LKML Archive on lore.kernel.org
help / color / mirror / Atom feed
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: "Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org,
	"Maarten Lankhorst" <maarten.lankhorst@linux.intel.com>,
	"Laurent Pinchart" <laurent.pinchart@ideasonboard.com>,
	"Abhay Kumar" <abhay.kumar@intel.com>,
	"Ville Syrjälä" <ville.syrjala@linux.intel.com>,
	"Daniel Vetter" <daniel.vetter@ffwll.ch>,
	"Sean Paul" <seanpaul@chromium.org>
Subject: [PATCH 4.16 48/72] drm/atomic: Clean old_state/new_state in drm_atomic_state_default_clear()
Date: Mon, 14 May 2018 08:49:05 +0200	[thread overview]
Message-ID: <20180514064825.244393480@linuxfoundation.org> (raw)
In-Reply-To: <20180514064823.033169170@linuxfoundation.org>

4.16-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ville Syrjälä <ville.syrjala@linux.intel.com>

commit f0b408eebc993310bea3f2daae286c40bd3f063b upstream.

Clear the old_state and new_state pointers for every object in
drm_atomic_state_default_clear(). Otherwise
drm_atomic_get_{new,old}_*_state() will hand out stale pointers to
anyone who hasn't first confirmed that the object is in fact part of
the current atomic transcation, if they are called after we've done
the ww backoff dance while hanging on to the same drm_atomic_state.

For example, handle_conflicting_encoders() looks like it could hit
this since it iterates the full connector list and just calls
drm_atomic_get_new_connector_state() for each.

And I believe we have now witnessed this happening at least once in
i915 check_digital_port_conflicts(). Commit 8b69449d2663 ("drm/i915:
Remove last references to drm_atomic_get_existing* macros") changed
the safe drm_atomic_get_existing_connector_state() to the unsafe
drm_atomic_get_new_connector_state(), which opened the doors for
this particular bug there as well.

v2: Split private objs out to a separate patch (Daniel)

Cc: stable@vger.kernel.org
Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
Cc: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Cc: Abhay Kumar <abhay.kumar@intel.com>
Fixes: 581e49fe6b41 ("drm/atomic: Add new iterators over all state, v3.")
Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20180502183247.5746-1-ville.syrjala@linux.intel.com
Reviewed-by: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Sean Paul <seanpaul@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/drm_atomic.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/drivers/gpu/drm/drm_atomic.c
+++ b/drivers/gpu/drm/drm_atomic.c
@@ -155,6 +155,8 @@ void drm_atomic_state_default_clear(stru
 						       state->connectors[i].state);
 		state->connectors[i].ptr = NULL;
 		state->connectors[i].state = NULL;
+		state->connectors[i].old_state = NULL;
+		state->connectors[i].new_state = NULL;
 		drm_connector_put(connector);
 	}
 
@@ -169,6 +171,8 @@ void drm_atomic_state_default_clear(stru
 
 		state->crtcs[i].ptr = NULL;
 		state->crtcs[i].state = NULL;
+		state->crtcs[i].old_state = NULL;
+		state->crtcs[i].new_state = NULL;
 	}
 
 	for (i = 0; i < config->num_total_plane; i++) {
@@ -181,6 +185,8 @@ void drm_atomic_state_default_clear(stru
 						   state->planes[i].state);
 		state->planes[i].ptr = NULL;
 		state->planes[i].state = NULL;
+		state->planes[i].old_state = NULL;
+		state->planes[i].new_state = NULL;
 	}
 
 	for (i = 0; i < state->num_private_objs; i++) {

  parent reply	other threads:[~2018-05-14  6:49 UTC|newest]

