From: Sasha Levin <sashal@kernel.org>
To: stable@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: Tomi Valkeinen <tomi.valkeinen@ti.com>, Sasha Levin <sashal@kernel.org>
Subject: [PATCH AUTOSEL 4.18 01/33] drm: fix use of freed memory in drm_mode_setcrtc
Date: Tue, 30 Oct 2018 09:26:25 -0400 [thread overview]
Message-ID: <20181030132657.217970-1-sashal@kernel.org> (raw)
From: Tomi Valkeinen <tomi.valkeinen@ti.com>
[ Upstream commit 064253c1c0625efd0362a0b7ecdbe8bee2a2904d ]
drm_mode_setcrtc() retries modesetting in case one of the functions it
calls returns -EDEADLK. connector_set, mode and fb are freed before
retrying, but they are not set to NULL. This can cause
drm_mode_setcrtc() to use those variables.
For example: On the first try __drm_mode_set_config_internal() returns
-EDEADLK. connector_set, mode and fb are freed. Next retry starts, and
drm_modeset_lock_all_ctx() returns -EDEADLK, and we jump to 'out'. The
code will happily try to release all three again.
This leads to crashes of different kinds, depending on the sequence the
EDEADLKs happen.
Fix this by setting the three variables to NULL at the start of the
retry loop.
Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: https://patchwork.freedesktop.org/patch/msgid/20180917110054.4053-1-tomi.valkeinen@ti.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/drm_crtc.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/drivers/gpu/drm/drm_crtc.c b/drivers/gpu/drm/drm_crtc.c
index 98a36e6c69ad..bd207857a964 100644
--- a/drivers/gpu/drm/drm_crtc.c
+++ b/drivers/gpu/drm/drm_crtc.c
@@ -560,9 +560,9 @@ int drm_mode_setcrtc(struct drm_device *dev, void *data,
struct drm_mode_crtc *crtc_req = data;
struct drm_crtc *crtc;
struct drm_plane *plane;
- struct drm_connector **connector_set = NULL, *connector;
- struct drm_framebuffer *fb = NULL;
- struct drm_display_mode *mode = NULL;
+ struct drm_connector **connector_set, *connector;
+ struct drm_framebuffer *fb;
+ struct drm_display_mode *mode;
struct drm_mode_set set;
uint32_t __user *set_connectors_ptr;
struct drm_modeset_acquire_ctx ctx;
@@ -591,6 +591,10 @@ int drm_mode_setcrtc(struct drm_device *dev, void *data,
mutex_lock(&crtc->dev->mode_config.mutex);
drm_modeset_acquire_init(&ctx, DRM_MODESET_ACQUIRE_INTERRUPTIBLE);
retry:
+ connector_set = NULL;
+ fb = NULL;
+ mode = NULL;
+
ret = drm_modeset_lock_all_ctx(crtc->dev, &ctx);
if (ret)
goto out;
--
2.17.1
next reply other threads:[~2018-10-30 13:27 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-10-30 13:26 Sasha Levin [this message]
2018-10-30 13:26 ` [PATCH AUTOSEL 4.18 02/33] bpf: do not blindly change rlimit in reuseport net selftest Sasha Levin
2018-10-30 13:26 ` [PATCH AUTOSEL 4.18 03/33] nvme: remove ns sibling before clearing path Sasha Levin
2018-10-30 13:26 ` [PATCH AUTOSEL 4.18 04/33] Revert "perf tools: Fix PMU term format max value calculation" Sasha Levin
2018-10-30 13:26 ` [PATCH AUTOSEL 4.18 05/33] selftests: usbip: add wait after attach and before checking port status Sasha Levin
2018-10-30 13:26 ` [PATCH AUTOSEL 4.18 06/33] net/mlx5: Fix memory leak when setting fpga ipsec caps Sasha Levin
