| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 13 Jul 2023 09:32:14 +0900
From: ´ëÀαâ/Tizen Platform Lab(SR)/»ï¼ºÀüÀÚ
<inki.dae@...sung.com>
To: "'Tuo Li'" <islituo@...il.com>, <sw0312.kim@...sung.com>,
<kyungmin.park@...sung.com>, <airlied@...il.com>,
<daniel@...ll.ch>, <krzysztof.kozlowski@...aro.org>,
<alim.akhtar@...sung.com>
Cc: <dri-devel@...ts.freedesktop.org>,
<linux-arm-kernel@...ts.infradead.org>,
<linux-samsung-soc@...r.kernel.org>,
<linux-kernel@...r.kernel.org>, <baijiaju1990@...look.com>,
"'BassCheck'" <bass@...a.edu.cn>
Subject: RE: [PATCH] drm/exynos: fix a possible null-pointer dereference due
to data race in exynos_drm_crtc_atomic_disable()
> -----Original Message-----
> From: Tuo Li <islituo@...il.com>
> Sent: Friday, June 30, 2023 11:19 AM
> To: inki.dae@...sung.com; sw0312.kim@...sung.com;
> kyungmin.park@...sung.com; airlied@...il.com; daniel@...ll.ch;
> krzysztof.kozlowski@...aro.org; alim.akhtar@...sung.com
> Cc: dri-devel@...ts.freedesktop.org; linux-arm-kernel@...ts.infradead.org;
> linux-samsung-soc@...r.kernel.org; linux-kernel@...r.kernel.org;
> baijiaju1990@...look.com; Tuo Li <islituo@...il.com>; BassCheck
> <bass@...a.edu.cn>
> Subject: [PATCH] drm/exynos: fix a possible null-pointer dereference due
> to data race in exynos_drm_crtc_atomic_disable()
>
> The variable crtc->state->event is often protected by the lock
> crtc->dev->event_lock when is accessed. However, it is accessed as a
> condition of an if statement in exynos_drm_crtc_atomic_disable() without
> holding the lock:
>
> if (crtc->state->event && !crtc->state->active)
>
> However, if crtc->state->event is changed to NULL by another thread right
> after the conditions of the if statement is checked to be true, a
> null-pointer dereference can occur in drm_crtc_send_vblank_event():
>
> e->pipe = pipe;
>
> To fix this possible null-pointer dereference caused by data race, the
> spin lock coverage is extended to protect the if statement as well as the
> function call to drm_crtc_send_vblank_event().
>
> Reported-by: BassCheck <bass@...a.edu.cn>
> Signed-off-by: Tuo Li <islituo@...il.com>
Applied.
Thanks,
Inki Dae
> ---
> drivers/gpu/drm/exynos/exynos_drm_crtc.c | 5 ++---
> 1 file changed, 2 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/gpu/drm/exynos/exynos_drm_crtc.c
> b/drivers/gpu/drm/exynos/exynos_drm_crtc.c
> index 4153f302de7c..d19e796c2061 100644
> --- a/drivers/gpu/drm/exynos/exynos_drm_crtc.c
> +++ b/drivers/gpu/drm/exynos/exynos_drm_crtc.c
> @@ -39,13 +39,12 @@ static void exynos_drm_crtc_atomic_disable(struct
> drm_crtc *crtc,
> if (exynos_crtc->ops->atomic_disable)
> exynos_crtc->ops->atomic_disable(exynos_crtc);
>
> + spin_lock_irq(&crtc->dev->event_lock);
> if (crtc->state->event && !crtc->state->active) {
> - spin_lock_irq(&crtc->dev->event_lock);
> drm_crtc_send_vblank_event(crtc, crtc->state->event);
> - spin_unlock_irq(&crtc->dev->event_lock);
> -
> crtc->state->event = NULL;
> }
> + spin_unlock_irq(&crtc->dev->event_lock);
> }
>
> static int exynos_crtc_atomic_check(struct drm_crtc *crtc,
> --
> 2.34.1
Powered by blists - more mailing lists