_lock);
}
static int exynos_crtc_atomic_check(struct drm_crtc *crtc,
--
2.34.1
^ permalink raw reply related [flat|nested] 16+ messages in thread
* Re: [PATCH] drm/exynos: fix a possible null-pointer dereference due to data race in exynos_drm_crtc_atomic_disable()
2023-06-30 2:19 ` Tuo Li
(?)
@ 2023-07-01 8:01 ` Krzysztof Kozlowski
-1 siblings, 0 replies; 16+ messages in thread
From: Krzysztof Kozlowski @ 2023-07-01 8:01 UTC (permalink / raw)
To: Tuo Li, inki.dae, sw0312.kim, kyungmin.park, airlied, daniel,
alim.akhtar
Cc: dri-devel, linux-arm-kernel, linux-samsung-soc, linux-kernel,
baijiaju1990, BassCheck
On 30/06/2023 04:19, Tuo Li wrote:
> The variable crtc->state->event is often protected by the lock
> crtc->dev->event_lock when is accessed. However, it is accessed as a
> condition of an if statement in exynos_drm_crtc_atomic_disable() without
> holding the lock:
>
> if (crtc->state->event && !crtc->state->active)
>
> However, if crtc->state->event is changed to NULL by another thread right
> after the conditions of the if statement is checked to be true, a
> null-pointer dereference can occur in drm_crtc_send_vblank_event():
>
> e->pipe = pipe;
>
> To fix this possible null-pointer dereference caused by data race, the
> spin lock coverage is extended to protect the if statement as well as the
> function call to drm_crtc_send_vblank_event().
>
> Reported-by: BassCheck <bass@buaa.edu.cn>
I cannot find this report. This is an open source work and public
collaboration. The "Reported-by" usually means that the issue was
reported to us, in some way, usually in public. Can we see the report?
Otherwise adding non-public, non-verifiable reports is useless and
clutters our report-credit-system.
Best regards,
Krzysztof
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [PATCH] drm/exynos: fix a possible null-pointer dereference due to data race in exynos_drm_crtc_atomic_disable()
@ 2023-07-01 8:01 ` Krzysztof Kozlowski
0 siblings, 0 replies; 16+ messages in thread
From: Krzysztof Kozlowski @ 2023-07-01 8:01 UTC (permalink / raw)
To: Tuo Li, inki.dae, sw0312.kim, kyungmin.park, airlied, daniel,
alim.akhtar
Cc: linux-samsung-soc, BassCheck, linux-kernel, dri-devel,
baijiaju1990, linux-arm-kernel
On 30/06/2023 04:19, Tuo Li wrote:
> The variable crtc->state->event is often protected by the lock
> crtc->dev->event_lock when is accessed. However, it is accessed as a
> condition of an if statement in exynos_drm_crtc_atomic_disable() without
> holding the lock:
>
> if (crtc->state->event && !crtc->state->active)
>
> However, if crtc->state->event is changed to NULL by another thread right
> after the conditions of the if statement is checked to be true, a
> null-pointer dereference can occur in drm_crtc_send_vblank_event():
>
> e->pipe = pipe;
>
> To fix this possible null-pointer dereference caused by data race, the
> spin lock coverage is extended to protect the if statement as well as the
> function call to drm_crtc_send_vblank_event().
>
> Reported-by: BassCheck <bass@buaa.edu.cn>
I cannot find this report. This is an open source work and public
collaboration. The "Reported-by" usually means that the issue was
reported to us, in some way, usually in public. Can we see the report?
Otherwise adding non-public, non-verifiable reports is useless and
clutters our report-credit-system.
