- 26 Jul, 2021 4 commits
-
-
Zheyu Ma authored
The userspace program could pass any values to the driver through ioctl() interface. If the driver doesn't check the value of 'pixclock', it may cause divide error. Fix this by checking whether 'pixclock' is zero first. The following log reveals it: [ 33.396850] divide error: 0000 [#1] PREEMPT SMP KASAN PTI [ 33.396864] CPU: 5 PID: 11754 Comm: i740 Not tainted 5.14.0-rc2-00513-gac532c9bbcfb-dirty #222 [ 33.396883] RIP: 0010:riva_load_video_mode+0x417/0xf70 [ 33.396969] Call Trace: [ 33.396973] ? debug_smp_processor_id+0x1c/0x20 [ 33.396984] ? tick_nohz_tick_stopped+0x1a/0x90 [ 33.396996] ? rivafb_copyarea+0x3c0/0x3c0 [ 33.397003] ? wake_up_klogd.part.0+0x99/0xd0 [ 33.397014] ? vprintk_emit+0x110/0x4b0 [ 33.397024] ? vprintk_default+0x26/0x30 [ 33.397033] ? vprintk+0x9c/0x1f0 [ 33.397041] ? printk+0xba/0xed [ 33.397054] ? record_print_text.cold+0x16/0x16 [ 33.397063] ? __kasan_check_read+0x11/0x20 [ 33.397074] ? profile_tick+0xc0/0x100 [ 33.397084] ? __sanitizer_cov_trace_const_cmp4+0x24/0x80 [ 33.397094] ? riva_set_rop_solid+0x2a0/0x2a0 [ 33.397102] rivafb_set_par+0xbe/0x610 [ 33.397111] ? riva_set_rop_solid+0x2a0/0x2a0 [ 33.397119] fb_set_var+0x5bf/0xeb0 [ 33.397127] ? fb_blank+0x1a0/0x1a0 [ 33.397134] ? lock_acquire+0x1ef/0x530 [ 33.397143] ? lock_release+0x810/0x810 [ 33.397151] ? lock_is_held_type+0x100/0x140 [ 33.397159] ? ___might_sleep+0x1ee/0x2d0 [ 33.397170] ? __mutex_lock+0x620/0x1190 [ 33.397180] ? trace_hardirqs_on+0x6a/0x1c0 [ 33.397190] do_fb_ioctl+0x31e/0x700 Signed-off-by:
Zheyu Ma <zheyuma97@gmail.com> Signed-off-by:
Sam Ravnborg <sam@ravnborg.org> Link: https://patchwork.freedesktop.org/patch/msgid/1627293835-17441-4-git-send-email-zheyuma97@gmail.com
-
Zheyu Ma authored
The userspace program could pass any values to the driver through ioctl() interface. if the driver doesn't check the value of 'pixclock', it may cause divide error because the value of 'lineclock' and 'frameclock' will be zero. Fix this by checking whether 'pixclock' is zero in kyrofb_check_var(). The following log reveals it: [ 103.073930] divide error: 0000 [#1] PREEMPT SMP KASAN PTI [ 103.073942] CPU: 4 PID: 12483 Comm: syz-executor Not tainted 5.14.0-rc2-00478-g2734d6c1-dirty #118 [ 103.073959] RIP: 0010:kyrofb_set_par+0x316/0xc80 [ 103.074045] Call Trace: [ 103.074048] ? ___might_sleep+0x1ee/0x2d0 [ 103.074060] ? kyrofb_ioctl+0x330/0x330 [ 103.074069] fb_set_var+0x5bf/0xeb0 [ 103.074078] ? fb_blank+0x1a0/0x1a0 [ 103.074085] ? lock_acquire+0x3bd/0x530 [ 103.074094] ? lock_release+0x810/0x810 [ 103.074103] ? ___might_sleep+0x1ee/0x2d0 [ 103.074114] ? __mutex_lock+0x620/0x1190 [ 103.074126] ? trace_hardirqs_on+0x6a/0x1c0 [ 103.074137] do_fb_ioctl+0x31e/0x700 [ 103.074144] ? fb_getput_cmap+0x280/0x280 [ 103.074152] ? rcu_read_lock_sched_held+0x11/0x80 [ 103.074162] ? rcu_read_lock_sched_held+0x11/0x80 [ 103.074171] ? __sanitizer_cov_trace_switch+0x67/0xf0 [ 103.074181] ? __sanitizer_cov_trace_const_cmp2+0x20/0x80 [ 103.074191] ? do_vfs_ioctl+0x14b/0x16c0 [ 103.074199] ? vfs_fileattr_set+0xb60/0xb60 [ 103.074207] ? rcu_read_lock_sched_held+0x11/0x80 [ 103.074216] ? lock_release+0x483/0x810 [ 103.074224] ? __fget_files+0x217/0x3d0 [ 103.074234] ? __fget_files+0x239/0x3d0 [ 103.074243] ? do_fb_ioctl+0x700/0x700 [ 103.074250] fb_ioctl+0xe6/0x130 Signed-off-by:
-
Zheyu Ma authored
