From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
To: Johan Hovold <johan+linaro@kernel.org>
Cc: Bjorn Andersson <andersson@kernel.org>,
Andrzej Hajda <andrzej.hajda@intel.com>,
Neil Armstrong <neil.armstrong@linaro.org>,
Robert Foss <rfoss@kernel.org>,
Maarten Lankhorst <maarten.lankhorst@linux.intel.com>,
Maxime Ripard <mripard@kernel.org>,
Thomas Zimmermann <tzimmermann@suse.de>,
David Airlie <airlied@gmail.com>, Daniel Vetter <daniel@ffwll.ch>,
Vinod Koul <vkoul@kernel.org>, Jonas Karlman <jonas@kwiboo.se>,
Laurent Pinchart <Laurent.pinchart@ideasonboard.com>,
Jernej Skrabec <jernej.skrabec@gmail.com>,
Konrad Dybcio <konrad.dybcio@linaro.org>,
Kishon Vijay Abraham I <kishon@kernel.org>,
Rob Clark <robdclark@gmail.com>,
Abhinav Kumar <quic_abhinavk@quicinc.com>,
Kuogee Hsieh <quic_khsieh@quicinc.com>,
freedreno@lists.freedesktop.org,
dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org,
linux-arm-msm@vger.kernel.org, linux-phy@lists.infradead.org,
stable@vger.kernel.org
Subject: Re: [PATCH 3/6] soc: qcom: pmic_glink_altmode: fix drm bridge use-after-free
Date: Thu, 22 Feb 2024 23:10:11 +0200 [thread overview]
Message-ID: <CAA8EJpoPaknqPUEg8p37Nh1MV62Cr8fH+MxE-1b+T-8h3BmO9Q@mail.gmail.com> (raw)
In-Reply-To: <20240217150228.5788-4-johan+linaro@kernel.org>
On Sat, 17 Feb 2024 at 17:03, Johan Hovold <johan+linaro@kernel.org> wrote:
>
> A recent DRM series purporting to simplify support for "transparent
> bridges" and handling of probe deferrals ironically exposed a
> use-after-free issue on pmic_glink_altmode probe deferral.
>
> This has manifested itself as the display subsystem occasionally failing
> to initialise and NULL-pointer dereferences during boot of machines like
> the Lenovo ThinkPad X13s.
>
> Specifically, the dp-hpd bridge is currently registered before all
> resources have been acquired which means that it can also be
> deregistered on probe deferrals.
>
> In the meantime there is a race window where the new aux bridge driver
> (or PHY driver previously) may have looked up the dp-hpd bridge and
> stored a (non-reference-counted) pointer to the bridge which is about to
> be deallocated.
>
> When the display controller is later initialised, this triggers a
> use-after-free when attaching the bridges:
>
> dp -> aux -> dp-hpd (freed)
>
> which may, for example, result in the freed bridge failing to attach:
>
> [drm:drm_bridge_attach [drm]] *ERROR* failed to attach bridge /soc@0/phy@88eb000 to encoder TMDS-31: -16
>
> or a NULL-pointer dereference:
>
> Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
> ...
> Call trace:
> drm_bridge_attach+0x70/0x1a8 [drm]
> drm_aux_bridge_attach+0x24/0x38 [aux_bridge]
> drm_bridge_attach+0x80/0x1a8 [drm]
> dp_bridge_init+0xa8/0x15c [msm]
> msm_dp_modeset_init+0x28/0xc4 [msm]
>
> The DRM bridge implementation is clearly fragile and implicitly built on
> the assumption that bridges may never go away. In this case, the fix is
> to move the bridge registration in the pmic_glink_altmode driver to
> after all resources have been looked up.
>
> Incidentally, with the new dp-hpd bridge implementation, which registers
> child devices, this is also a requirement due to a long-standing issue
> in driver core that can otherwise lead to a probe deferral loop (see
> fbc35b45f9f6 ("Add documentation on meaning of -EPROBE_DEFER")).
