From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Tuo Li <islituo@gmail.com>, BassCheck <bass@buaa.edu.cn>,
Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>,
Inki Dae <inki.dae@samsung.com>, Sasha Levin <sashal@kernel.org>,
sw0312.kim@samsung.com, kyungmin.park@samsung.com,
airlied@gmail.com, daniel@ffwll.ch,
dri-devel@lists.freedesktop.org,
linux-arm-kernel@lists.infradead.org,
linux-samsung-soc@vger.kernel.org
Subject: [PATCH AUTOSEL 6.5 26/36] drm/exynos: fix a possible null-pointer dereference due to data race in exynos_drm_crtc_atomic_disable()
Date: Fri, 8 Sep 2023 15:28:37 -0400 [thread overview]
Message-ID: <20230908192848.3462476-26-sashal@kernel.org> (raw)
In-Reply-To: <20230908192848.3462476-1-sashal@kernel.org>
From: Tuo Li <islituo@gmail.com>
[ Upstream commit 2e63972a2de14482d0eae1a03a73e379f1c3f44c ]
The variable crtc->state->event is often protected by the lock
crtc->dev->event_lock when is accessed. However, it is accessed as a
condition of an if statement in exynos_drm_crtc_atomic_disable() without
holding the lock:
if (crtc->state->event && !crtc->state->active)
However, if crtc->state->event is changed to NULL by another thread right
after the conditions of the if statement is checked to be true, a
null-pointer dereference can occur in drm_crtc_send_vblank_event():
e->pipe = pipe;
To fix this possible null-pointer dereference caused by data race, the
spin lock coverage is extended to protect the if statement as well as the
function call to drm_crtc_send_vblank_event().
Reported-by: BassCheck <bass@buaa.edu.cn>
Link: https://sites.google.com/view/basscheck/home
Signed-off-by: Tuo Li <islituo@gmail.com>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Added relevant link.
Signed-off-by: Inki Dae <inki.dae@samsung.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/exynos/exynos_drm_crtc.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/drivers/gpu/drm/exynos/exynos_drm_crtc.c b/drivers/gpu/drm/exynos/exynos_drm_crtc.c
index 4153f302de7c4..d19e796c20613 100644
--- a/drivers/gpu/drm/exynos/exynos_drm_crtc.c
+++ b/drivers/gpu/drm/exynos/exynos_drm_crtc.c
@@ -39,13 +39,12 @@ static void exynos_drm_crtc_atomic_disable(struct drm_crtc *crtc,
if (exynos_crtc->ops->atomic_disable)
exynos_crtc->ops->atomic_disable(exynos_crtc);
+ spin_lock_irq(&crtc->dev->event_lock);
if (crtc->state->event && !crtc->state->active) {
- spin_lock_irq(&crtc->dev->event_lock);
drm_crtc_send_vblank_event(crtc, crtc->state->event);
- spin_unlock_irq(&crtc->dev->event_lock);
-
crtc->state->event = NULL;
}
+ spin_unlock_irq(&crtc->dev->event_lock);
}
static int exynos_crtc_atomic_check(struct drm_crtc *crtc,
--
2.40.1
next prev parent reply other threads:[~2023-09-08 19:32 UTC|newest]
Thread overview: 48+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-09-08 19:28 [PATCH AUTOSEL 6.5 01/36] drm/bridge: tc358762: Instruct DSI host to generate HSE packets Sasha Levin
2023-09-08 19:28 ` [PATCH AUTOSEL 6.5 02/36] drm/edid: Add quirk for OSVR HDK 2.0 Sasha Levin
2023-09-08 19:28 ` [PATCH AUTOSEL 6.5 03/36] drm: bridge: samsung-dsim: Drain command transfer FIFO before transfer Sasha Levin
2023-09-08 19:28 ` [PATCH AUTOSEL 6.5 04/36] ASoC: amd: vangogh: Use dmi_first_match() for DMI quirk handling Sasha Levin
2023-09-08 19:28 ` [PATCH AUTOSEL 6.5 05/36] arm64: dts: qcom: sm6125-pdx201: correct ramoops pmsg-size Sasha Levin
2023-09-08 19:28 ` [PATCH AUTOSEL 6.5 06/36] arm64: dts: qcom: sm6125-sprout: " Sasha Levin
2023-09-08 19:28 ` [PATCH AUTOSEL 6.5 07/36] arm64: dts: qcom: sm6350: " Sasha Levin
2023-09-08 19:28 ` [PATCH AUTOSEL 6.5 08/36] arm64: dts: qcom: sm8150-kumano: " Sasha Levin
2023-09-08 19:28 ` [PATCH AUTOSEL 6.5 09/36] arm64: dts: qcom: sm8250-edo: " Sasha Levin
2023-09-08 19:28 ` [PATCH AUTOSEL 6.5 10/36] drm/amdgpu: Increase soft IH ring size Sasha Levin