The userspace program could pass any values to the driver through ioctl() interface. If the driver doesn't check the value of 'pixclock', it may cause divide error. Fix this by checking whether 'pixclock' is zero first. The following log reveals it: [ 43.861711] divide error: 0000 [#1] PREEMPT SMP KASAN PTI [ 43.861737] CPU: 2 PID: 11764 Comm: i740 Not tainted 5.14.0-rc2-00513-gac532c9bbcfb-dirty #224 [ 43.861756] RIP: 0010:asiliantfb_check_var+0x4e/0x730 [ 43.861843] Call Trace: [ 43.861848] ? asiliantfb_remove+0x190/0x190 [ 43.861858] fb_set_var+0x2e4/0xeb0 [ 43.861866] ? fb_blank+0x1a0/0x1a0 [ 43.861873] ? lock_acquire+0x1ef/0x530 [ 43.861884] ? lock_release+0x810/0x810 [ 43.861892] ? lock_is_held_type+0x100/0x140 [ 43.861903] ? ___might_sleep+0x1ee/0x2d0 [ 43.861914] ? __mutex_lock+0x620/0x1190 [ 43.861921] ? do_fb_ioctl+0x313/0x700 [ 43.861929] ? mutex_lock_io_nested+0xfa0/0xfa0 [ 43.861936] ? __this_cpu_preempt_check+0x1d/0x30 [ 43.861944] ? _raw_spin_unlock_irqrestore+0x46/0x60 [ 43.861952] ? lockdep_hardirqs_on+0x59/0x100 [ 43.861959] ? _raw_spin_unlock_irqrestore+0x46/0x60 [ 43.861967] ? trace_hardirqs_on+0x6a/0x1c0 [ 43.861978] do_fb_ioctl+0x31e/0x700 Signed-off-by:
-
Simon Ser authored
When a property has the type DRM_MODE_PROP_BITMASK, the value field stores a bitshift, not a bitmask, which can be surprising. Signed-off-by:
Simon Ser <contact@emersion.fr> Cc: Leandro Ribeiro <leandro.ribeiro@collabora.com> Reviewed-by:
Daniel Vetter <daniel.vetter@ffwll.ch> Acked-by:
Pekka Paalanen <pekka.paalanen@collabora.com> Link: https://patchwork.freedesktop.org/patch/msgid/NUZTPTKKZtAlDhxIXFB1qrUqWBYKapkBxCnb1S1bc3g@cp3-web-033.plabs.ch
-
- 25 Jul, 2021 9 commits
-
-
Alyssa Rosenzweig authored
Like many free software projects, freedesktop.org issued a non-binding recommendation for projects to migrate from Freenode to OFTC [1]. As such, freedesktop.org entries in the MAINTAINERS file are out-of-date as the respective channels have moved. Update the file to point to the right network. v2: Correct typo in commit message pointed out by Lukas and Jonathan. Add Hector's ack. v3: Add acks. [1] https://lists.freedesktop.org/archives/dri-devel/2021-May/307605.htmlSigned-off-by:
Alyssa Rosenzweig <alyssa@rosenzweig.io> Acked-by:
Hector Martin <marcan@marcan.st> Acked-by:
Jani Nikula <jani.nikula@intel.com> Cc: Karol Herbst <kherbst@redhat.com> Cc: David Airlie <airlied@linux.ie> Cc: Daniel Vetter <daniel@ffwll.ch> Cc: Lukas Wunner <lukas@wunner.de> Cc: Jonathan Neuschäfer <j.neuschaefer@gmx.net> Cc: linux-kernel@vger.kernel.org Signed-off-by:
Karol Herbst <kherbst@redhat.com> Link: https://patchwork.freedesktop.org/patch/msgid/20210725150007.2818-2-alyssa@rosenzweig.io
-
Alyssa Rosenzweig authored
Like many free software projects, Nouveau recently moved from Freenode to OFTC. Update the reference. v3: Add acks. Signed-off-by:
-
Heiko Stuebner authored
SoCs like the rk3288 and rk3399 have 3 mipi dphys on them. One is TX- only, one is RX-only and one can be configured to do either TX or RX. The RX phy is statically connected to the first Image Signal Processor, the TX phy is statically connected to the first DSI controller and the TXRX phy is connected to both the second DSI controller as well as the second ISP. The RX dphy is controlled externally through registers in the "General Register Files", while the other two are controlled through the "Configuration and Test Interface" inside their DSI controller's io-memory area. The Rockchip dw-dsi controller already controls these dphys for the TX case in the driver, but when we want to also allow configuration for RX to the ISP from the media subsystem we need to expose phy- functionality instead. So add a bit of infrastructure to allow the dsi driver to work as a phy and make sure it can be only one or the other at a time. Similarly as the dsi-controller will be part of the drm-graph when active, add an empty component to the drm-graph when in phy-mode to make the rest of the drm-graph not wait for it. Signed-off-by:
Heiko Stuebner <heiko.stuebner@theobroma-systems.com> Tested-by:
Sebastian Fricke <sebastian.fricke@posteo.net> Acked-by:
Helen Koike <helen.koike@collabora.com> Link: https://patchwork.freedesktop.org/patch/msgid/20210210111020.2476369-4-heiko@sntech.de