Best regards,
Krzysztof
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [PATCH] drm/exynos: fix a possible null-pointer dereference due to data race in exynos_drm_crtc_atomic_disable()
@ 2023-07-01 8:01 ` Krzysztof Kozlowski
0 siblings, 0 replies; 16+ messages in thread
From: Krzysztof Kozlowski @ 2023-07-01 8:01 UTC (permalink / raw)
To: Tuo Li, inki.dae, sw0312.kim, kyungmin.park, airlied, daniel,
alim.akhtar
Cc: dri-devel, linux-arm-kernel, linux-samsung-soc, linux-kernel,
baijiaju1990, BassCheck
On 30/06/2023 04:19, Tuo Li wrote:
> The variable crtc->state->event is often protected by the lock
> crtc->dev->event_lock when is accessed. However, it is accessed as a
> condition of an if statement in exynos_drm_crtc_atomic_disable() without
> holding the lock:
>
> if (crtc->state->event && !crtc->state->active)
>
> However, if crtc->state->event is changed to NULL by another thread right
> after the conditions of the if statement is checked to be true, a
> null-pointer dereference can occur in drm_crtc_send_vblank_event():
>
> e->pipe = pipe;
>
> To fix this possible null-pointer dereference caused by data race, the
> spin lock coverage is extended to protect the if statement as well as the
> function call to drm_crtc_send_vblank_event().
>
> Reported-by: BassCheck <bass@buaa.edu.cn>
I cannot find this report. This is an open source work and public
collaboration. The "Reported-by" usually means that the issue was
reported to us, in some way, usually in public. Can we see the report?
Otherwise adding non-public, non-verifiable reports is useless and
clutters our report-credit-system.
Best regards,
Krzysztof
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [PATCH] drm/exynos: fix a possible null-pointer dereference due to data race in exynos_drm_crtc_atomic_disable()
2023-07-01 8:01 ` Krzysztof Kozlowski
(?)
(?)
@ 2023-07-03 3:00 ` Tuo Li
2023-07-04 7:27 ` Krzysztof Kozlowski
-1 siblings, 1 reply; 16+ messages in thread
From: Tuo Li @ 2023-07-03 3:00 UTC (permalink / raw)
To: Krzysztof Kozlowski
Cc: linux-samsung-soc, sw0312.kim, linux-kernel, dri-devel,
kyungmin.park, alim.akhtar, baijiaju1990, linux-arm-kernel,
BassCheck
[-- Attachment #1: Type: text/plain, Size: 1518 bytes --]
Hello,
Thanks for your reply! The report is publicly available at
https://sites.google.com/view/basscheck/home. And this
patch is from the 8th report on this website.
Thanks,
Tuo Li
On Sat, Jul 1, 2023 at 4:01 PM Krzysztof Kozlowski <
krzysztof.kozlowski@linaro.org> wrote:
> On 30/06/2023 04:19, Tuo Li wrote:
> > The variable crtc->state->event is often protected by the lock
> > crtc->dev->event_lock when is accessed. However, it is accessed as a
> > condition of an if statement in exynos_drm_crtc_atomic_disable() without
> > holding the lock:
> >
> > if (crtc->state->event && !crtc->state->active)
> >
> > However, if crtc->state->event is changed to NULL by another thread right
> > after the conditions of the if statement is checked to be true, a
> > null-pointer dereference can occur in drm_crtc_send_vblank_event():
> >
> > e->pipe = pipe;
> >
> > To fix this possible null-pointer dereference caused by data race, the
> > spin lock coverage is extended to protect the if statement as well as
> the
> > function call to drm_crtc_send_vblank_event().
> >
> > Reported-by: BassCheck <bass@buaa.edu.cn>
>
> I cannot find this report. This is an open source work and public
> collaboration. The "Reported-by" usually means that the issue was
> reported to us, in some way, usually in public. Can we see the report?
> Otherwise adding non-public, non-verifiable reports is useless and
> clutters our report-credit-system.