Thread overview: 86+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-05-14  6:48 [PATCH 4.16 00/72] 4.16.9-stable review Greg Kroah-Hartman
2018-05-14  6:48 ` [PATCH 4.16 01/72] ipvs: fix rtnl_lock lockups caused by start_sync_thread Greg Kroah-Hartman
2018-05-14  6:48 ` [PATCH 4.16 02/72] netfilter: ebtables: dont attempt to allocate 0-sized compat array Greg Kroah-Hartman
2018-05-14  6:48 ` [PATCH 4.16 03/72] clk: ti: fix flag space conflict with clkctrl clocks Greg Kroah-Hartman
2018-05-14  6:48 ` [PATCH 4.16 04/72] kcm: Call strp_stop before strp_done in kcm_attach Greg Kroah-Hartman
2018-05-14  6:48 ` [PATCH 4.16 05/72] rds: tcp: must use spin_lock_irq* and not spin_lock_bh with rds_tcp_conn_lock Greg Kroah-Hartman
2018-05-14  6:48 ` [PATCH 4.16 06/72] crypto: af_alg - fix possible uninit-value in alg_bind() Greg Kroah-Hartman
2018-05-14  6:48 ` [PATCH 4.16 07/72] netlink: fix uninit-value in netlink_sendmsg Greg Kroah-Hartman
2018-05-14  6:48 ` [PATCH 4.16 08/72] net: fix rtnh_ok() Greg Kroah-Hartman
2018-05-14  6:48 ` [PATCH 4.16 09/72] net: initialize skb->peeked when cloning Greg Kroah-Hartman
2018-05-14  6:48 ` [PATCH 4.16 10/72] net: fix uninit-value in __hw_addr_add_ex() Greg Kroah-Hartman
2018-05-14  6:48 ` [PATCH 4.16 11/72] dccp: initialize ireq->ir_mark Greg Kroah-Hartman
2018-05-14  6:48 ` [PATCH 4.16 12/72] ipv4: fix uninit-value in ip_route_output_key_hash_rcu() Greg Kroah-Hartman
2018-05-14  6:48 ` [PATCH 4.16 13/72] soreuseport: initialise timewait reuseport field Greg Kroah-Hartman
2018-05-14  6:48 ` [PATCH 4.16 14/72] inetpeer: fix uninit-value in inet_getpeer Greg Kroah-Hartman
2018-05-14  6:48 ` [PATCH 4.16 15/72] bpf/tracing: fix a deadlock in perf_event_detach_bpf_prog Greg Kroah-Hartman
2018-05-14  6:48 ` [PATCH 4.16 16/72] memcg: fix per_node_info cleanup Greg Kroah-Hartman
2018-05-14  6:48 ` [PATCH 4.16 17/72] perf: Remove superfluous allocation error check Greg Kroah-Hartman
2018-05-14  6:48 ` [PATCH 4.16 18/72] i2c: dev: prevent ZERO_SIZE_PTR deref in i2cdev_ioctl_rdwr() Greg Kroah-Hartman
2018-05-14  6:48 ` [PATCH 4.16 19/72] tcp: fix TCP_REPAIR_QUEUE bound checking Greg Kroah-Hartman
2018-05-14  6:48 ` [PATCH 4.16 20/72] bdi: wake up concurrent wb_shutdown() callers Greg Kroah-Hartman
2018-05-14  6:48 ` [PATCH 4.16 21/72] bdi: Fix use after free bug in debugfs_remove() Greg Kroah-Hartman
2018-05-14  6:48 ` [PATCH 4.16 22/72] bdi: Fix oops in wb_workfn() Greg Kroah-Hartman
2018-05-14  6:48 ` [PATCH 4.16 23/72] compat: fix 4-byte infoleak via uninitialized struct field Greg Kroah-Hartman
2018-05-14  6:48 ` [PATCH 4.16 24/72] gpioib: do not free unrequested descriptors Greg Kroah-Hartman
2018-05-14  6:48 ` [PATCH 4.16 25/72] gpio: fix aspeed_gpio unmask irq Greg Kroah-Hartman
2018-05-14  6:48 ` [PATCH 4.16 26/72] gpio: fix error path in lineevent_create Greg Kroah-Hartman
2018-05-14  6:48 ` [PATCH 4.16 27/72] rfkill: gpio: fix memory leak in probe error path Greg Kroah-Hartman
2018-05-14  6:48 ` [PATCH 4.16 28/72] libata: Apply NOLPM quirk for SanDisk SD7UB3Q*G1001 SSDs Greg Kroah-Hartman
