linux-stable/drivers
Daniel Vetter 328f520540 drm/atomic: Fix potential use-after-free in nonblocking commits
commit 4e076c73e4 upstream.

This requires a bit of background.  Properly done, a modeset driver's
unload/remove sequence should be

	drm_dev_unplug();
	drm_atomic_helper_shutdown();
	drm_dev_put();

The trouble is that the drm_dev_unplugged() checks are by design racy,
they do not synchronize against all outstanding ioctl.  This is because
those ioctl could block forever (both for modeset and for driver
specific ioctls), leading to deadlocks in hotunplug.  Instead the code
sections that touch the hardware need to be annotated with
drm_dev_enter/exit, to avoid accessing hardware resources after the
unload/remove has finished.

To avoid use-after-free issues all the involved userspace visible
objects are supposed to hold a reference on the underlying drm_device,
like drm_file does.

The issue now is that we missed one, the atomic modeset ioctl can be run
in a nonblocking fashion, and in that case it cannot rely on the implied
drm_device reference provided by the ioctl calling context.  This can
result in a use-after-free if a nonblocking atomic commit is carefully
raced against a driver unload.

Fix this by unconditionally grabbing a drm_device reference for any
drm_atomic_state structures.  Strictly speaking this isn't required for
blocking commits and TEST_ONLY calls, but it's the simpler approach.

Thanks to shanzhulig for the initial idea of grabbing an unconditional
reference, I just added comments, a condensed commit message and fixed a
minor potential issue in where exactly we drop the final reference.