>
> Best regards,
> Krzysztof
>
>
[-- Attachment #2: Type: text/html, Size: 2169 bytes --]
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [PATCH] drm/exynos: fix a possible null-pointer dereference due to data race in exynos_drm_crtc_atomic_disable()
2023-07-03 3:00 ` Tuo Li
2023-07-04 7:27 ` Krzysztof Kozlowski
@ 2023-07-04 7:27 ` Krzysztof Kozlowski
0 siblings, 0 replies; 16+ messages in thread
From: Krzysztof Kozlowski @ 2023-07-04 7:27 UTC (permalink / raw)
To: Tuo Li
Cc: inki.dae, sw0312.kim, kyungmin.park, airlied, daniel,
alim.akhtar, dri-devel, linux-arm-kernel, linux-samsung-soc,
linux-kernel, baijiaju1990, BassCheck
On 03/07/2023 05:00, Tuo Li wrote:
> Hello,
>
> Thanks for your reply! The report is publicly available at
> https://sites.google.com/view/basscheck/home. And this
> patch is from the 8th report on this website.
Great, thank you!
Best regards,
Krzysztof
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [PATCH] drm/exynos: fix a possible null-pointer dereference due to data race in exynos_drm_crtc_atomic_disable()
@ 2023-07-04 7:27 ` Krzysztof Kozlowski
0 siblings, 0 replies; 16+ messages in thread
From: Krzysztof Kozlowski @ 2023-07-04 7:27 UTC (permalink / raw)
To: Tuo Li
Cc: linux-samsung-soc, sw0312.kim, linux-kernel, dri-devel,
kyungmin.park, alim.akhtar, baijiaju1990, linux-arm-kernel,
BassCheck
On 03/07/2023 05:00, Tuo Li wrote:
> Hello,
>
> Thanks for your reply! The report is publicly available at
> https://sites.google.com/view/basscheck/home. And this
> patch is from the 8th report on this website.
Great, thank you!
Best regards,
Krzysztof
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [PATCH] drm/exynos: fix a possible null-pointer dereference due to data race in exynos_drm_crtc_atomic_disable()
@ 2023-07-04 7:27 ` Krzysztof Kozlowski
0 siblings, 0 replies; 16+ messages in thread
From: Krzysztof Kozlowski @ 2023-07-04 7:27 UTC (permalink / raw)
To: Tuo Li
Cc: inki.dae, sw0312.kim, kyungmin.park, airlied, daniel,
alim.akhtar, dri-devel, linux-arm-kernel, linux-samsung-soc,
linux-kernel, baijiaju1990, BassCheck
On 03/07/2023 05:00, Tuo Li wrote:
> Hello,
>
> Thanks for your reply! The report is publicly available at
> https://sites.google.com/view/basscheck/home. And this
> patch is from the 8th report on this website.
Great, thank you!
Best regards,
Krzysztof
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [PATCH] drm/exynos: fix a possible null-pointer dereference due to data race in exynos_drm_crtc_atomic_disable()
2023-06-30 2:19 ` Tuo Li
(?)
@ 2023-07-04 7:35 ` Krzysztof Kozlowski
-1 siblings, 0 replies; 16+ messages in thread
From: Krzysztof Kozlowski @ 2023-07-04 7:35 UTC (permalink / raw)
To: Tuo Li, inki.dae, sw0312.kim, kyungmin.park, airlied, daniel,
alim.akhtar
Cc: dri-devel, linux-arm-kernel, linux-samsung-soc, linux-kernel,
baijiaju1990, BassCheck
On 30/06/2023 04:19, Tuo Li wrote:
> The variable crtc->state->event is often protected by the lock
> crtc->dev->event_lock when is accessed. However, it is accessed as a
> condition of an if statement in exynos_drm_crtc_atomic_disable() without
> holding the lock:
>
> if (crtc->state->event && !crtc->state->active)
>
> However, if crtc->state->event is changed to NULL by another thread right
> after the conditions of the if statement is checked to be true, a
> null-pointer dereference can occur in drm_crtc_send_vblank_event():
>
> e->pipe = pipe;
>
> To fix this possible null-pointer dereference caused by data race, the
> spin lock coverage is extended to protect the if statement as well as the
> function call to drm_crtc_send_vblank_event().