2018-05-14  6:48 ` [PATCH 4.16 29/72] dm integrity: use kvfree for kvmallocd memory Greg Kroah-Hartman
2018-05-14  6:48 ` [PATCH 4.16 30/72] tracing: Fix regex_match_front() to not over compare the test string Greg Kroah-Hartman
2018-05-14  6:48 ` [PATCH 4.16 31/72] z3fold: fix reclaim lock-ups Greg Kroah-Hartman
2018-05-14  6:48 ` [PATCH 4.16 32/72] mm: sections are not offlined during memory hotremove Greg Kroah-Hartman
2018-05-14  6:48 ` [PATCH 4.16 33/72] mm, oom: fix concurrent munlock and oom reaper unmap, v3 Greg Kroah-Hartman
2018-05-14  6:48 ` [PATCH 4.16 34/72] ceph: fix rsize/wsize capping in ceph_direct_read_write() Greg Kroah-Hartman
2018-05-14  6:48 ` [PATCH 4.16 35/72] can: flexcan: fix endianess detection Greg Kroah-Hartman
2018-05-14  6:48 ` [PATCH 4.16 36/72] can: kvaser_usb: Increase correct stats counter in kvaser_usb_rx_can_msg() Greg Kroah-Hartman
2018-05-14  6:48 ` [PATCH 4.16 37/72] can: hi311x: Acquire SPI lock on ->do_get_berr_counter Greg Kroah-Hartman
2018-05-14  6:48 ` [PATCH 4.16 38/72] can: hi311x: Work around TX complete interrupt erratum Greg Kroah-Hartman
2018-05-14  6:48 ` [PATCH 4.16 39/72] mtd: rawnand: marvell: pass ms delay to wait_op Greg Kroah-Hartman
2018-05-14  6:48 ` [PATCH 4.16 40/72] mtd: rawnand: marvell: fix command xtype in BCH write hook Greg Kroah-Hartman
2018-05-14  6:48 ` [PATCH 4.16 41/72] mtd: rawnand: Make sure we wait tWB before polling the STATUS reg Greg Kroah-Hartman
2018-05-14  7:32   ` Geert Uytterhoeven
2018-05-14  9:04     ` Greg Kroah-Hartman
2018-05-14  9:09       ` Boris Brezillon
2018-05-14 10:54         ` Geert Uytterhoeven
2018-05-14  9:32       ` Geert Uytterhoeven
2018-05-14 16:50       ` Greg Kroah-Hartman
2018-05-14  6:48 ` [PATCH 4.16 42/72] drm/vc4: Fix scaling of uni-planar formats Greg Kroah-Hartman
2018-05-14  6:49 ` [PATCH 4.16 43/72] drm/ttm: Use GFP_TRANSHUGE_LIGHT for allocating huge pages Greg Kroah-Hartman
2018-05-14  6:49 ` [PATCH 4.16 44/72] drm/i915: Fix drm:intel_enable_lvds ERROR message in kernel log Greg Kroah-Hartman
2018-05-14  6:49 ` [PATCH 4.16 45/72] drm/i915: Adjust eDPs logical vco in a reliable place Greg Kroah-Hartman
2018-05-14  6:49 ` [PATCH 4.16 46/72] drm/nouveau: Fix deadlock in nv50_mstm_register_connector() Greg Kroah-Hartman
2018-05-14  6:49 ` [PATCH 4.16 47/72] drm/nouveau/ttm: dont dereference nvbo::cli, it can outlive client Greg Kroah-Hartman
2018-05-14  6:49 ` Greg Kroah-Hartman [this message]
2018-05-14  6:49 ` [PATCH 4.16 49/72] drm/atomic: Clean private obj old_state/new_state in drm_atomic_state_default_clear() Greg Kroah-Hartman
2018-05-14  6:49 ` [PATCH 4.16 50/72] net: atm: Fix potential Spectre v1 Greg Kroah-Hartman
2018-05-14  6:49 ` [PATCH 4.16 51/72] atm: zatm: " Greg Kroah-Hartman
2018-05-14  6:49 ` [PATCH 4.16 52/72] PCI / PM: Always check PME wakeup capability for runtime wakeup support Greg Kroah-Hartman
2018-05-14  6:49 ` [PATCH 4.16 53/72] PCI / PM: Check device_may_wakeup() in pci_enable_wake() Greg Kroah-Hartman