2023-09-08 19:28 ` [PATCH AUTOSEL 6.5 11/36] drm/amd/display: Add stream overhead in BW calculations for 128b/132b Sasha Levin
2023-09-08 19:28 ` [PATCH AUTOSEL 6.5 12/36] samples/hw_breakpoint: Fix kernel BUG 'invalid opcode: 0000' Sasha Levin
2023-09-08 19:28 ` [PATCH AUTOSEL 6.5 13/36] drm/amdgpu: Update ring scheduler info as needed Sasha Levin
2023-09-08 19:28 ` [PATCH AUTOSEL 6.5 14/36] drm/amd/display: Read down-spread percentage from lut to adjust dprefclk Sasha Levin
2023-09-08 19:28 ` [PATCH AUTOSEL 6.5 15/36] drm/amd/display: Fix underflow issue on 175hz timing Sasha Levin
2023-09-08 19:28 ` [PATCH AUTOSEL 6.5 16/36] drm/vkms: Fix race-condition between the hrtimer and the atomic commit Sasha Levin
2023-09-08 19:28 ` [PATCH AUTOSEL 6.5 17/36] ASoC: SOF: topology: simplify code to prevent static analysis warnings Sasha Levin
2023-09-08 19:28 ` [PATCH AUTOSEL 6.5 18/36] ASoC: Intel: sof_sdw: Update BT offload config for soundwire config Sasha Levin
2023-09-08 19:28 ` [PATCH AUTOSEL 6.5 19/36] ALSA: hda: intel-dsp-cfg: add LunarLake support Sasha Levin
2023-09-08 19:28 ` [PATCH AUTOSEL 6.5 20/36] drm/amd/display: Use DTBCLK as refclk instead of DPREFCLK Sasha Levin
2023-09-08 19:28 ` [PATCH AUTOSEL 6.5 21/36] drm/amd/display: Blocking invalid 420 modes on HDMI TMDS for DCN31 Sasha Levin
2023-09-08 19:28 ` [PATCH AUTOSEL 6.5 22/36] drm/amd/display: Blocking invalid 420 modes on HDMI TMDS for DCN314 Sasha Levin
2023-09-08 19:28 ` [PATCH AUTOSEL 6.5 23/36] drm/amd/display: Use max memclk variable when setting max memclk Sasha Levin
2023-09-08 19:28 ` [PATCH AUTOSEL 6.5 24/36] drm/msm/adreno: Use quirk identify hw_apriv Sasha Levin
2023-09-08 19:28 ` [PATCH AUTOSEL 6.5 25/36] drm/msm/adreno: Use quirk to identify cached-coherent support Sasha Levin
2023-09-08 19:28 ` Sasha Levin [this message]
2023-09-08 19:28 ` [PATCH AUTOSEL 6.5 27/36] io_uring: annotate the struct io_kiocb slab for appropriate user copy Sasha Levin
2023-09-08 19:28 ` [PATCH AUTOSEL 6.5 28/36] drm/mediatek: dp: Change logging to dev for mtk_dp_aux_transfer() Sasha Levin
2023-09-08 19:28 ` [PATCH AUTOSEL 6.5 29/36] bus: ti-sysc: Configure uart quirks for k3 SoC Sasha Levin
2023-09-08 19:28 ` [PATCH AUTOSEL 6.5 30/36] arm64: dts: qcom: sc8280xp-x13s: Add camera activity LED Sasha Levin
2023-09-11 6:33 ` Johan Hovold
2023-09-18 21:41 ` Sasha Levin
2023-09-19 6:15 ` Johan Hovold
2023-09-19 13:06 ` Sasha Levin
2023-09-19 13:28 ` Johan Hovold
2023-09-19 15:09 ` Sasha Levin
2023-09-19 15:40 ` Johan Hovold
2023-09-19 16:00 ` Johan Hovold
2023-09-20 4:53 ` Thorsten Leemhuis
2023-09-20 7:06 ` Johan Hovold
2023-09-20 7:16 ` Krzysztof Kozlowski
2023-09-08 19:28 ` [PATCH AUTOSEL 6.5 31/36] block: Allow bio_iov_iter_get_pages() with bio->bi_bdev unset Sasha Levin
2023-09-08 19:32 ` Jens Axboe
2023-09-08 19:28 ` [PATCH AUTOSEL 6.5 32/36] md: raid1: fix potential OOB in raid1_remove_disk() Sasha Levin
2023-09-08 19:28 ` [PATCH AUTOSEL 6.5 33/36] ext2: fix datatype of block number in ext2_xattr_set2() Sasha Levin
2023-09-08 19:28 ` [PATCH AUTOSEL 6.5 34/36] blk-mq: fix tags leak when shrink nr_hw_queues Sasha Levin
2023-09-08 19:28 ` [PATCH AUTOSEL 6.5 35/36] ASoC: SOF: amd: clear panic mask status when panic occurs Sasha Levin
2023-09-08 19:28 ` [PATCH AUTOSEL 6.5 36/36] x86: bring back rep movsq for user access on CPUs without ERMS Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230908192848.3462476-26-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=airlied@gmail.com \
--cc=bass@buaa.edu.cn \
--cc=daniel@ffwll.ch \
--cc=dri-devel@lists.freedesktop.org \
--cc=inki.dae@samsung.com \
--cc=islituo@gmail.com \
--cc=krzysztof.kozlowski@linaro.org \
--cc=kyungmin.park@samsung.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-samsung-soc@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=sw0312.kim@samsung.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).