>
> Reported-by: BassCheck <bass@buaa.edu.cn>
> Signed-off-by: Tuo Li <islituo@gmail.com>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Best regards,
Krzysztof
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [PATCH] drm/exynos: fix a possible null-pointer dereference due to data race in exynos_drm_crtc_atomic_disable()
@ 2023-07-04 7:35 ` Krzysztof Kozlowski
0 siblings, 0 replies; 16+ messages in thread
From: Krzysztof Kozlowski @ 2023-07-04 7:35 UTC (permalink / raw)
To: Tuo Li, inki.dae, sw0312.kim, kyungmin.park, airlied, daniel,
alim.akhtar
Cc: linux-samsung-soc, BassCheck, linux-kernel, dri-devel,
baijiaju1990, linux-arm-kernel
On 30/06/2023 04:19, Tuo Li wrote:
> The variable crtc->state->event is often protected by the lock
> crtc->dev->event_lock when is accessed. However, it is accessed as a
> condition of an if statement in exynos_drm_crtc_atomic_disable() without
> holding the lock:
>
> if (crtc->state->event && !crtc->state->active)
>
> However, if crtc->state->event is changed to NULL by another thread right
> after the conditions of the if statement is checked to be true, a
> null-pointer dereference can occur in drm_crtc_send_vblank_event():
>
> e->pipe = pipe;
>
> To fix this possible null-pointer dereference caused by data race, the
> spin lock coverage is extended to protect the if statement as well as the
> function call to drm_crtc_send_vblank_event().
>
> Reported-by: BassCheck <bass@buaa.edu.cn>
> Signed-off-by: Tuo Li <islituo@gmail.com>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Best regards,
Krzysztof
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [PATCH] drm/exynos: fix a possible null-pointer dereference due to data race in exynos_drm_crtc_atomic_disable()
@ 2023-07-04 7:35 ` Krzysztof Kozlowski
0 siblings, 0 replies; 16+ messages in thread
From: Krzysztof Kozlowski @ 2023-07-04 7:35 UTC (permalink / raw)
To: Tuo Li, inki.dae, sw0312.kim, kyungmin.park, airlied, daniel,
alim.akhtar
Cc: dri-devel, linux-arm-kernel, linux-samsung-soc, linux-kernel,
baijiaju1990, BassCheck
On 30/06/2023 04:19, Tuo Li wrote:
> The variable crtc->state->event is often protected by the lock
> crtc->dev->event_lock when is accessed. However, it is accessed as a
> condition of an if statement in exynos_drm_crtc_atomic_disable() without
> holding the lock:
>
> if (crtc->state->event && !crtc->state->active)
>
> However, if crtc->state->event is changed to NULL by another thread right
> after the conditions of the if statement is checked to be true, a
> null-pointer dereference can occur in drm_crtc_send_vblank_event():
>
> e->pipe = pipe;
>
> To fix this possible null-pointer dereference caused by data race, the
> spin lock coverage is extended to protect the if statement as well as the
> function call to drm_crtc_send_vblank_event().
>
> Reported-by: BassCheck <bass@buaa.edu.cn>
> Signed-off-by: Tuo Li <islituo@gmail.com>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Best regards,
Krzysztof
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
^ permalink raw reply [flat|nested] 16+ messages in thread
* RE: [PATCH] drm/exynos: fix a possible null-pointer dereference due to data race in exynos_drm_crtc_atomic_disable()
2023-06-30 2:19 ` Tuo Li
(?)
