linux-stable/include/drm
Desmond Cheong Zhi Xi 56f0729a51 drm: protect drm_master pointers in drm_lease.c
drm_file->master pointers should be protected by
drm_device.master_mutex or drm_file.master_lookup_lock when being
dereferenced.

However, in drm_lease.c, there are multiple instances where
drm_file->master is accessed and dereferenced while neither lock is
held. This makes drm_lease.c vulnerable to use-after-free bugs.

We address this issue in 2 ways:

1. Add a new drm_file_get_master() function that calls drm_master_get
on drm_file->master while holding on to
drm_file.master_lookup_lock. Since drm_master_get increments the
reference count of master, this prevents master from being freed until
we unreference it with drm_master_put.

2. In each case where drm_file->master is directly accessed and
eventually dereferenced in drm_lease.c, we wrap the access in a call
to the new drm_file_get_master function, then unreference the master
pointer once we are done using it.

Reported-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
Reviewed-by: Emil Velikov <emil.l.velikov@gmail.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: https://patchwork.freedesktop.org/patch/msgid/20210712043508.11584-6-desmondcheongzx@gmail.com
2021-07-20 20:22:19 +02:00
bridge drm/bridge/synopsys: dw-hdmi: Add an option to suppress loading CEC driver 2021-04-20 17:22:38 +02:00
i2c
ttm drm/ttm: add TTM_PL_FLAG_TEMPORARY flag v3 2021-06-23 14:59:39 -04:00
amd_asic_type.h drm/amdgpu: add yellow carp asic_type enum 2021-06-04 16:03:05 -04:00
drm_aperture.h drm/aperture: Pass DRM driver structure instead of driver name 2021-07-01 11:11:55 +02:00
drm_atomic.h drm: fix doc warnings in drm_atomic.h 2021-06-04 12:40:01 -04:00
drm_atomic_helper.h drm: automatic legacy gamma support 2020-12-15 15:46:03 +02:00
drm_atomic_state_helper.h drm/bridge: Add a drm_bridge_state object 2020-01-31 16:00:21 +01:00
drm_atomic_uapi.h
drm_audio_component.h ALSA: hda/i915 - fix list corruption with concurrent probes 2020-10-09 16:46:04 +02:00
drm_auth.h drm: protect drm_master pointers in drm_lease.c 2021-07-20 20:22:19 +02:00
drm_blend.h
drm_bridge.h drm: bridge: Mark deprecated operations in drm_bridge_funcs 2021-07-12 21:44:19 +02:00
drm_bridge_connector.h drm: Add helper to create a connector for a chain of bridges 2020-02-26 13:31:41 +02:00
drm_cache.h drm: Add a prefetching memcpy_from_wc 2021-06-07 16:07:08 +02:00
drm_client.h drm/gem: Store client buffer mappings as struct dma_buf_map 2020-11-09 09:19:45 +01:00
drm_color_mgmt.h drm: Inline drm_color_lut_extract() 2019-11-29 21:29:17 +02:00
drm_connector.h drm: Mention the power state requirement on side-channel operations 2021-06-23 14:32:27 +02:00
drm_crtc.h drm: drm_crc: fix a kernel-doc markup 2021-01-14 15:11:46 +01:00
drm_crtc_helper.h
drm_damage_helper.h
drm_debugfs.h drm/debugfs: remove checks for return value of drm_debugfs functions. 2020-03-18 17:32:20 +01:00
drm_debugfs_crc.h
drm_device.h drm: Mark AGP implementation and ioctls as legacy 2021-05-10 15:46:58 +02:00
drm_displayid.h drm/displayid: rename displayid_hdr to displayid_header 2021-03-31 15:42:39 +03:00
drm_dp_aux_bus.h drm: Introduce the DP AUX bus 2021-06-11 12:30:39 -07:00
drm_dp_dual_mode_helper.h drm/dp_dual_mode: Pass drm_device to drm_lspcon_(get|set)_mode() 2021-04-27 18:43:44 -04:00
drm_dp_helper.h drm/dp: Move panel DP AUX backlight support to drm_dp_helper 2021-07-13 06:38:37 -07:00
drm_dp_mst_helper.h drm/dp_mst: Use kHz as link rate units when settig source max link caps at init 2021-05-27 15:30:59 -04:00
drm_drv.h drm: Fix 3 typos in the inline doc 2021-03-26 11:46:33 +01:00
drm_dsc.h - Display hotplug fix for gen2/gen3 (Chris) 2021-01-07 12:20:29 +01:00
drm_edid.h drm/displayid: add separate drm_displayid.c 2021-03-31 15:41:35 +03:00
drm_encoder.h drm/encoder: Add macro drmm_plain_encoder_alloc() 2021-03-29 16:46:43 +01:00
drm_encoder_slave.h
drm_fb_cma_helper.h drm: Add and export function drm_fb_cma_sync_non_coherent 2021-05-25 11:42:09 +01:00
drm_fb_helper.h drm/aperture: Inline fbdev conflict helpers into aperture helpers 2021-04-14 09:00:04 +02:00
drm_file.h drm: protect drm_master pointers in drm_lease.c 2021-07-20 20:22:19 +02:00
drm_fixed.h
drm_flip_work.h
