mirror-linux/drivers/gpu/drm
Daniel Vetter e4a0e09b79 drm/atomic: Fix potential use-after-free in nonblocking commits
commit 4e076c73e4 upstream.

This requires a bit of background.  Properly done, a modeset driver's
unload/remove sequence should be

	drm_dev_unplug();
	drm_atomic_helper_shutdown();
	drm_dev_put();

The trouble is that the drm_dev_unplugged() checks are by design racy;
they do not synchronize against all outstanding ioctl.  This is because
those ioctl could block forever (both for modeset and for driver
specific ioctls), leading to deadlocks in hotunplug.  Instead the code
sections that touch the hardware need to be annotated with
drm_dev_enter/exit, to avoid accessing hardware resources after the
unload/remove has finished.

To avoid use-after-free issues all the involved userspace visible
objects are supposed to hold a reference on the underlying drm_device,
like drm_file does.

The issue now is that we missed one, the atomic modeset ioctl can be run
in a nonblocking fashion, and in that case it cannot rely on the implied
drm_device reference provided by the ioctl calling context.  This can
result in a use-after-free if a nonblocking atomic commit is carefully
raced against a driver unload.

Fix this by unconditionally grabbing a drm_device reference for any
drm_atomic_state structures.  Strictly speaking this isn't required for
blocking commits and TEST_ONLY calls, but it's the simpler approach.

Thanks to shanzhulig for the initial idea of grabbing an unconditional
reference, I just added comments, a condensed commit message and fixed a
minor potential issue in where exactly we drop the final reference.

Reported-by: shanzhulig <shanzhulig@gmail.com>
Suggested-by: shanzhulig <shanzhulig@gmail.com>
Reviewed-by: Maxime Ripard <mripard@kernel.org>
Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
Cc: Thomas Zimmermann <tzimmermann@suse.de>
Cc: David Airlie <airlied@gmail.com>
Cc: stable@kernel.org
Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2023-07-23 13:49:50 +02:00
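The lifetime problem the commit message describes, as an added user-space model (example code, not the kernel's or this commit's code): a device with a reference count and an unplugged flag, a drm_file-style reference that goes away once the ioctl caller is gone, and a nonblocking commit that is finished later from a worker. toy_dev, toy_state, dev_enter and race_unload are invented stand-ins for drm_device, drm_atomic_state, drm_dev_enter and the real commit path; a "freed" device is only marked dead rather than free()d so the stale access can be reported instead of crashing the demo.

```c
/*
 * Added user-space model of the race in the commit message, not kernel code:
 * dev_get/dev_put/dev_unplug/dev_enter stand in for the drm_dev_* calls, and a
 * "freed" device is only marked dead, never free()d, so the late access can be
 * reported instead of crashing the demo.
 */
#include <stdbool.h>
#include <stdlib.h>

struct toy_dev {
	int refcount;    /* models the drm_device kref */
	bool unplugged;  /* set by dev_unplug(), checked by dev_enter() */
	bool live;       /* false once the last reference is dropped */
};

struct toy_state {         /* models drm_atomic_state */
	struct toy_dev *dev;
	bool holds_dev_ref;  /* with the fix: the state owns a device reference */
};

enum commit_result {
	COMMIT_HW_TOUCHED,         /* device present, hardware programmed */
	COMMIT_SKIPPED_UNPLUGGED,  /* dev_enter() failed, hardware left alone */
	COMMIT_USE_AFTER_FREE,     /* the state pointed at a freed device */
};

static struct toy_dev *dev_alloc(void)
{
	struct toy_dev *d = calloc(1, sizeof(*d));
	d->refcount = 1;  /* the reference owned by the driver module */
	d->live = true;
	return d;
}

static void dev_get(struct toy_dev *d) { d->refcount++; }
/* Dropping the last reference "frees" the device (marked dead, see above). */
static void dev_put(struct toy_dev *d) { if (--d->refcount == 0) d->live = false; }
static void dev_unplug(struct toy_dev *d) { d->unplugged = true; }
/* Models drm_dev_enter(): hardware may be touched only while still plugged. */
static bool dev_enter(struct toy_dev *d) { return !d->unplugged; }

static struct toy_state *state_alloc(struct toy_dev *d, bool hold_dev_ref)
{
	struct toy_state *st = calloc(1, sizeof(*st));
	st->dev = d;
	st->holds_dev_ref = hold_dev_ref;
	if (hold_dev_ref)
		dev_get(d);  /* the fix: pin the device for the state's lifetime */
	return st;
}

/* Final state put: free the state first, then drop the device reference. */
static void state_free(struct toy_state *st)
{
	struct toy_dev *d = st->dev;
	bool put = st->holds_dev_ref;
	free(st);
	if (put)
		dev_put(d);
}

/* The deferred half of a nonblocking commit, run later from a worker. */
static enum commit_result commit_tail(struct toy_state *st)
{
	struct toy_dev *d = st->dev;
	/* In the kernel the read inside drm_dev_enter() is the use-after-free. */
	if (!d->live) {
		free(st);
		return COMMIT_USE_AFTER_FREE;
	}
	if (!dev_enter(d)) {
		state_free(st);
		return COMMIT_SKIPPED_UNPLUGGED;
	}
	/* hardware would be programmed here */
	state_free(st);
	return COMMIT_HW_TOUCHED;
}

/*
 * Nonblocking commit raced against unload: the ioctl builds a state and
 * returns, the drm_file's reference goes away, the driver is unplugged and
 * drops its own reference, and only then does the worker run.  *refcount
 * reports the device's final count so the caller can check for leaks.
 */
static enum commit_result race_unload(bool state_holds_ref, int *refcount)
{
	struct toy_dev *d = dev_alloc();
	enum commit_result r;
	dev_get(d);                                             /* drm_file opened */
	struct toy_state *st = state_alloc(d, state_holds_ref); /* nonblocking ioctl */
	dev_put(d);                                             /* drm_file closed */
	dev_unplug(d);                                          /* drm_dev_unplug() */
	dev_put(d);                                             /* module's drm_dev_put() */
	r = commit_tail(st);                                    /* worker finally runs */
	*refcount = d->refcount;
	free(d);
	return r;
}
```

Call race_unload(false, &rc) and race_unload(true, &rc) from a main() of your own: without the state holding its own reference the worker finds a dead device (COMMIT_USE_AFTER_FREE); with it the device survives until the worker's final state put, dev_enter() reports the unplug and the hardware is left alone (COMMIT_SKIPPED_UNPLUGGED). rc is 0 in both cases, showing the extra reference is balanced and does not leak the device.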
amd Revert "drm/amd: Disable PSR-SU on Parade 0803 TCON" 2023-07-23 13:49:50 +02:00
arm
armada drm/armada: Fix a potential double free in an error handling path 2023-04-20 12:35:09 +02:00
aspeed
ast drm/ast: Fix ARM compatibility 2023-06-09 10:34:07 +02:00
atmel-hlcdc
bridge drm/bridge: ti-sn65dsi86: Fix auxiliary bus lifetime 2023-07-23 13:49:19 +02:00
display drm: use mgr->dev in drm_dbg_kms in drm_dp_add_payload_part2 2023-07-19 16:20:54 +02:00
etnaviv drm/etnaviv: fix reference leak when mmaping imported buffer 2023-04-06 12:10:55 +02:00
exynos drm/exynos: fix race condition UAF in exynos_g2d_exec_ioctl 2023-06-28 11:12:39 +02:00
fsl-dcu drm/fsl-dcu: Fix return type of fsl_dcu_drm_connector_mode_valid() 2022-12-31 13:33:06 +01:00
gma500 drm pull for 6.1-rc1 2022-10-05 11:24:12 -07:00
gud drm/gud: Fix UBSAN warning 2023-03-10 09:34:33 +01:00
hisilicon drm pull for 6.1-rc1 2022-10-05 11:24:12 -07:00
hyperv hyperv-next for 6.1 2022-10-10 13:59:01 -07:00
i2c
i810
i915 drm/i915: Fix one wrong caching mode enum usage 2023-07-23 13:49:25 +02:00
imx drm/imx: ipuv3-plane: Fix overlay plane width 2023-01-12 12:02:27 +01:00
ingenic drm/ingenic: Fix missing platform_driver_unregister() call in ingenic_drm_init() 2023-01-07 11:11:57 +01:00
kmb
lib
lima drm/lima/lima_drv: Add missing unwind goto in lima_pdev_probe() 2023-05-11 23:03:12 +09:00
logicvc
mcde
mediatek drm/mediatek: dp: Change the aux retries times when receiving AUX_DEFER 2023-05-11 23:03:12 +09:00
meson drm/meson: fix missing component unbind on bind errors 2023-03-30 12:49:27 +02:00
mga
mgag200 drm/mgag200: Fix gamma lut not initialized. 2023-05-30 14:03:19 +01:00
msm drm/msm/dpu: correct MERGE_3D length 2023-07-19 16:21:32 +02:00
mxsfb drm: mxsfb: DRM_MXSFB should depend on ARCH_MXS || ARCH_MXC 2023-03-10 09:33:09 +01:00
nouveau drm/nouveau: add nv_encoder pointer check for NULL 2023-06-21 16:01:01 +02:00
omapdrm drm/omap: dsi: Fix excessive stack usage 2023-03-10 09:33:55 +01:00
panel drm/panel: simple: Add Powertip PH800480T013 drm_display_mode flags 2023-07-23 13:49:20 +02:00
panfrost drm/panfrost: Fix the panfrost_mmu_map_fault_addr() error path 2023-04-13 16:55:35 +02:00
pl111
qxl
r128
radeon drm/radeon: fix possible division-by-zero errors 2023-07-19 16:21:28 +02:00
rcar-du drm: rcar-du: Fix a NULL vs IS_ERR() bug 2023-05-11 23:03:11 +09:00
rockchip drm/rockchip: vop: Leave vblank enabled in self-refresh 2023-07-23 13:49:39 +02:00
savage
scheduler drm/scheduler: fix fence ref counting 2022-10-25 13:14:36 +02:00
shmobile
sis
solomon drm/ssd130x: Init display before the SSD130X_DISPLAY_ON command 2023-02-09 11:28:02 +01:00
sprd
sti drm/sti: Fix return type of sti_{dvo,hda,hdmi}_connector_mode_valid() 2022-12-31 13:33:06 +01:00
stm
sun4i drm: sun4i_tcon: use devm_clk_get_enabled in `sun4i_tcon_init_clocks` 2023-07-19 16:21:17 +02:00
tdfx
tegra drm/tegra: Avoid potential 32-bit integer overflow 2023-05-24 17:32:35 +01:00
tests drm: test: Fix 32-bit issue in drm_buddy_test 2023-04-26 14:28:36 +02:00
tidss drm: tidss: Fix pixel format definition 2023-03-10 09:33:09 +01:00
tilcdc
tiny drm/cirrus: NULL-check pipe->plane.state->fb in cirrus_pipe_update() 2023-03-30 12:49:16 +02:00
ttm drm/ttm: Don't leak a resource on swapout move error 2023-07-23 13:49:40 +02:00
tve200
udl
v3d
vboxvideo
vc4 drm/vc4: hdmi: Correct interlaced timings again 2023-03-10 09:33:11 +01:00
vgem drm/vgem: add missing mutex_destroy 2023-05-11 23:03:07 +09:00
via
virtio drm/virtio: Pass correct device to dma_sync_sgtable_for_device() 2023-03-22 13:33:39 +01:00
vkms drm/vkms: Fix RGB565 pixel conversion 2023-07-19 16:21:18 +02:00
vmwgfx drm/vmwgfx: Fix Legacy Display Unit atomic drm support 2023-05-17 11:53:27 +02:00
xen
xlnx
Kconfig drm: Disable dynamic debug as broken 2023-02-22 12:59:46 +01:00
Makefile Driver core changes for 6.1-rc1 2022-10-07 17:04:10 -07:00
drm_agpsupport.c
drm_aperture.c
drm_atomic.c drm/atomic: Fix potential use-after-free in nonblocking commits 2023-07-23 13:49:50 +02:00
drm_atomic_helper.c drm/atomic: Allow vblank-enabled + self-refresh "disable" 2023-07-23 13:49:39 +02:00
drm_atomic_state_helper.c
drm_atomic_uapi.c
drm_auth.c
drm_blend.c
drm_bridge.c drm/bridge: Introduce pre_enable_prev_first to alter bridge init order 2023-07-19 16:21:23 +02:00
drm_bridge_connector.c
drm_buddy.c drm: buddy_allocator: Fix buddy allocator init on 32-bit systems 2023-04-26 14:28:36 +02:00
drm_bufs.c
drm_cache.c
drm_client.c drm/client: Send hotplug event after registering a client 2023-07-23 13:49:28 +02:00
drm_client_modeset.c
drm_color_mgmt.c
drm_connector.c drm/connector: send hotplug uevent on connector cleanup 2023-01-07 11:11:56 +01:00
drm_context.c
drm_crtc.c
drm_crtc_helper.c Driver core changes for 6.1-rc1 2022-10-07 17:04:10 -07:00
drm_crtc_helper_internal.h
drm_crtc_internal.h
drm_damage_helper.c
drm_debugfs.c
drm_debugfs_crc.c
drm_displayid.c drm/displayid: add displayid_get_header() and check bounds better 2023-05-24 17:32:34 +01:00
drm_dma.c
drm_drv.c drm/drv: Fix potential memory leak in drm_dev_init() 2022-11-10 18:49:01 -05:00
drm_dumb_buffers.c
drm_edid.c drm/edid: fix parsing of 3D modes from HDMI VSDB 2023-03-10 09:34:33 +01:00
drm_edid_load.c
drm_encoder.c
drm_encoder_slave.c
drm_fb_dma_helper.c
drm_fb_helper.c drm/client: Send hotplug event after registering a client 2023-07-23 13:49:28 +02:00
drm_file.c
drm_flip_work.c
drm_format_helper.c drm/format-helper: Only advertise supported formats for conversion 2022-10-31 09:50:44 +01:00
drm_fourcc.c drm/fourcc: Add missing big-endian XRGB1555 and RGB565 formats 2023-03-10 09:33:08 +01:00
drm_framebuffer.c
drm_gem.c drm/msm/gem: Prevent blocking within shrinker loop 2023-03-22 13:33:39 +01:00
drm_gem_atomic_helper.c
drm_gem_dma_helper.c
drm_gem_framebuffer_helper.c
drm_gem_shmem_helper.c drm/shmem-helper: Remove another errant put in error path 2023-03-22 13:34:00 +01:00
drm_gem_ttm_helper.c
drm_gem_vram_helper.c drm/vram-helper: fix function names in vram helper doc 2023-07-19 16:21:16 +02:00
drm_hashtab.c
drm_internal.h drm: Fix potential null-ptr-deref in drm_vblank_destroy_worker() 2022-11-10 18:49:02 -05:00
drm_ioc32.c
drm_ioctl.c
drm_irq.c
drm_kms_helper_common.c
drm_lease.c
drm_legacy.h
drm_legacy_misc.c
drm_lock.c
drm_managed.c drm: fix drmm_mutex_init() 2023-05-30 14:03:20 +01:00
drm_memory.c
drm_mipi_dbi.c
drm_mipi_dsi.c drm/mipi-dsi: Set the fwnode for mipi_dsi_device 2023-05-24 17:32:31 +01:00
drm_mm.c
drm_mode_config.c drm: Fix potential null-ptr-deref due to drmm_mode_config_init() 2023-03-10 09:33:08 +01:00
drm_mode_object.c
drm_modes.c
drm_modeset_helper.c
drm_modeset_lock.c
drm_nomodeset.c
drm_of.c
drm_panel.c
drm_panel_orientation_quirks.c drm: panel-orientation-quirks: Change Air's quirk to support Air Plus 2023-06-21 16:00:52 +02:00
drm_pci.c
drm_plane.c
drm_plane_helper.c
drm_prime.c
drm_print.c
drm_privacy_screen.c
drm_privacy_screen_x86.c
drm_probe_helper.c drm/probe-helper: Cancel previous job before starting new one 2023-05-11 23:03:07 +09:00
drm_property.c
drm_rect.c
drm_scatter.c
drm_self_refresh_helper.c
drm_simple_kms_helper.c
drm_syncobj.c
drm_sysfs.c
drm_trace.h
drm_trace_points.c
drm_vblank.c
drm_vblank_work.c
drm_vm.c
drm_vma_manager.c drm/drm_vma_manager: Add drm_vma_node_allow_once() 2023-02-01 08:34:42 +01:00
drm_writeback.c