@ 2023-07-13 0:32 ` 대인기/Tizen Platform Lab(SR)/삼성전자
-1 siblings, 0 replies; 16+ messages in thread
From: 대인기/Tizen Platform Lab(SR)/삼성전자 @ 2023-07-13 0:32 UTC (permalink / raw)
To: 'Tuo Li',
sw0312.kim, kyungmin.park, airlied, daniel, krzysztof.kozlowski,
alim.akhtar
Cc: dri-devel, linux-arm-kernel, linux-samsung-soc, linux-kernel,
baijiaju1990, 'BassCheck'
> -----Original Message-----
> From: Tuo Li <islituo@gmail.com>
> Sent: Friday, June 30, 2023 11:19 AM
> To: inki.dae@samsung.com; sw0312.kim@samsung.com;
> kyungmin.park@samsung.com; airlied@gmail.com; daniel@ffwll.ch;
> krzysztof.kozlowski@linaro.org; alim.akhtar@samsung.com
> Cc: dri-devel@lists.freedesktop.org; linux-arm-kernel@lists.infradead.org;
> linux-samsung-soc@vger.kernel.org; linux-kernel@vger.kernel.org;
> baijiaju1990@outlook.com; Tuo Li <islituo@gmail.com>; BassCheck
> <bass@buaa.edu.cn>
> Subject: [PATCH] drm/exynos: fix a possible null-pointer dereference due
> to data race in exynos_drm_crtc_atomic_disable()
>
> The variable crtc->state->event is often protected by the lock
> crtc->dev->event_lock when is accessed. However, it is accessed as a
> condition of an if statement in exynos_drm_crtc_atomic_disable() without
> holding the lock:
>
> if (crtc->state->event && !crtc->state->active)
>
> However, if crtc->state->event is changed to NULL by another thread right
> after the conditions of the if statement is checked to be true, a
> null-pointer dereference can occur in drm_crtc_send_vblank_event():
>
> e->pipe = pipe;
>
> To fix this possible null-pointer dereference caused by data race, the
> spin lock coverage is extended to protect the if statement as well as the
> function call to drm_crtc_send_vblank_event().
>
> Reported-by: BassCheck <bass@buaa.edu.cn>
> Signed-off-by: Tuo Li <islituo@gmail.com>
Applied.
Thanks,
Inki Dae
> ---
> drivers/gpu/drm/exynos/exynos_drm_crtc.c | 5 ++---
> 1 file changed, 2 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/gpu/drm/exynos/exynos_drm_crtc.c
> b/drivers/gpu/drm/exynos/exynos_drm_crtc.c
> index 4153f302de7c..d19e796c2061 100644
> --- a/drivers/gpu/drm/exynos/exynos_drm_crtc.c
> +++ b/drivers/gpu/drm/exynos/exynos_drm_crtc.c
> @@ -39,13 +39,12 @@ static void exynos_drm_crtc_atomic_disable(struct
> drm_crtc *crtc,
> if (exynos_crtc->ops->atomic_disable)
> exynos_crtc->ops->atomic_disable(exynos_crtc);
>
> + spin_lock_irq(&crtc->dev->event_lock);
> if (crtc->state->event && !crtc->state->active) {
> - spin_lock_irq(&crtc->dev->event_lock);
> drm_crtc_send_vblank_event(crtc, crtc->state->event);
> - spin_unlock_irq(&crtc->dev->event_lock);
> -
> crtc->state->event = NULL;
> }
> + spin_unlock_irq(&crtc->dev->event_lock);
> }
>
> static int exynos_crtc_atomic_check(struct drm_crtc *crtc,
> --
> 2.34.1
^ permalink raw reply [flat|nested] 16+ messages in thread
* RE: [PATCH] drm/exynos: fix a possible null-pointer dereference due to data race in exynos_drm_crtc_atomic_disable()
@ 2023-07-13 0:32 ` 대인기/Tizen Platform Lab(SR)/삼성전자
0 siblings, 0 replies; 16+ messages in thread
From: 대인기/Tizen Platform Lab(SR)/삼성전자 @ 2023-07-13 0:32 UTC (permalink / raw)
To: 'Tuo Li',
sw0312.kim, kyungmin.park, airlied, daniel, krzysztof.kozlowski,
alim.akhtar
Cc: linux-samsung-soc, 'BassCheck',
linux-kernel, dri-devel, baijiaju1990, linux-arm-kernel
> -----Original Message-----
> From: Tuo Li <islituo@gmail.com>
> Sent: Friday, June 30, 2023 11:19 AM
> To: inki.dae@samsung.com; sw0312.kim@samsung.com;
> kyungmin.park@samsung.com; airlied@gmail.com; daniel@ffwll.ch;
> krzysztof.kozlowski@linaro.org; alim.akhtar@samsung.com
> Cc: dri-devel@lists.freedesktop.org; linux-arm-kernel@lists.infradead.org;
> linux-samsung-soc@vger.kernel.org; linux-kernel@vger.kernel.org;
> baijiaju1990@outlook.com; Tuo Li <islituo@gmail.com>; BassCheck
> <bass@buaa.edu.cn>
> Subject: [PATCH] drm/exynos: fix a possible null-pointer dereference due
> to data race in exynos_drm_crtc_atomic_disable()
>
> The variable crtc->state->event is often protected by the lock
> crtc->dev->event_lock when is accessed. However, it is accessed as a
> condition of an if statement in exynos_drm_crtc_atomic_disable() without
> holding the lock:
>
> if (crtc->state->event && !crtc->state->active)
>
> However, if crtc->state->event is changed to NULL by another thread right
> after the conditions of the if statement is checked to be true, a
> null-pointer dereference can occur in drm_crtc_send_vblank_event():
>
> e->pipe = pipe;
>
> To fix this possible null-pointer dereference caused by data race, the
> spin lock coverage is extended to protect the if statement as well as the
> function call to drm_crtc_send_vblank_event().
