iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/include/drm
History
Desmond Cheong Zhi Xi 34609faad0 drm: protect drm_master pointers in drm_lease.c 
[ Upstream commit 56f0729a510f92151682ff6c89f69724d5595d6e ]

drm_file->master pointers should be protected by
drm_device.master_mutex or drm_file.master_lookup_lock when being
dereferenced.

However, in drm_lease.c, there are multiple instances where
drm_file->master is accessed and dereferenced while neither lock is
held. This makes drm_lease.c vulnerable to use-after-free bugs.

We address this issue in 2 ways:

1. Add a new drm_file_get_master() function that calls drm_master_get
on drm_file->master while holding on to
drm_file.master_lookup_lock. Since drm_master_get increments the
reference count of master, this prevents master from being freed until
we unreference it with drm_master_put.

2. In each case where drm_file->master is directly accessed and
eventually dereferenced in drm_lease.c, we wrap the access in a call
to the new drm_file_get_master function, then unreference the master
pointer once we are done using it.

Reported-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
Reviewed-by: Emil Velikov <emil.l.velikov@gmail.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: https://patchwork.freedesktop.org/patch/msgid/20210712043508.11584-6-desmondcheongzx@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
2021-09-18 13:40:19 +02:00
..
bridge
drm/bridge: dw-mipi-dsi: permit configuring the escape clock rate
2020-09-11 15:01:36 +02:00
i2c
ttm
drm/ttm: drop evicted from ttm_bo.
2020-09-18 06:23:38 +10:00
amd_asic_type.h
drm/amdgpu: add navy_flounder asic type
2020-07-15 12:45:39 -04:00
drm_agpsupport.h
drm/agp: Remove unused function drm_agp_bind_pages
2019-07-15 18:11:30 +02:00
drm_atomic_helper.h
drm/atomic-helper: Extract drm_atomic_helper_calc_timestamping_constants()
2020-09-14 22:36:44 +03:00
drm_atomic_state_helper.h
drm/bridge: Add a drm_bridge_state object
2020-01-31 16:00:21 +01:00
drm_atomic_uapi.h
drm_atomic.h
drm: drm_atomic.h: delete duplicated word in comment
2020-07-15 14:02:29 +02:00
drm_audio_component.h
ALSA: hda/i915 - fix list corruption with concurrent probes
2020-10-09 16:46:04 +02:00
drm_auth.h
drm: protect drm_master pointers in drm_lease.c
2021-09-18 13:40:19 +02:00
drm_blend.h
drm_bridge_connector.h
drm: Add helper to create a connector for a chain of bridges
2020-02-26 13:31:41 +02:00
drm_bridge.h
drm: drm_bridge.h: delete duplicated word in comment
2020-07-15 14:02:34 +02:00
drm_cache.h
MIPS: Loongson64: Rename CPU TYPES
2019-10-31 15:03:10 -07:00
drm_client.h
drm/client: Add drm_client_modeset_check()
2020-05-26 13:32:03 +02:00
drm_color_mgmt.h
drm: Inline drm_color_lut_extract()
2019-11-29 21:29:17 +02:00
drm_connector.h
drm: report dp downstream port type as a subconnector property
2020-08-11 14:06:04 +02:00
drm_crtc_helper.h
drm: Split out drm_probe_helper.h
2019-01-24 13:20:42 +01:00
drm_crtc.h