2018-10-30 13:26 ` [PATCH AUTOSEL 4.18 07/33] net/mlx5: Take only bit 24-26 of wqe.pftype_wq for page fault type Sasha Levin
2018-10-30 13:26 ` [PATCH AUTOSEL 4.18 08/33] net/mlx5: WQ, fixes for fragmented WQ buffers API Sasha Levin
2018-10-30 13:26 ` [PATCH AUTOSEL 4.18 09/33] xsk: do not call synchronize_net() under RCU read lock Sasha Levin
2018-10-30 13:26 ` [PATCH AUTOSEL 4.18 10/33] xfrm: policy: use hlist rcu variants on insert Sasha Levin
2018-10-30 13:26 ` [PATCH AUTOSEL 4.18 11/33] perf vendor events intel: Fix wrong filter_band* values for uncore events Sasha Levin
2018-10-30 13:26 ` [PATCH AUTOSEL 4.18 12/33] sparc: Fix single-pcr perf event counter management Sasha Levin
2018-10-30 13:26 ` [PATCH AUTOSEL 4.18 13/33] sparc: Throttle perf events properly Sasha Levin
2018-10-30 13:26 ` [PATCH AUTOSEL 4.18 14/33] sparc64: Make proc_id signed Sasha Levin
2018-10-30 13:26 ` [PATCH AUTOSEL 4.18 15/33] r8169: Enable MSI-X on RTL8106e Sasha Levin
2018-10-30 13:26 ` [PATCH AUTOSEL 4.18 16/33] net: bcmgenet: Poll internal PHY for GENETv5 Sasha Levin
2018-10-30 13:26 ` [PATCH AUTOSEL 4.18 17/33] net: fec: don't dump RX FIFO register when not available Sasha Levin
2018-10-30 13:26 ` [PATCH AUTOSEL 4.18 18/33] nfp: flower: fix pedit set actions for multiple partial masks Sasha Levin
2018-10-30 13:26 ` [PATCH AUTOSEL 4.18 19/33] nfp: flower: use offsets provided by pedit instead of index for ipv6 Sasha Levin
2018-10-30 13:26 ` [PATCH AUTOSEL 4.18 20/33] sched/fair: Fix the min_vruntime update logic in dequeue_entity() Sasha Levin
2018-10-30 13:26 ` [PATCH AUTOSEL 4.18 21/33] perf evsel: Store ids for events with their own cpus perf_event__synthesize_event_update_cpus Sasha Levin
2018-10-30 13:26 ` [PATCH AUTOSEL 4.18 22/33] perf tools: Fix use of alternatives to find JDIR Sasha Levin
2018-10-30 13:26 ` [PATCH AUTOSEL 4.18 23/33] perf cpu_map: Align cpu map synthesized events properly Sasha Levin
2018-10-30 13:26 ` [PATCH AUTOSEL 4.18 24/33] perf report: Don't crash on invalid inline debug information Sasha Levin
2018-10-30 13:26 ` [PATCH AUTOSEL 4.18 25/33] x86/fpu: Remove second definition of fpu in __fpu__restore_sig() Sasha Levin
2018-10-30 13:26 ` [PATCH AUTOSEL 4.18 26/33] net: qla3xxx: Remove overflowing shift statement Sasha Levin
2018-10-30 13:26 ` [PATCH AUTOSEL 4.18 27/33] r8169: re-enable MSI-X on RTL8168g Sasha Levin
2018-10-30 13:26 ` [PATCH AUTOSEL 4.18 28/33] virtio_net: avoid using netif_tx_disable() for serializing tx routine Sasha Levin
2018-10-30 13:26 ` [PATCH AUTOSEL 4.18 29/33] drm: Get ref on CRTC commit object when waiting for flip_done Sasha Levin
2018-10-30 13:26 ` [PATCH AUTOSEL 4.18 30/33] r8169: fix NAPI handling under high load Sasha Levin
2018-10-30 13:26 ` [PATCH AUTOSEL 4.18 31/33] selftests: ftrace: Add synthetic event syntax testcase Sasha Levin
2018-10-30 13:26 ` [PATCH AUTOSEL 4.18 32/33] net: fix pskb_trim_rcsum_slow() with odd trim offset Sasha Levin
2018-10-30 13:26 ` [PATCH AUTOSEL 4.18 33/33] i2c: rcar: cleanup DMA for all kinds of failure Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181030132657.217970-1-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=tomi.valkeinen@ti.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).