>
> Reported-by: BassCheck <bass@buaa.edu.cn>
> Signed-off-by: Tuo Li <islituo@gmail.com>
Applied.
Thanks,
Inki Dae
> ---
> drivers/gpu/drm/exynos/exynos_drm_crtc.c | 5 ++---
> 1 file changed, 2 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/gpu/drm/exynos/exynos_drm_crtc.c
> b/drivers/gpu/drm/exynos/exynos_drm_crtc.c
> index 4153f302de7c..d19e796c2061 100644
> --- a/drivers/gpu/drm/exynos/exynos_drm_crtc.c
> +++ b/drivers/gpu/drm/exynos/exynos_drm_crtc.c
> @@ -39,13 +39,12 @@ static void exynos_drm_crtc_atomic_disable(struct
> drm_crtc *crtc,
> if (exynos_crtc->ops->atomic_disable)
> exynos_crtc->ops->atomic_disable(exynos_crtc);
>
> + spin_lock_irq(&crtc->dev->event_lock);
> if (crtc->state->event && !crtc->state->active) {
> - spin_lock_irq(&crtc->dev->event_lock);
> drm_crtc_send_vblank_event(crtc, crtc->state->event);
> - spin_unlock_irq(&crtc->dev->event_lock);
> -
> crtc->state->event = NULL;
> }
> + spin_unlock_irq(&crtc->dev->event_lock);
> }
>
> static int exynos_crtc_atomic_check(struct drm_crtc *crtc,
> --
> 2.34.1
^ permalink raw reply [flat|nested] 16+ messages in thread
* RE: [PATCH] drm/exynos: fix a possible null-pointer dereference due to data race in exynos_drm_crtc_atomic_disable()
@ 2023-07-13 0:32 ` 대인기/Tizen Platform Lab(SR)/삼성전자
0 siblings, 0 replies; 16+ messages in thread
From: 대인기/Tizen Platform Lab(SR)/삼성전자 @ 2023-07-13 0:32 UTC (permalink / raw)
To: 'Tuo Li',
sw0312.kim, kyungmin.park, airlied, daniel, krzysztof.kozlowski,
alim.akhtar
Cc: dri-devel, linux-arm-kernel, linux-samsung-soc, linux-kernel,
baijiaju1990, 'BassCheck'
> -----Original Message-----
> From: Tuo Li <islituo@gmail.com>
> Sent: Friday, June 30, 2023 11:19 AM
> To: inki.dae@samsung.com; sw0312.kim@samsung.com;
> kyungmin.park@samsung.com; airlied@gmail.com; daniel@ffwll.ch;
> krzysztof.kozlowski@linaro.org; alim.akhtar@samsung.com
> Cc: dri-devel@lists.freedesktop.org; linux-arm-kernel@lists.infradead.org;
> linux-samsung-soc@vger.kernel.org; linux-kernel@vger.kernel.org;
> baijiaju1990@outlook.com; Tuo Li <islituo@gmail.com>; BassCheck
> <bass@buaa.edu.cn>
> Subject: [PATCH] drm/exynos: fix a possible null-pointer dereference due
> to data race in exynos_drm_crtc_atomic_disable()
>
> The variable crtc->state->event is often protected by the lock
> crtc->dev->event_lock when is accessed. However, it is accessed as a
> condition of an if statement in exynos_drm_crtc_atomic_disable() without
> holding the lock:
>
> if (crtc->state->event && !crtc->state->active)
>
> However, if crtc->state->event is changed to NULL by another thread right
> after the conditions of the if statement is checked to be true, a
> null-pointer dereference can occur in drm_crtc_send_vblank_event():
>
> e->pipe = pipe;
>
> To fix this possible null-pointer dereference caused by data race, the
> spin lock coverage is extended to protect the if statement as well as the
> function call to drm_crtc_send_vblank_event().