drm: Add get_vblank_timestamp() to struct drm_crtc_funcs
2020-02-13 13:08:13 +01:00
drm_damage_helper.h
drm/damage-helper: Add drm_atomic_helper_damage_merged()
2019-01-17 10:56:54 +01:00
drm_debugfs_crc.h
drm_debugfs.h
drm/debugfs: remove checks for return value of drm_debugfs functions.
2020-03-18 17:32:20 +01:00
drm_device.h
drm/managed: Cleanup of unused functions and polishing docs
2020-09-03 16:25:06 +02:00
drm_displayid.h
drm/edid: Replace zero-length array with flexible-array
2020-06-15 23:08:31 -05:00
drm_dp_dual_mode_helper.h
drm_dp_helper.h
drm: kernel-doc: drm_dp_helper.h: fix a typo
2020-10-27 11:21:27 +01:00
drm_dp_mst_helper.h
drm/dp/mst: Export drm_dp_get_vc_payload_bw()
2021-02-10 09:29:18 +01:00
drm_drv.h
drm/dev: Remove drm_dev_init
2020-09-21 10:45:08 +02:00
drm_dsc.h
drm: drm_dsc.h: fix a kernel-doc markup
2020-09-30 16:40:44 +02:00
drm_edid.h
drm: drm_edid: remove a duplicated kernel-doc declaration
2020-10-27 11:20:55 +01:00
drm_encoder_slave.h
drm: remove include of drmP.h from drm_encoder_slave.h
2019-01-09 22:35:35 +01:00
drm_encoder.h
drm: Validate encoder->possible_crtcs
2020-03-18 18:38:27 +02:00
drm_fb_cma_helper.h
drm/fb-cma-helpers: Fix include issue
2020-01-09 17:33:41 +01:00
drm_fb_helper.h
drm: Don't return 0 from a void drm_fbdev_generic_setup
2020-04-08 22:42:39 +01:00
drm_file.h
drm: protect drm_master pointers in drm_lease.c
2021-09-18 13:40:19 +02:00
drm_fixed.h
drm_flip_work.h
drm_format_helper.h
drm/format-helper: Add drm_fb_swab()
2020-05-26 13:33:08 +02:00
drm_fourcc.h
drm/fb: Extend format_info member arrays to handle four planes
2020-01-07 13:16:08 +02:00
drm_framebuffer.h
drm/core: Calculate bpp in afbc helper
2020-04-01 14:11:22 +02:00
drm_gem_cma_helper.h
drm/cma-helper: Add DRM_GEM_CMA_DRIVER_OPS to set default GEM CMA functions
2020-06-10 09:01:49 +02:00
drm_gem_framebuffer_helper.h
drm/core: Add drm_afbc_framebuffer and a corresponding helper
2020-03-18 11:22:05 +01:00
drm_gem_shmem_helper.h
drm/shmem-helper: Add .gem_create_object helper that sets map_cached flag
2020-06-10 10:16:43 +02:00
drm_gem_ttm_helper.h
drm/ttm: add drm_gem_ttm_mmap()
2019-10-17 13:59:16 +02:00
drm_gem_vram_helper.h
drm/vboxvideo: Use drm_gem_vram_vmap() interfaces
2020-09-14 09:12:24 +02:00
drm_gem.h
drm: drm_gem.h: delete duplicated words in comments
2020-07-15 14:02:42 +02:00
drm_hashtab.h
drm_hdcp.h
drm/i915: Fix sha_text population code
2020-09-02 10:48:11 +03:00
drm_ioctl.h
drm: Return -ENOTTY for non-drm ioctls
2021-07-28 14:35:47 +02:00
drm_irq.h
drm_lease.h
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157
2019-05-30 11:26:37 -07:00
drm_legacy.h
drm-misc-next for 5.8:
2020-04-22 10:41:35 +10:00
drm_managed.h
drm: Add docs for managed resources
2020-03-26 16:09:48 +01:00
drm_mipi_dbi.h
drm/mipi-dbi: Remove ->enabled
2020-06-24 09:17:34 +02:00
drm_mipi_dsi.h
drm/dsi: add helpers for DSI compression mode and PPS packets
2019-11-07 15:00:16 +02:00
drm_mm.h
drm: fix spelling error in comments