drm_format_helper.h drm/format-helper: Add blitter functions 2021-05-01 12:45:03 +02:00
drm_fourcc.h drm/fourcc: Remove struct drm_format_buf_name 2021-05-27 08:34:57 +02:00
drm_framebuffer.h drm/core: Calculate bpp in afbc helper 2020-04-01 14:11:22 +02:00
drm_gem.h drm: Don't export the drm_gem_dumb_destroy() function 2021-01-05 07:20:25 +02:00
drm_gem_atomic_helper.h drm/gem: Export implementation of shadow-plane helpers 2021-07-13 13:30:58 +02:00
drm_gem_cma_helper.h drm: Add support for GEM buffers backed by non-coherent memory 2021-05-25 11:41:07 +01:00
drm_gem_framebuffer_helper.h drm/gem: Move drm_gem_fb_prepare_fb() to GEM atomic helpers 2021-02-23 08:54:22 +01:00
drm_gem_shmem_helper.h drm/shmem-helper: Removed drm_gem_shmem_create_object_cached() 2020-11-24 09:10:33 +01:00
drm_gem_ttm_helper.h drm/gem-ttm-helper: Provide helper for struct drm_driver.dumb_map_offset 2021-04-11 20:14:45 +02:00
drm_gem_vram_helper.h drm/vram-helper: Unexport drm_vram_helper_{alloc,release}_mm() 2021-07-05 08:55:11 +02:00
drm_hashtab.h
drm_hdcp.h drm/hdcp: DP HDCP2.2 errata LC_Send_L_Prime=16 2021-03-31 14:27:43 +03:00
drm_ioctl.h
drm_irq.h drm/irq: Add the new api to install irq 2020-12-03 03:57:15 -05:00
drm_lease.h
drm_legacy.h drm: Mark AGP implementation and ioctls as legacy 2021-05-10 15:46:58 +02:00
drm_managed.h drm: Remove drmm_add_final_kfree() declaration from public headers 2020-12-05 20:01:12 +01:00
drm_mipi_dbi.h drm/dbi: Print errors for mipi_dbi_command() 2021-07-05 00:22:51 +02:00
drm_mipi_dsi.h drm: Mention the power state requirement on side-channel operations 2021-06-23 14:32:27 +02:00
drm_mm.h drm: fix spelling error in comments 2020-09-17 13:39:44 +02:00
drm_mode_config.h drm/modifiers: Enforce consistency between the cap an IN_FORMATS 2021-05-12 11:31:29 +02:00
drm_mode_object.h
drm_modes.h drm/modes: add non-OF stub for of_get_drm_display_mode 2021-01-08 19:42:14 +01:00
drm_modeset_helper.h
drm_modeset_helper_vtables.h drm/atomic-helper: make drm_gem_plane_helper_prepare_fb the default 2021-06-24 15:35:13 +02:00
drm_modeset_lock.h drm/modeset-lock: Take the modeset BKL for legacy drivers 2020-08-17 13:41:50 -04:00
drm_of.h drm: of: Fix linking when CONFIG_OF is not set 2020-01-09 10:40:58 +10:00
drm_panel.h drm/dp: Move panel DP AUX backlight support to drm_dp_helper 2021-07-13 06:38:37 -07:00
drm_pciids.h
drm_plane.h drm/gem: Move drm_gem_fb_prepare_fb() to GEM atomic helpers 2021-02-23 08:54:22 +01:00
drm_plane_helper.h
drm_prime.h drm/prime: split array import functions v4 2020-11-30 15:00:45 +01:00
drm_print.h drm/print: fixup spelling in a comment 2021-07-20 15:08:18 +02:00
drm_probe_helper.h
drm_property.h drm: Fix macro name DRM_MODE_PROP_OBJECT in code comment 2021-01-12 09:56:48 +01:00
drm_rect.h drm: Add function to convert rect in 16.16 fixed format to regular format 2021-01-05 05:32:52 -08:00
drm_scdc_helper.h drm/scdc: Fix typo in bit definition of SCDC_STATUS_FLAGS 2019-11-04 17:58:46 +01:00
drm_self_refresh_helper.h drm/atomic: fix self-refresh helpers crtc state dereference 2019-11-06 13:00:21 -05:00
drm_simple_kms_helper.h drm/simple-helper: drm_gem_simple_display_pipe_prepare_fb as default 2021-06-24 15:39:46 +02:00
drm_syncobj.h
drm_sysfs.h
drm_util.h drm: Move EXPORT_SYMBOL_FOR_TESTS_ONLY under a separate Kconfig 2019-11-07 21:22:15 +00:00
drm_utils.h
drm_vblank.h drm/vblank: Document drm_crtc_vblank_restore constraints 2021-02-10 12:38:55 +01:00
drm_vblank_work.h drm/vblank: Add vblank works 2020-07-16 18:16:31 -04:00
drm_vma_manager.h drm/vma: Add a driver_private member to vma_node. 2021-06-11 10:53:18 +02:00
drm_writeback.h drm/writeback: wire drm_writeback.h to kernel-doc 2020-04-07 17:39:46 +02:00
gma_drm.h
gpu_scheduler.h drm/sched: Allow using a dedicated workqueue for the timeout/fault tdr 2021-07-01 08:53:25 +02:00
gud.h drm: Add GUD USB Display driver 2021-03-16 13:12:46 +01:00
i915_component.h
i915_drm.h
i915_mei_hdcp_interface.h drm/i915: significantly reduce the use of <drm/i915_drm.h> 2020-02-27 08:35:09 +02:00
i915_pciids.h drm/i915/adl_p: Add PCI Devices IDs 2021-05-07 10:51:38 +03:00
intel-gtt.h iommu/vt-d: Move intel_iommu_gfx_mapped to Intel IOMMU header 2020-09-04 12:12:45 +02:00
intel_lpe_audio.h
spsc_queue.h
task_barrier.h drm: Add Reusable task barrier. 2019-12-18 16:09:12 -05:00