Reported-by: shanzhulig <shanzhulig@gmail.com>
Suggested-by: shanzhulig <shanzhulig@gmail.com>
Reviewed-by: Maxime Ripard <mripard@kernel.org>
Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
Cc: Thomas Zimmermann <tzimmermann@suse.de>
Cc: David Airlie <airlied@gmail.com>
Cc: stable@kernel.org
Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2023-07-23 13:54:17 +02:00
accel accel/ivpu: Clear specific interrupt status bits on C0 2023-07-23 13:54:11 +02:00
accessibility
acpi APEI: GHES: correctly return NULL for ghes_get_devices() 2023-07-19 16:35:15 +02:00
amba
android
ata ata: libata-scsi: Avoid deadlock on rescan after device resume 2023-06-18 12:00:49 +09:00
atm
auxdisplay
base regmap-irq: Fix out-of-bounds access when allocating config buffers 2023-07-23 13:54:09 +02:00
bcma
block Revert "virtio-blk: support completion batching for the IRQ path" 2023-06-21 04:14:28 -04:00
bluetooth
bus bus: ixp4xx: fix IXP4XX_EXP_T1_MASK 2023-07-23 13:54:08 +02:00
cdrom
cdx cdx: fix driver managed dma support 2023-07-19 16:36:37 +02:00
char hwrng: imx-rngc - fix the timeout for init and self check 2023-07-23 13:53:58 +02:00
clk clk: qcom: mmcc-msm8974: fix MDSS_GDSC power flags 2023-07-19 16:36:38 +02:00
clocksource clocksource/drivers/cadence-ttc: Fix memory leak in ttc_timer_probe 2023-07-19 16:35:14 +02:00
comedi
connector
counter
cpufreq cpufreq: mediatek: correct voltages for MT7622 and MT7623 2023-07-19 16:36:38 +02:00
cpuidle
crypto crypto: qat - unmap buffers before free for RSA 2023-07-19 16:36:19 +02:00
cxl cxl/region: Fix state transitions after reset failure 2023-07-19 16:36:23 +02:00
dax dax/kmem: Pass valid argument to memory_group_register_static 2023-07-19 16:36:20 +02:00
dca
devfreq
dio
dma
dma-buf udmabuf: revert 'Add support for mapping hugepages (v4)' 2023-06-19 13:19:32 -07:00
edac
eisa
extcon extcon: Fix kernel doc of property capability fields to avoid warnings 2023-07-19 16:36:31 +02:00
firewire
firmware firmware: stratix10-svc: Fix a potential resource leak in svc_create_memory_pool() 2023-07-23 13:54:06 +02:00
fpga
fsi
gnss
gpio ARM/gpio: Push OMAP2 quirk down into TWL4030 driver 2023-07-19 16:35:48 +02:00
gpu drm/atomic: Fix potential use-after-free in nonblocking commits 2023-07-23 13:54:17 +02:00
greybus
hid HID: hyperv: avoid struct memcpy overrun warning 2023-07-23 13:53:43 +02:00
hsi
hte
hv x86/hyperv: Fix hyperv_pcpu_input_arg handling when CPUs go online/offline 2023-06-17 23:09:47 +00:00
hwmon hwmon: (pmbus/adm1275) Fix problems with temperature monitoring on ADM1272 2023-07-19 16:35:58 +02:00
hwspinlock
hwtracing hwtracing: hisi_ptt: Fix potential sleep in atomic context 2023-07-19 16:36:39 +02:00
i2c usb: typec: ucsi: Mark dGPUs as DEVICE scope 2023-07-19 16:36:55 +02:00
i3c i3c: master: svc: fix cpu schedule in spin lock 2023-07-19 16:36:33 +02:00
idle
iio meson saradc: fix clock divider mask length 2023-07-23 13:54:07 +02:00
infiniband RDMA/bnxt_re: Avoid calling wake_up threads from spin_lock context 2023-07-19 16:36:00 +02:00
input Input: ads7846 - fix pointer cast warning 2023-07-19 16:36:59 +02:00
interconnect interconnect: qcom: rpm: Don't use clk_get_optional for bus clocks anymore 2023-07-19 16:36:27 +02:00
iommu iommufd: Call iopt_area_contig_done() under the lock 2023-07-19 16:36:08 +02:00
ipack
irqchip irqchip/loongson-pch-pic: Fix initialization of HT vector register 2023-07-19 16:36:51 +02:00
isdn
leds leds: trigger: netdev: Recheck NETDEV_LED_MODE_LINKUP on dev rename 2023-07-19 16:36:58 +02:00
macintosh
mailbox mailbox: ti-msgmgr: Fill non-message tx data fields with 0x0 2023-07-19 16:36:45 +02:00
mcb
md dm: verity-loadpin: Add NULL pointer check for 'bdev' parameter 2023-07-23 13:54:08 +02:00
media media: cec: i2c: ch7322: also select REGMAP 2023-07-19 16:36:41 +02:00
memory memory: brcmstb_dpfe: fix testing array offset after use 2023-07-19 16:35:53 +02:00
memstick memstick r592: make memstick_debug_get_tpc_name() static 2023-07-19 16:35:28 +02:00
message
mfd mfd: pm8008: Fix module autoloading 2023-07-23 13:54:01 +02:00
misc misc: pci_endpoint_test: Re-init completion for every test 2023-07-23 13:54:01 +02:00
mmc mmc: sdhci: fix DMA configure compatibility issue when 64bit DMA mode is used. 2023-07-19 16:36:52 +02:00
most
mtd mtd: rawnand: meson: fix unaligned DMA buffers handling 2023-07-23 13:53:53 +02:00
mux
net net: dsa: ocelot: unlock on error in vsc9959_qos_port_tas_set() 2023-07-23 13:54:17 +02:00
nfc nfc: fdp: Add MODULE_FIRMWARE macros 2023-06-18 11:19:52 +01:00
ntb NTB: ntb_tool: Add check for devm_kcalloc 2023-07-23 13:53:43 +02:00
nubus nubus: Partially revert proc_create_single_data() conversion 2023-07-05 18:30:30 +01:00
nvdimm
nvme nvme: don't reject probe due to duplicate IDs for single-ported PCIe devices 2023-07-23 13:54:09 +02:00
nvmem nvmem: rmem: Use NVMEM_DEVID_AUTO 2023-07-19 16:36:37 +02:00
of
opp opp: Fix use-after-free in lazy_opp_tables after probe deferral 2023-07-23 13:54:07 +02:00
parisc
parport
pci PCI: rockchip: Set address alignment for endpoint mode 2023-07-23 13:54:00 +02:00
pcmcia
peci
perf perf: RISC-V: Remove PERF_HES_STOPPED flag checking in riscv_pmu_start() 2023-07-23 13:54:09 +02:00
phy media: tc358746: select CONFIG_GENERIC_PHY 2023-07-19 16:36:41 +02:00
pinctrl pinctrl: amd: Unify debounce handling into amd_pinconf_set() 2023-07-23 13:53:52 +02:00
platform platform/x86: wmi: Break possible infinite loop when parsing GUID 2023-07-23 13:53:44 +02:00
pnp
power power: supply: rt9467: Make charger-enable control as logic level 2023-07-19 16:36:33 +02:00
powercap powercap: RAPL: Fix CONFIG_IOSF_MBI dependency 2023-07-19 16:35:15 +02:00
pps
ps3
ptp
pwm pwm: meson: fix handling of period/duty if greater than UINT_MAX 2023-07-23 13:54:11 +02:00
rapidio
ras
regulator regulator: tps65219: Fix matching interrupts for their regulators 2023-07-19 16:36:58 +02:00
remoteproc
reset
rpmsg
rtc rtc: st-lpc: Release some resources in st_rtc_probe() in case of error 2023-07-19 16:36:40 +02:00
s390 s390/zcrypt: do not retry administrative requests 2023-07-23 13:53:59 +02:00
sbus
scsi scsi: qla2xxx: Fix end of loop test 2023-07-23 13:54:17 +02:00
sh
siox
slimbus
soc soc: qcom: mdt_loader: Fix unconditional call to scm_pas_mem_setup 2023-07-23 13:53:57 +02:00
soundwire soundwire: qcom: fix storing port config out-of-bounds 2023-07-23 13:54:08 +02:00
spi spi: bcm-qspi: return error if neither hif_mspi nor mspi is available 2023-07-19 16:36:44 +02:00
spmi
ssb
staging media: atomisp: ov2680: Stop using half pixelclock for binned modes 2023-07-19 16:36:34 +02:00
target
tc
tee
thermal thermal/drivers/qoriq: Only enable supported sensors 2023-07-19 16:35:16 +02:00
thunderbolt
tty Revert "8250: add support for ASIX devices with a FIFO bug" 2023-07-23 13:54:08 +02:00
ufs scsi: ufs: ufs-mediatek: Add dependency for RESET_CONTROLLER 2023-07-23 13:53:40 +02:00
uio
usb xhci: Show ZHAOXIN xHCI root hub speed correctly 2023-07-23 13:54:07 +02:00
vdpa vduse: fix NULL pointer dereference 2023-07-19 16:36:47 +02:00
vfio vfio/mdev: Move the compat_class initialization to module init 2023-07-19 16:36:18 +02:00
vhost
video fbdev: omapfb: lcd_mipid: Fix an error handling path in mipid_spi_probe() 2023-07-19 16:35:55 +02:00
virt virt: sevguest: Add CONFIG_CRYPTO dependency 2023-07-19 16:35:08 +02:00
virtio virtio-vdpa: Fix unchecked call to NULL set_vq_affinity 2023-07-19 16:36:41 +02:00
vlynq
w1 w1: fix loop in w1_fini() 2023-07-19 16:36:25 +02:00
watchdog
xen xen/virtio: Fix NULL deref when a bridge of PCI root bus has no parent 2023-07-23 13:53:36 +02:00
zorro
Kconfig
Makefile