iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/drivers/gpu/drm
History
Tuo Li 9ac69bda79 drm/exynos: fix a possible null-pointer dereference due to data race in exynos_drm_crtc_atomic_disable() 
[ Upstream commit 2e63972a2de14482d0eae1a03a73e379f1c3f44c ]

The variable crtc->state->event is often protected by the lock
crtc->dev->event_lock when is accessed. However, it is accessed as a
condition of an if statement in exynos_drm_crtc_atomic_disable() without
holding the lock:

  if (crtc->state->event && !crtc->state->active)

However, if crtc->state->event is changed to NULL by another thread right
after the conditions of the if statement is checked to be true, a
null-pointer dereference can occur in drm_crtc_send_vblank_event():

  e->pipe = pipe;

To fix this possible null-pointer dereference caused by data race, the
spin lock coverage is extended to protect the if statement as well as the
function call to drm_crtc_send_vblank_event().

Reported-by: BassCheck <bass@buaa.edu.cn>
Link: https://sites.google.com/view/basscheck/home
Signed-off-by: Tuo Li <islituo@gmail.com>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Added relevant link.
Signed-off-by: Inki Dae <inki.dae@samsung.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2023-09-23 10:48:16 +02:00
..
amd
drm/amd/display: Fix a bug when searching for insert_above_mpcc
2023-09-23 10:48:15 +02:00
arc
drm: drop _mode_ from drm_mode_connector_attach_encoder
2018-07-13 18:40:27 +02:00
arm
drm/arm: fix unintentional integer overflow on left shift
2020-08-19 08:14:54 +02:00
armada
drm/armada: remove obsolete fb unreferencing kfifo and workqueue
2018-07-30 11:53:06 +01:00
ast
drm/ast: Fix DRAM init on AST2200
2023-09-23 10:48:12 +02:00
atmel-hlcdc
drm: atmel-hlcdc: enable clock before configuring timing engine
2020-02-11 04:34:16 -08:00
bochs
drm/bochs: downgrade pci_request_region failure from error to warning
2020-04-13 10:44:59 +02:00
bridge
drm: adv7511: Fix low refresh rate register for ADV7533/5
2023-09-23 10:48:04 +02:00
cirrus
drm/cirrus: Use drm_framebuffer_put to avoid kernel oops in clean-up
2019-04-20 09:16:00 +02:00
etnaviv
drm/etnaviv: fix reference leak when mmaping imported buffer
2023-04-05 11:15:42 +02:00
exynos
drm/exynos: fix a possible null-pointer dereference due to data race in exynos_drm_crtc_atomic_disable()
2023-09-23 10:48:16 +02:00
fsl-dcu
drm/fsl-dcu: Fix return type of fsl_dcu_drm_connector_mode_valid()
2023-01-18 11:30:37 +01:00
gma500
gma500: fix an incorrect NULL check on list iterator
2022-06-14 16:59:30 +02:00
hisilicon
drm/hisilicon: hibmc: Don't overwrite fb helper surface depth
2020-01-27 14:49:55 +01:00
i2c
Merge branch 'drm-tda9950-fixes' of git://git.armlinux.org.uk/~rmk/linux-arm into drm-fixes
2018-10-04 10:32:14 +10:00
i810
drm/i810: Prevent underflow in ioctl
2019-12-13 08:52:44 +01:00
i915
drm/i915: Don't use stolen memory for ring buffers with LLC
2023-03-22 13:27:12 +01:00
imx
drm/imx: imx-tve: Fix return type of imx_tve_connector_mode_valid
2022-11-25 17:40:22 +01:00
lib
mediatek
drm/mediatek: Clean dangling pointer on bind error path
2023-03-11 16:31:41 +01:00
meson
drm/meson: Correct OSD1 global alpha value
2022-09-28 11:02:52 +02:00
mga
mgag200
drm: drop _mode_ from drm_mode_connector_attach_encoder
2018-07-13 18:40:27 +02:00
msm
drm/msm/mdp5: Don't leak some plane state
2023-09-23 10:48:04 +02:00
mxsfb
drm: mxsfb: DRM_MXSFB should depend on ARCH_MXS || ARCH_MXC
2023-03-11 16:31:39 +01:00
nouveau
drm/nouveau/disp: Revert a NULL check inside nouveau_connector_get_modes
2023-08-16 18:13:00 +02:00
omapdrm
drm/omap: dmm_tiler: fix return error code in omap_dmm_probe()
2020-12-30 11:25:54 +01:00
panel
