| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250402083628.20111-1-angelogioacchino.delregno@collabora.com> Date: Wed, 2 Apr 2025 10:36:23 +0200 From: AngeloGioacchino Del Regno <angelogioacchino.delregno@...labora.com> To: chunkuang.hu@...nel.org Cc: p.zabel@...gutronix.de, airlied@...il.com, simona@...ll.ch, matthias.bgg@...il.com, angelogioacchino.delregno@...labora.com, nancy.lin@...iatek.com, ck.hu@...iatek.com, djkurtz@...omium.org, littlecvr@...omium.org, bibby.hsieh@...iatek.com, dri-devel@...ts.freedesktop.org, linux-mediatek@...ts.infradead.org, linux-kernel@...r.kernel.org, linux-arm-kernel@...ts.infradead.org, wenst@...omium.org, kernel@...labora.com Subject: [PATCH v1 0/5] drm/mediatek: Cleanups and sanitization During probe, the mediatek-drm drivers take a bunch of kobject references for the various component sub-drivers and for the mmsys/mutex handles. Unfortunately, the refcount is not correctly decremented in some cases, and not correctly incremented in some others, leading to refcount_t overflows *or* underflows depending on where the code fails during platform driver probe or during component bind. This means that if mediatek-drm or any component of it returns a probe deferral, and if this happens "too many times" (where too many equals to around 3-5 times, and that's happening especially when outer drivers are compiled as module while mediatek-drm is built-in), it creates a whole bunch of badnesses. This series sanitizes the freeing of the acquired kobjects in mediatek-drm - especially in the multi-mmsys (multi-vdo) case. While at it, this also moves the ISR enablement and disablement to the component bind/unbind callbacks respectively, while keeping the ISR installation to the probe function: this is done to avoid leaks and to avoid entering ISRs for OVL/RDMA after those are unbound (as that'd be dangerous, other than useless, because those could access memory that doesn't belong to those drivers anymore, as pointers may not have been set to NULL...!). As an example, this is the reason (if not one of the reasons) for a boot failure seen on the MT8195 Tomato Chromebook, pointed out by KernelCI. AngeloGioacchino Del Regno (5): drm/mediatek: mtk_drm_drv: Fix kobject put for mtk_mutex device ptr drm/mediatek: Fix kobject put for component sub-drivers drm/mediatek: mtk_drm_drv: Unbind secondary mmsys components on err drm/mediatek: mtk_disp_ovl: Enable/disable interrupt on bind/unbind drm/mediatek: mtk_disp_rdma: Enable/disable interrupt on bind/unbind drivers/gpu/drm/mediatek/mtk_disp_ovl.c | 19 +++++++++---- drivers/gpu/drm/mediatek/mtk_disp_rdma.c | 35 ++++++++++++++---------- drivers/gpu/drm/mediatek/mtk_drm_drv.c | 31 +++++++++++++++------ 3 files changed, 57 insertions(+), 28 deletions(-) -- 2.48.1
Powered by blists - more mailing lists