2018-05-14  6:49 ` [PATCH 4.16 54/72] cpufreq: schedutil: Avoid using invalid next_freq Greg Kroah-Hartman
2018-05-14  6:49 ` [PATCH 4.16 55/72] arm: dts: imx[35]*: declare flexcan devices to be compatible to imx25s flexcan Greg Kroah-Hartman
2018-05-14  6:49 ` [PATCH 4.16 56/72] Revert "Bluetooth: btusb: Fix quirk for Atheros 1525/QCA6174" Greg Kroah-Hartman
2018-05-14  6:49 ` [PATCH 4.16 57/72] Bluetooth: btusb: Add Dell XPS 13 9360 to btusb_needs_reset_resume_table Greg Kroah-Hartman
2018-05-14  6:49 ` [PATCH 4.16 58/72] Bluetooth: btusb: Only check needs_reset_resume DMI table for QCA rome chipsets Greg Kroah-Hartman
2018-05-14  6:49 ` [PATCH 4.16 59/72] thermal: exynos: Reading temperature makes sense only when TMU is turned on Greg Kroah-Hartman
2018-05-14  6:49 ` [PATCH 4.16 60/72] thermal: exynos: Propagate error value from tmu_read() Greg Kroah-Hartman
2018-05-14  6:49 ` [PATCH 4.16 61/72] nvme: add quirk to force medium priority for SQ creation Greg Kroah-Hartman
2018-05-14  6:49 ` [PATCH 4.16 62/72] nvme: Fix sync controller reset return Greg Kroah-Hartman
2018-05-14  6:49 ` [PATCH 4.16 63/72] smb3: directory sync should not return an error Greg Kroah-Hartman
2018-05-14  6:49 ` [PATCH 4.16 64/72] swiotlb: silent unwanted warning "buffer is full" Greg Kroah-Hartman
2018-05-14  6:49 ` [PATCH 4.16 65/72] sched/core: Fix possible Spectre-v1 indexing for sched_prio_to_weight[] Greg Kroah-Hartman
2018-05-14  6:49 ` [PATCH 4.16 66/72] sched/autogroup: " Greg Kroah-Hartman
2018-05-14  6:49 ` [PATCH 4.16 67/72] tracing/uprobe_event: Fix strncpy corner case Greg Kroah-Hartman
2018-05-14  6:49 ` [PATCH 4.16 68/72] perf/x86: Fix possible Spectre-v1 indexing for hw_perf_event cache_* Greg Kroah-Hartman
2018-05-14  6:49 ` [PATCH 4.16 69/72] perf/x86/cstate: Fix possible Spectre-v1 indexing for pkg_msr Greg Kroah-Hartman
2018-05-14  6:49 ` [PATCH 4.16 70/72] perf/x86/msr: Fix possible Spectre-v1 indexing in the MSR driver Greg Kroah-Hartman
2018-05-14  6:49 ` [PATCH 4.16 71/72] perf/core: Fix possible Spectre-v1 indexing for ->aux_pages[] Greg Kroah-Hartman
2018-05-14  6:49 ` [PATCH 4.16 72/72] perf/x86: Fix possible Spectre-v1 indexing for x86_pmu::event_map() Greg Kroah-Hartman
2018-05-14 13:45 ` [PATCH 4.16 00/72] 4.16.9-stable review kernelci.org bot
2018-05-14 16:27 ` Guenter Roeck
2018-05-14 16:51   ` Greg Kroah-Hartman
2018-05-14 22:01 ` Shuah Khan
2018-05-15  6:47   ` Greg Kroah-Hartman
2018-05-15  5:31 ` Naresh Kamboju
2018-05-15  6:47   ` Greg Kroah-Hartman

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20180514064825.244393480@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=abhay.kumar@intel.com \
    --cc=daniel.vetter@ffwll.ch \
    --cc=laurent.pinchart@ideasonboard.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=maarten.lankhorst@linux.intel.com \
    --cc=seanpaul@chromium.org \
    --cc=stable@vger.kernel.org \
    --cc=ville.syrjala@linux.intel.com \
    --subject='Re: [PATCH 4.16 48/72] drm/atomic: Clean old_state/new_state in drm_atomic_state_default_clear()' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).