drm/panel: simple: fix active size for Ampire AM-480272H3TMQW-T01H
2023-08-11 11:45:08 +02:00
pl111
drm/pl111: Initialize clock spinlock early
2019-06-15 11:54:00 +02:00
qxl
drm: qxl: ensure surf.data is ininitialized
2021-07-20 16:15:49 +02:00
r128
radeon
drm/radeon: Use RMW accessors for changing LNKCTL
2023-09-23 10:48:06 +02:00
rcar-du
drm: rcar-du: Fix build error
2020-06-30 23:17:17 -04:00
rockchip
drm/rockchip: Drop unbalanced obj unref
2023-05-17 11:13:08 +02:00
savage
scheduler
drm/scheduler: fix param documentation
2018-08-09 11:57:39 -05:00
selftests
shmobile
drm/shmob: Fix return value check in shmob_drm_probe
2020-01-27 14:50:12 +01:00
sis
sti
drm/sti: Fix return type of sti_{dvo,hda,hdmi}_connector_mode_valid()
2023-01-18 11:30:37 +01:00
stm
drm/stm: attach gem fence to atomic state
2019-10-07 18:56:31 +02:00
sun4i
drm/sun4i: dw-hdmi: fix error return code in sun8i_dw_hdmi_bind()
2020-11-24 13:27:22 +01:00
tdfx
tegra
drm/tegra: dpaux: Fix incorrect return value of platform_get_irq
2023-09-23 10:48:04 +02:00
tilcdc
tilcdc: tilcdc_external: fix an incorrect NULL check on list iterator
2022-07-29 17:10:35 +02:00
tinydrm
tinydrm/mipi-dbi: Use dma-safe buffers for all SPI transfers
2019-05-31 06:46:32 -07:00
ttm
drm/ttm: fix eviction valuable range check.
2020-11-05 11:08:54 +01:00
tve200
drm/tve200: Fix handling of platform_get_irq() error
2020-12-30 11:25:49 +01:00
udl
drm/udl: fix control-message timeout
2021-11-26 11:36:24 +01:00
v3d
drm/v3d: Handle errors from IRQ setup.
2019-05-31 06:46:34 -07:00
vc4
drm/vc4: dpi: Fix format mapping for RGB565
2023-03-11 16:31:39 +01:00
vgem
drm/vgem: add missing mutex_destroy
2023-05-17 11:13:08 +02:00
via
virtio
drm/virtio: Fix GEM handle creation UAF
2023-01-18 11:30:56 +01:00
vkms
drm/vkms: Hold gem object while still in-use
2020-06-22 09:05:08 +02:00
vmwgfx
drm/vmwgfx: Validate the box size for the snooped cursor
2023-01-18 11:30:45 +01:00
xen
drm/xen-front: Fix misused IS_ERR_OR_NULL checks
2020-12-30 11:25:43 +01:00
zte
drm/zte: Don't select DRM_KMS_FB_HELPER
2021-07-20 16:15:58 +02:00
ati_pcigart.c
drm_agpsupport.c
drm_atomic_helper.c
drm/atomic: put state on error path
2021-01-27 11:05:36 +01:00
drm_atomic.c
drm/atomic: Fix potential use-after-free in nonblocking commits
2023-08-11 11:45:24 +02:00
drm_auth.c
drm: Lock pointer access in drm_master_release()
2021-06-16 11:54:59 +02:00
drm_blend.c
drm_bridge.c
drm_bufs.c
drm: return -EFAULT if copy_to_user() fails
2019-07-14 08:11:14 +02:00
drm_cache.c
drm_client.c
drm/cma-helper: Fix crash in fbdev error path
2018-10-02 13:03:34 +02:00
drm_color_mgmt.c
drm_connector.c
drm/connector: send hotplug uevent on connector cleanup
2023-01-18 11:30:44 +01:00
drm_context.c
drm: Fix error handling in drm_legacy_addctx
2020-01-27 14:50:10 +01:00
drm_crtc_helper_internal.h
drm: remove drm_fb_helper_modinit
2022-07-02 16:27:38 +02:00
drm_crtc_helper.c
drm_crtc_internal.h
drm: drop _mode_ from remaining connector functions
2018-07-13 18:40:27 +02:00
drm_crtc.c
drm/lease: Make sure implicit planes are leased
2019-06-09 09:17:23 +02:00
drm_debugfs_crc.c
drm: remove the newline for CRC source name.
2020-02-24 08:34:45 +01:00
drm_debugfs.c
drm/debugfs: fix plain echo to connector "force" attribute
2020-08-19 08:14:52 +02:00
drm_dma.c
drm_dp_aux_dev.c
drm/dp_aux_dev: check aux_dev before use in drm_dp_aux_dev_get_by_minor()
2020-12-30 11:26:13 +01:00
drm_dp_cec.c
drm_dp_cec.c: fix formatting typo: %pdH -> %phD
2018-07-28 15:50:40 -03:00
drm_dp_dual_mode_helper.c
drm_dp_helper.c
drm/dp_helper: Add DP aux channel tracing
2018-07-16 11:47:53 -04:00
drm_dp_mst_topology.c
drm/dp/mst: fix a possible memory leak in fetch_monitor_name()
2022-05-25 09:10:38 +02:00