-
Heiko Stuebner authored
The Rockchip DSI controller on some SoCs also controls a bidrectional dphy, which would be connected to an Image Signal Processor as a phy in the rx configuration. So allow a #phy-cells property for the dsi controller. Signed-off-by:
Rob Herring <robh@kernel.org> Tested-by:
-
Heiko Stuebner authored
In a followup patch, we'll need to access the pclk ourself to enable some functionality, so get and store it in the rockchip dw-dsi variant as well. Clocks are refcounted, so possible cascading enablements are no problem. Signed-off-by:
-
Geert Uytterhoeven authored
Convert the Solomon SSD1307 Framebuffer Device Tree binding documentation to json-schema. Fix the spelling of the "pwms" property. Document default values. Make properties with default values not required. Signed-off-by:
Geert Uytterhoeven <geert@linux-m68k.org> Reviewed-by:
-
Geert Uytterhoeven authored
As nwl_dsi.lanes is u32, and NSEC_PER_SEC is 1000000000L, the second multiplication in dsi->lanes * 8 * NSEC_PER_SEC will overflow on a 32-bit platform. Fix this by making the constant unsigned long long, forcing 64-bit arithmetic. As iMX8 is arm64, this driver is currently used on 64-bit platforms only, where long is 64-bit, so this cannot happen. But the issue will start to happen when the driver is reused for a 32-bit SoC (e.g. i.MX7ULP), or when code is copied for a new driver. Signed-off-by:Geert Uytterhoeven <geert+renesas@glider.be> Reviewed-by:
Fabio Estevam <festevam@gmail.com> Reviewed-by:
Laurent Pinchart <laurent.pinchart@ideasonboard.com> Signed-off-by:
-
Oleksij Rempel authored
Add Logictechno and Multi-Inno panels: - Logic Technologies LTTD800x480 L2RT 7" 800x480 TFT Resistive Touch Module - Logic Technologies LTTD800480070-L6WH-RT 7” 800x480 TFT Resistive Touch Module - Multi-Inno Technology Co.,Ltd MI1010AIT-1CP 10.1" 1280x800 LVDS IPS Cap Touch Mod. Signed-off-by:
Oleksij Rempel <o.rempel@pengutronix.de> Acked-by:
-
Thomas Zimmermann authored
Drop the DRM IRQ midlayer in favor of Linux IRQ interfaces. DRM's IRQ helpers are mostly useful for UMS drivers. Modern KMS drivers don't benefit from using it. v3: * return error if (ret < 0) (Geert) * remove duplicate error message (Geert) v2: * handle errors in platform_get_irq() (Geert, Sergei) * store IRQ number in struct shmob_drm_device (Laurent) Signed-off-by:
Thomas Zimmermann <tzimmermann@suse.de> Acked-by:
-
- 23 Jul, 2021 11 commits
-
-
Thomas Zimmermann authored
Replace dma_buf_begin_cpu_access() with drm_gem_fb_begin_cpu_access(); same for _end_cpu_access(). Remove some boiler-plate code. No functional changes. Signed-off-by:
Noralf Trønnes <noralf@tronnes.org> Acked-by:
David Lechner <david@lechnology.com> Link: https://patchwork.freedesktop.org/patch/msgid/20210716140801.1215-8-tzimmermann@suse.de
-
Thomas Zimmermann authored
Replace dma_buf_begin_cpu_access() with drm_gem_fb_begin_cpu_access(); same for _end_cpu_access(). Remove some boiler-plate code. No functional changes. Signed-off-by:
-
Thomas Zimmermann authored
Replace dma_buf_begin_cpu_access() with drm_gem_fb_begin_cpu_access(); same for _end_cpu_access(). Remove some boiler-plate code. No functional changes. Signed-off-by:
-
Thomas Zimmermann authored
Replace dma_buf_begin_cpu_access() with drm_gem_fb_begin_cpu_access(); same for _end_cpu_access(). Remove some boiler-plate code. No functional changes. Signed-off-by:
-
Thomas Zimmermann authored
Replace dma_buf_begin_cpu_access() with drm_gem_fb_begin_cpu_access(); same for _end_cpu_access(). Remove some boiler-plate code. No functional changes. There's one left-over reference to the imported attachment that we keep. GEM BOs with imported attachment are considered uncached and enables special handling within the drm_fb_swab(). Signed-off-by:
-
Thomas Zimmermann authored