>
> Fixes: 080b4e24852b ("soc: qcom: pmic_glink: Introduce altmode support")
> Fixes: 2bcca96abfbf ("soc: qcom: pmic-glink: switch to DRM_AUX_HPD_BRIDGE")
> Cc: stable@vger.kernel.org # 6.3
> Cc: Bjorn Andersson <andersson@kernel.org>
> Cc: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
> Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
> ---
> drivers/soc/qcom/pmic_glink_altmode.c | 16 +++++++++++++---
> 1 file changed, 13 insertions(+), 3 deletions(-)
>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
--
With best wishes
Dmitry
next prev parent reply other threads:[~2024-02-22 21:10 UTC|newest]
Thread overview: 51+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-02-17 15:02 [PATCH 0/6] soc: qcom: pmic_glink_altmode: fix drm bridge use-after-free Johan Hovold
2024-02-17 15:02 ` [PATCH 1/6] drm/bridge: aux-hpd: fix OF node leaks Johan Hovold
2024-02-19 17:48 ` Markus Elfring
2024-02-20 7:24 ` Johan Hovold
2024-02-20 11:52 ` Julia Lawall
2024-02-20 11:55 ` Dmitry Baryshkov
2024-02-20 12:56 ` Julia Lawall
2024-02-20 13:35 ` Dmitry Baryshkov
2024-02-22 1:22 ` Bjorn Andersson
2024-02-22 21:00 ` Dmitry Baryshkov
2024-02-23 10:56 ` Neil Armstrong
2024-02-23 10:56 ` Neil Armstrong
2024-02-17 15:02 ` [PATCH 2/6] drm/bridge: aux-hpd: separate allocation and registration Johan Hovold
2024-02-22 2:06 ` Bjorn Andersson
2024-02-22 16:06 ` Johan Hovold
2024-02-22 20:57 ` Dmitry Baryshkov
2024-02-23 12:46 ` Johan Hovold
2024-02-17 15:02 ` [PATCH 3/6] soc: qcom: pmic_glink_altmode: fix drm bridge use-after-free Johan Hovold
2024-02-20 8:25 ` Markus Elfring
2024-02-20 10:55 ` Markus Elfring
2024-02-20 11:26 ` Johan Hovold
2024-02-20 12:40 ` [3/6] " Markus Elfring
2024-02-22 2:11 ` [PATCH 3/6] " Bjorn Andersson
2024-02-22 21:10 ` Dmitry Baryshkov [this message]
2024-02-17 15:02 ` [PATCH 4/6] soc: qcom: pmic_glink: Fix boot when QRTR=m Johan Hovold
2024-02-22 2:18 ` Bjorn Andersson
2024-02-22 21:10 ` Dmitry Baryshkov
2024-02-23 11:04 ` Neil Armstrong
2024-02-17 15:02 ` [PATCH 5/6] phy: qcom-qmp-combo: fix drm bridge registration Johan Hovold
2024-02-19 9:03 ` Neil Armstrong
2024-02-22 2:21 ` Bjorn Andersson
2024-02-22 21:11 ` Dmitry Baryshkov
2024-02-23 12:09 ` Vinod Koul
2024-02-17 15:02 ` [PATCH 6/6] phy: qcom-qmp-combo: fix type-c switch registration Johan Hovold
2024-02-22 2:23 ` Bjorn Andersson
2024-02-22 21:12 ` Dmitry Baryshkov
2024-02-23 12:10 ` Vinod Koul
2024-02-23 11:02 ` [PATCH 0/6] soc: qcom: pmic_glink_altmode: fix drm bridge use-after-free Neil Armstrong
2024-02-23 11:03 ` Neil Armstrong
2024-02-23 12:51 ` Johan Hovold
2024-02-23 13:52 ` Neil Armstrong
2024-02-23 14:18 ` Dmitry Baryshkov
2024-02-23 14:28 ` Johan Hovold
2024-02-23 14:21 ` Johan Hovold
2024-02-23 14:38 ` Neil Armstrong
2024-02-23 14:52 ` Johan Hovold
2024-02-23 14:55 ` Neil Armstrong
2024-02-23 15:07 ` Dmitry Baryshkov
2024-02-23 14:54 ` Neil Armstrong
2024-02-23 15:06 ` (subset) " Dmitry Baryshkov
2024-03-06 17:47 ` Vinod Koul
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAA8EJpoPaknqPUEg8p37Nh1MV62Cr8fH+MxE-1b+T-8h3BmO9Q@mail.gmail.com \
--to=dmitry.baryshkov@linaro.org \
--cc=Laurent.pinchart@ideasonboard.com \
--cc=airlied@gmail.com \
--cc=andersson@kernel.org \
--cc=andrzej.hajda@intel.com \
--cc=daniel@ffwll.ch \
--cc=dri-devel@lists.freedesktop.org \
--cc=freedreno@lists.freedesktop.org \
--cc=jernej.skrabec@gmail.com \
--cc=johan+linaro@kernel.org \
--cc=jonas@kwiboo.se \
--cc=kishon@kernel.org \
--cc=konrad.dybcio@linaro.org \
--cc=linux-arm-msm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-phy@lists.infradead.org \
--cc=maarten.lankhorst@linux.intel.com \
--cc=mripard@kernel.org \
--cc=neil.armstrong@linaro.org \
--cc=quic_abhinavk@quicinc.com \
--cc=quic_khsieh@quicinc.com \
--cc=rfoss@kernel.org \
--cc=robdclark@gmail.com \
--cc=stable@vger.kernel.org \
--cc=tzimmermann@suse.de \
--cc=vkoul@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).