drm_drv.c
drm/drv: Hold ref on parent device during drm_device lifetime
2019-05-31 06:46:34 -07:00
drm_dumb_buffers.c
drm_edid_load.c
drm/edid: Fix a missing-check bug in drm_load_edid_firmware()
2019-07-31 07:26:58 +02:00
drm_edid.c
drm/edid: fix objtool warning in drm_cvt_modes()
2023-08-11 11:45:41 +02:00
drm_encoder_slave.c
drm: encoder_slave: fix refcouting error for modules
2020-06-25 15:33:06 +02:00
drm_encoder.c
drm_fb_cma_helper.c
drm/cma-helper: Fix crash in fbdev error path
2018-10-02 13:03:34 +02:00
drm_fb_helper.c
drm/client: Fix memory leak in drm_client_target_cloned
2023-08-11 11:45:36 +02:00
drm_file.c
drm: Wake up next in drm_read() chain if we are forced to putback the event
2019-05-31 06:46:34 -07:00
drm_flip_work.c
drm_fourcc.c
drm/fourcc: Add is_yuv field to drm_format_info to denote if the format is yuv
2018-07-18 16:56:45 +01:00
drm_framebuffer.c
drm: silence variable 'conn' set but not used
2019-08-16 10:12:46 +02:00
drm_gem_cma_helper.c
drm_gem_framebuffer_helper.c
drm_gem.c
drm: hold gem reference until object is no longer accessed
2020-08-05 10:06:01 +02:00
drm_global.c
drm_hashtab.c
drm_info.c
drm_internal.h
drm/lease: Send a distinct uevent
2018-12-13 09:16:21 +01:00
drm_ioc32.c
drm: Copy drm_wait_vblank to user before returning
2021-09-03 09:58:02 +02:00
drm_ioctl.c
drm: Prevent drm_copy_field() to attempt copying a NULL pointer
2022-10-26 13:19:38 +02:00
drm_irq.c
drm_kms_helper_common.c
drm: remove drm_fb_helper_modinit
2022-07-02 16:27:38 +02:00
drm_lease.c
drm/lease: fix WARNING in idr_destroy
2020-03-25 08:06:12 +01:00
drm_legacy.h
drm_lock.c
drm_memory.c
drm_mipi_dsi.c
drm/mipi-dsi: Fix byte order of 16-bit DCS set/get brightness
2023-03-11 16:31:40 +01:00
drm_mm.c
drm_mode_config.c
drm_mode_object.c
drm: Reorder set_property_atomic to avoid returning with an active ww_ctx
2019-03-27 14:14:42 +09:00
drm_modes.c
drm/modes: Prevent division by zero htotal
2019-02-15 08:10:12 +01:00
drm_modeset_helper.c
drm_modeset_lock.c
drm_of.c
drm/doc: Include drm_of.c helpers
2018-07-13 18:40:28 +02:00
drm_panel_orientation_quirks.c
drm: panel-orientation-quirks: Add quirk for Acer Switch V 10 (SW5-017)
2022-12-08 11:18:28 +01:00
drm_panel.c
Revert "drm/panel: Add device_link from panel device to DRM device"
2018-09-27 11:00:42 -04:00
drm_pci.c
drm: Remove PageReserved manipulation from drm_pci_alloc
2020-04-17 10:48:55 +02:00
drm_plane_helper.c
drm/plane-helper: fix uninitialized variable reference
2021-11-26 11:36:14 +01:00
drm_plane.c
drm/plane: Move range check for format_count earlier
2022-06-14 16:59:16 +02:00
drm_prime.c
drm_print.c
drm: Add puts callback for the coredump printer
2018-07-30 08:49:41 -04:00
drm_probe_helper.c
drm/probe-helper: Cancel previous job before starting new one
2023-05-17 11:13:08 +02:00
drm_property.c
drm: limit to INT_MAX in create_blob ioctl
2020-01-09 10:18:59 +01:00
drm_rect.c
drm/rect: Avoid division by zero
2020-02-11 04:34:07 -08:00
drm_scatter.c
drm_scdc_helper.c
drm_simple_kms_helper.c
drm: drop _mode_ from drm_mode_connector_attach_encoder
2018-07-13 18:40:27 +02:00
drm_syncobj.c
drm/syncobj: Don't leak fences when WAIT_FOR_SUBMIT is set
2018-09-26 10:39:14 -04:00
drm_sysfs.c
drm/lease: Send a distinct uevent
2018-12-13 09:16:21 +01:00
drm_trace_points.c
drm_trace.h
drm_vblank.c
drm/drm_vblank: Change EINVAL by the correct errno
2019-12-31 16:35:01 +01:00
drm_vm.c
drm_vma_manager.c
drm_writeback.c
drm: writeback: Fix doc that says connector should be disconnected
2018-07-16 16:35:27 +01:00
Kconfig
drm/radeon: fix AGP dependency
2021-03-30 14:36:58 +02:00
Makefile
drm: add support for DisplayPort CEC-Tunneling-over-AUX
2018-07-13 17:58:19 +03:00