>
> Reported-by: BassCheck <bass@buaa.edu.cn>
> Signed-off-by: Tuo Li <islituo@gmail.com>
Applied.
Thanks,
Inki Dae
> ---
> drivers/gpu/drm/exynos/exynos_drm_crtc.c | 5 ++---
> 1 file changed, 2 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/gpu/drm/exynos/exynos_drm_crtc.c
> b/drivers/gpu/drm/exynos/exynos_drm_crtc.c
> index 4153f302de7c..d19e796c2061 100644
> --- a/drivers/gpu/drm/exynos/exynos_drm_crtc.c
> +++ b/drivers/gpu/drm/exynos/exynos_drm_crtc.c
> @@ -39,13 +39,12 @@ static void exynos_drm_crtc_atomic_disable(struct
> drm_crtc *crtc,
> if (exynos_crtc->ops->atomic_disable)
> exynos_crtc->ops->atomic_disable(exynos_crtc);
>
> + spin_lock_irq(&crtc->dev->event_lock);
> if (crtc->state->event && !crtc->state->active) {
> - spin_lock_irq(&crtc->dev->event_lock);
> drm_crtc_send_vblank_event(crtc, crtc->state->event);
> - spin_unlock_irq(&crtc->dev->event_lock);
> -
> crtc->state->event = NULL;
> }
> + spin_unlock_irq(&crtc->dev->event_lock);
> }
>
> static int exynos_crtc_atomic_check(struct drm_crtc *crtc,
> --
> 2.34.1
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
^ permalink raw reply [flat|nested] 16+ messages in thread
end of thread, other threads:[~2023-07-13 0:33 UTC | newest]
Thread overview: 16+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
[not found] <CGME20230630022033epcas1p2a104f08061a51a240364b72eb43842d8@epcas1p2.samsung.com>
2023-06-30 2:19 ` [PATCH] drm/exynos: fix a possible null-pointer dereference due to data race in exynos_drm_crtc_atomic_disable() Tuo Li
2023-06-30 2:19 ` Tuo Li
2023-06-30 2:19 ` Tuo Li
2023-07-01 8:01 ` Krzysztof Kozlowski
2023-07-01 8:01 ` Krzysztof Kozlowski
2023-07-01 8:01 ` Krzysztof Kozlowski
2023-07-03 3:00 ` Tuo Li
2023-07-04 7:27 ` Krzysztof Kozlowski
2023-07-04 7:27 ` Krzysztof Kozlowski
2023-07-04 7:27 ` Krzysztof Kozlowski
2023-07-04 7:35 ` Krzysztof Kozlowski
2023-07-04 7:35 ` Krzysztof Kozlowski
2023-07-04 7:35 ` Krzysztof Kozlowski
2023-07-13 0:32 ` 대인기/Tizen Platform Lab(SR)/삼성전자
2023-07-13 0:32 ` 대인기/Tizen Platform Lab(SR)/삼성전자
2023-07-13 0:32 ` 대인기/Tizen Platform Lab(SR)/삼성전자
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.