Replace dma_buf_begin_cpu_access() with drm_gem_fb_begin_cpu_access(); same for _end_cpu_access(). Remove some boiler-plate code. No functional changes. Signed-off-by:
-
Thomas Zimmermann authored
Implement helpers drm_gem_fb_begin_cpu_access() and _end_cpu_access(), which call the rsp dma-buf functions for all GEM BOs of the given framebuffer. Calls to dma_buf_end_cpu_access() can return an error code on failure, while drm_gem_fb_end_cpu_access() does not. The latter runs during DRM's atomic commit or during cleanup. Both cases don't allow for errors, so leave out the return value. v2: * fix typo in docs (Daniel) Signed-off-by:
-
Thomas Zimmermann authored
The variable 'priv' got introduced in commit 39a364a1 ("drm/hisilicon/hibmc: Convert to Linux IRQ interfaces") by accident. It's unused; remove it. Fixes a compiler warning. Signed-off-by:
Tian Tao <tiantao6@hisilicon.com> Reviewed-by:
Dave Airlie <airlied@gmail.com> Cc: Thomas Zimmermann <tzimmermann@suse.de> Cc: Tian Tao <tiantao6@hisilicon.com> Cc: Maxime Ripard <maxime@cerno.tech> Cc: Daniel Vetter <daniel.vetter@ffwll.ch> Cc: Sam Ravnborg <sam@ravnborg.org> Link: https://patchwork.freedesktop.org/patch/msgid/20210721131704.10306-1-tzimmermann@suse.de
-
Normunds Rieksts authored
Arm Fixed Rate Compression (AFRC) is a proprietary fixed rate image compression protocol and format. It is designed to provide guaranteed bandwidth and memory footprint reductions in graphics and media use-cases. This patch aims to add modifier definitions for describing AFRC. Signed-off-by:
Normunds Rieksts <normunds.rieksts@arm.com> Reviewed-by:
Liviu Dudau <liviu.dudau@arm.com> Signed-off-by:
-
Maxime Ripard authored
New KMS properties come with a bunch of requirements to avoid each driver from running their own, inconsistent, set of properties, eventually leading to issues like property conflicts, inconsistencies between drivers and semantics, etc. Let's document what we expect. Acked-by:
Dave Airlie <airlied@redhat.com> Reviewed-by:
Maxime Ripard <maxime@cerno.tech> Link: https://patchwork.freedesktop.org/patch/msgid/20210720143544.571760-1-maxime@cerno.tech
-
Chris Morgan authored
Set a condition for the message of "Couldn't set OPP regulators" to not display if the error code is EPROBE_DEFER. Note that I used an if statement to capture the condition instead of the dev_err_probe function because I didn't want to change the DRM_DEV_ERROR usage. Signed-off-by:
Chris Morgan <macromorgan@hotmail.com> Reviewed-by:
Steven Price <steven.price@arm.com> Signed-off-by:
-
- 22 Jul, 2021 1 commit
-
-
Maxime Ripard authored
The corpro,gm7123 was in use in a DT but was never properly documented, let's add it. Cc: dri-devel@lists.freedesktop.org Reviewed-by:
-
- 21 Jul, 2021 11 commits
-
-
Zheyu Ma authored
The userspace program could pass any values to the driver through ioctl() interface. If the driver doesn't check the value of 'pixclock', it may cause divide error because of the 'PICOS2KHZ' macro. Fix this by checking whether 'pixclock' is zero first. The following log reveals it: [ 53.093806] divide error: 0000 [#1] PREEMPT SMP KASAN PTI [ 53.093838] CPU: 3 PID: 11763 Comm: hang Not tainted 5.14.0-rc2-00478-g2734d6c1 #215 [ 53.093859] RIP: 0010:neofb_check_var+0x80/0xe50 [ 53.093951] Call Trace: [ 53.093956] ? neofb_setcolreg+0x2b0/0x2b0 [ 53.093968] fb_set_var+0x2e4/0xeb0 [ 53.093977] ? fb_blank+0x1a0/0x1a0 [ 53.093984] ? lock_acquire+0x1ef/0x530 [ 53.093996] ? lock_release+0x810/0x810 [ 53.094005] ? lock_is_held_type+0x100/0x140 [ 53.094016] ? ___might_sleep+0x1ee/0x2d0 [ 53.094028] ? __mutex_lock+0x620/0x1190 [ 53.094036] ? do_fb_ioctl+0x313/0x700 [ 53.094044] ? mutex_lock_io_nested+0xfa0/0xfa0 [ 53.094051] ? __this_cpu_preempt_check+0x1d/0x30 [ 53.094060] ? _raw_spin_unlock_irqrestore+0x46/0x60 [ 53.094069] ? lockdep_hardirqs_on+0x59/0x100 [ 53.094076] ? _raw_spin_unlock_irqrestore+0x46/0x60 [ 53.094085] ? trace_hardirqs_on+0x6a/0x1c0 [ 53.094096] do_fb_ioctl+0x31e/0x700 Signed-off-by:
-
Colin Ian King authored
The variable err is being initialized with a value that is never read, the assignment is redundant and can be removed. Addresses-Coverity: ("Unused value") Signed-off-by:Colin Ian King <colin.king@canonical.com> Signed-off-by:
-
Javier Martinez Canillas authored
The register_gop_device() function registers an "efi-framebuffer" platform device to match against the efifb driver, to have an early framebuffer for EFI platforms. But there is already support to do exactly the same by the Generic System Framebuffers (sysfb) driver. This used to be only for X86 but it has been moved to drivers/firmware and could be reused by other architectures. Also, besides supporting registering an "efi-framebuffer", this driver can register a "simple-framebuffer" allowing to use the siple{fb,drm} drivers on non-X86 EFI platforms. For example, on aarch64 these drivers can only be used with DT and doesn't have code to register a "simple-frambuffer" platform device when booting with EFI. For these reasons, let's remove the register_gop_device() duplicated code and instead move the platform specific logic that's there to sysfb driver. Signed-off-by:Javier Martinez Canillas <javierm@redhat.com> Acked-by:
Borislav Petkov <bp@suse.de> Acked-by:
-
Javier Martinez Canillas authored
The x86 architecture has generic support to register a system framebuffer platform device. It either registers a "simple-framebuffer" if the config option CONFIG_X86_SYSFB is enabled, or a legacy VGA/VBE/EFI FB device. But the code is generic enough to be reused by other architectures and can be moved out of the arch/x86 directory. This will allow to also support the simple{fb,drm} drivers on non-x86 EFI platforms, such as aarch64 where these drivers are only supported with DT. Signed-off-by:Greg Kroah-Hartman <gregkh@linuxfoundation.org> Acked-by:
-
Christoph Hellwig authored
The VGA arbitration is entirely based on pci_dev structures, so just pass that back to the set_vga_decode callback. Signed-off-by:
Christoph Hellwig <hch@lst.de> Link: https://patchwork.freedesktop.org/patch/msgid/20210716061634.2446357-8-hch@lst.deAcked-by:
Christian König <christian.koenig@amd.com> Signed-off-by:
-
Christoph Hellwig authored
All callers pass NULL as the irq_set_state argument, so remove it and the ->irq_set_state member in struct vga_device. Signed-off-by:
-
Christoph Hellwig authored
Add a trivial wrapper for the unregister case that sets all fields to NULL. Signed-off-by:
-
Christoph Hellwig authored
Merge the different CONFIG_VGA_ARB ifdef blocks, remove superflous externs, and regularize the stubs for !CONFIG_VGA_ARB. Signed-off-by:
-
Christoph Hellwig authored
Kerneldoc comments should be at the implementation side, not in the header just declaring the prototype. Signed-off-by:
-
Christoph Hellwig authored
vga_conflicts only has a single caller and none of the arch overrides mentioned in the comment. Just remove it and the thus dead check in the caller. Signed-off-by:
-
Christoph Hellwig authored
The define is entirely unused. Signed-off-by:
-
- 20 Jul, 2021 4 commits
-
-
Juan A. Suarez Romero authored
The V3D engine has several hardware performance counters that can of interest for userspace performance analysis tools. This exposes new ioctls to create and destroy performance monitor objects, as well as to query the counter values. Each created performance monitor object has an ID that can be attached to CL/CSD submissions, so the driver enables the requested counters when the job is submitted, and updates the performance monitor values when the job is done. It is up to the user to ensure all the jobs have been finished before getting the performance monitor values. It is also up to the user to properly synchronize BCL jobs when submitting jobs with different performance monitors attached. Cc: Daniel Vetter <daniel@ffwll.ch> Cc: David Airlie <airlied@linux.ie> Cc: Emma Anholt <emma@anholt.net> To: dri-devel@lists.freedesktop.org Signed-off-by:
Juan A. Suarez Romero <jasuarez@igalia.com> Acked-by:
Melissa Wen <mwen@igalia.com> Signed-off-by:
Melissa Wen <melissa.srw@gmail.com> Link: https://patchwork.freedesktop.org/patch/msgid/20210608111541.461991-1-jasuarez@igalia.com
-
Desmond Cheong Zhi Xi authored
drm_file->master pointers should be protected by drm_device.master_mutex or drm_file.master_lookup_lock when being dereferenced. However, in drm_lease.c, there are multiple instances where drm_file->master is accessed and dereferenced while neither lock is held. This makes drm_lease.c vulnerable to use-after-free bugs. We address this issue in 2 ways: 1. Add a new drm_file_get_master() function that calls drm_master_get on drm_file->master while holding on to drm_file.master_lookup_lock. Since drm_master_get increments the reference count of master, this prevents master from being freed until we unreference it with drm_master_put. 2. In each case where drm_file->master is directly accessed and eventually dereferenced in drm_lease.c, we wrap the access in a call to the new drm_file_get_master function, then unreference the master pointer once we are done using it. Reported-by:
Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com> Reviewed-by:
Emil Velikov <emil.l.velikov@gmail.com> Signed-off-by:
-
Desmond Cheong Zhi Xi authored
Currently, drm_file.master pointers should be protected by drm_device.master_mutex when being dereferenced. This is because drm_file.master is not invariant for the lifetime of drm_file. If drm_file is not the creator of master, then drm_file.is_master is false, and a call to drm_setmaster_ioctl will invoke drm_new_set_master, which then allocates a new master for drm_file and puts the old master. Thus, without holding drm_device.master_mutex, the old value of drm_file.master could be freed while it is being used by another concurrent process. However, it is not always possible to lock drm_device.master_mutex to dereference drm_file.master. Through the fbdev emulation code, this might occur in a deep nest of other locks. But drm_device.master_mutex is also the outermost lock in the nesting hierarchy, so this leads to potential deadlocks. To address this, we introduce a new spin lock at the bottom of the lock hierarchy that only serializes drm_file.master. With this change, the value of drm_file.master changes only when both drm_device.master_mutex and drm_file.master_lookup_lock are held. Hence, any process holding either of those locks can ensure that the value of drm_file.master will not change concurrently. Since no lock depends on the new drm_file.master_lookup_lock, when drm_file.master is dereferenced, but drm_device.master_mutex cannot be held, we can safely protect the master pointer with drm_file.master_lookup_lock. Reported-by:
-
Desmond Cheong Zhi Xi authored
While checking the master status of the DRM file in drm_is_current_master(), the device's master mutex should be held. Without the mutex, the pointer fpriv->master may be freed concurrently by another process calling drm_setmaster_ioctl(). This could lead to use-after-free errors when the pointer is subsequently dereferenced in drm_lease_owner(). The callers of drm_is_current_master() from drm_auth.c hold the device's master mutex, but external callers do not. Hence, we implement drm_is_current_master_locked() to be used within drm_auth.c, and modify drm_is_current_master() to grab the device's master mutex before checking the master status. Reported-by:
-