2020-09-17 13:39:44 +02:00
drm_mode_config.h
Merge drm/drm-next into drm-misc-next
2020-08-12 20:42:08 +02:00
drm_mode_object.h
drm_modes.h
drm: Replace mode->export_head with a boolean
2020-09-01 13:38:34 +03:00
drm_modeset_helper_vtables.h
drm/probe_helper: Add drm_connector_helper_funcs.mode_valid_ctx
2020-07-13 13:29:20 -04:00
drm_modeset_helper.h
drm: remove drmP.h from drm_modeset_helper.h
2019-02-07 21:48:34 +01:00
drm_modeset_lock.h
drm/modeset-lock: Take the modeset BKL for legacy drivers
2020-08-17 13:41:50 -04:00
drm_of.h
drm: of: Fix linking when CONFIG_OF is not set
2020-01-09 10:40:58 +10:00
drm_panel.h
drm/panel: Add helper for reading DT rotation
2020-08-16 17:12:18 +02:00
drm_pciids.h
drm_plane_helper.h
drm_plane.h
drm/plane: Clarify our expectations for src/dst rectangles
2019-10-10 15:49:34 +02:00
drm_prime.h
drm-misc-next for 5.10:
2020-09-23 09:52:24 +10:00
drm_print.h
drm: drm_print.h: fix kernel-doc markups
2020-10-27 11:21:39 +01:00
drm_probe_helper.h
drm: Split out drm_probe_helper.h
2019-01-24 13:20:42 +01:00
drm_property.h
drm_rect.h
drm: drm_rect.h: delete duplicated word in comment
2020-07-15 14:03:02 +02:00
drm_scdc_helper.h
drm/scdc: Fix typo in bit definition of SCDC_STATUS_FLAGS
2019-11-04 17:58:46 +01:00
drm_self_refresh_helper.h
drm/atomic: fix self-refresh helpers crtc state dereference
2019-11-06 13:00:21 -05:00
drm_simple_kms_helper.h
drm/simple-kms: Add drm_simple_encoder_{init,create}()
2020-03-02 09:22:35 +01:00
drm_syncobj.h
drm/syncobj: add new drm_syncobj_add_point interface v4
2019-04-01 12:05:53 +02:00
drm_sysfs.h
drm: uevent for connector status change
2019-08-06 13:16:54 +05:30
drm_util.h
drm: Move EXPORT_SYMBOL_FOR_TESTS_ONLY under a separate Kconfig
2019-11-07 21:22:15 +00:00
drm_utils.h
drm: export drm_timeout_abs_to_jiffies
2019-03-07 12:00:30 -06:00
drm_vblank_work.h
drm/vblank: Add vblank works
2020-07-16 18:16:31 -04:00
drm_vblank.h
drm/vblank: Add vblank works
2020-07-16 18:16:31 -04:00
drm_vma_manager.h
drm: increase drm mmap_range size to 1TB
2019-04-24 16:20:23 -05:00
drm_writeback.h
drm/writeback: wire drm_writeback.h to kernel-doc
2020-04-07 17:39:46 +02:00
gma_drm.h
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 335
2019-06-05 17:37:06 +02:00
gpu_scheduler.h
Merge tag 'amd-drm-next-5.10-2020-09-03' of git://people.freedesktop.org/~agd5f/linux into drm-next
2020-09-08 16:40:13 +10:00
i915_component.h
drm/i915/tgl: Add additional ports for Tiger Lake
2019-07-11 16:31:14 -07:00
i915_drm.h
drm: Move port definition back to i915 header
2019-08-30 14:08:26 +05:30
i915_mei_hdcp_interface.h
drm/i915: significantly reduce the use of <drm/i915_drm.h>
2020-02-27 08:35:09 +02:00
i915_pciids.h
drm/i915: break TGL pci-ids in GT 1 & 2
2020-08-31 17:58:26 +03:00
intel_lpe_audio.h
intel-gtt.h
iommu/vt-d: Move intel_iommu_gfx_mapped to Intel IOMMU header
2020-09-04 12:12:45 +02:00
spsc_queue.h
task_barrier.h
drm: Add Reusable task barrier.
2019-12-18 16:09:12 -05:00