kernel_optimize_test/include/drm
Desmond Cheong Zhi Xi 34609faad0 drm: protect drm_master pointers in drm_lease.c
[ Upstream commit 56f0729a510f92151682ff6c89f69724d5595d6e ]

drm_file->master pointers should be protected by
drm_device.master_mutex or drm_file.master_lookup_lock when being
dereferenced.

However, in drm_lease.c, there are multiple instances where
drm_file->master is accessed and dereferenced while neither lock is
held. This makes drm_lease.c vulnerable to use-after-free bugs.

We address this issue in 2 ways:

1. Add a new drm_file_get_master() function that calls drm_master_get
on drm_file->master while holding on to
drm_file.master_lookup_lock. Since drm_master_get increments the
reference count of master, this prevents master from being freed until
we unreference it with drm_master_put.

2. In each case where drm_file->master is directly accessed and
eventually dereferenced in drm_lease.c, we wrap the access in a call
to the new drm_file_get_master function, then unreference the master
pointer once we are done using it.

Reported-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
Reviewed-by: Emil Velikov <emil.l.velikov@gmail.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: https://patchwork.freedesktop.org/patch/msgid/20210712043508.11584-6-desmondcheongzx@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
2021-09-18 13:40:19 +02:00
bridge drm/bridge: dw-mipi-dsi: permit configuring the escape clock rate 2020-09-11 15:01:36 +02:00
i2c
ttm drm/ttm: drop evicted from ttm_bo. 2020-09-18 06:23:38 +10:00
amd_asic_type.h drm/amdgpu: add navy_flounder asic type 2020-07-15 12:45:39 -04:00
drm_agpsupport.h
drm_atomic_helper.h drm/atomic-helper: Extract drm_atomic_helper_calc_timestamping_constants() 2020-09-14 22:36:44 +03:00
drm_atomic_state_helper.h
drm_atomic_uapi.h
drm_atomic.h drm: drm_atomic.h: delete duplicated word in comment 2020-07-15 14:02:29 +02:00
drm_audio_component.h ALSA: hda/i915 - fix list corruption with concurrent probes 2020-10-09 16:46:04 +02:00
drm_auth.h drm: protect drm_master pointers in drm_lease.c 2021-09-18 13:40:19 +02:00
drm_blend.h
drm_bridge_connector.h
drm_bridge.h drm: drm_bridge.h: delete duplicated word in comment 2020-07-15 14:02:34 +02:00
drm_cache.h
drm_client.h drm/client: Add drm_client_modeset_check() 2020-05-26 13:32:03 +02:00
drm_color_mgmt.h
drm_connector.h drm: report dp downstream port type as a subconnector property 2020-08-11 14:06:04 +02:00
drm_crtc_helper.h
drm_crtc.h
drm_damage_helper.h
drm_debugfs_crc.h
drm_debugfs.h drm/debugfs: remove checks for return value of drm_debugfs functions. 2020-03-18 17:32:20 +01:00
drm_device.h drm/managed: Cleanup of unused functions and polishing docs 2020-09-03 16:25:06 +02:00
drm_displayid.h drm/edid: Replace zero-length array with flexible-array 2020-06-15 23:08:31 -05:00
drm_dp_dual_mode_helper.h
drm_dp_helper.h drm: kernel-doc: drm_dp_helper.h: fix a typo 2020-10-27 11:21:27 +01:00
drm_dp_mst_helper.h drm/dp/mst: Export drm_dp_get_vc_payload_bw() 2021-02-10 09:29:18 +01:00
drm_drv.h drm/dev: Remove drm_dev_init 2020-09-21 10:45:08 +02:00
drm_dsc.h drm: drm_dsc.h: fix a kernel-doc markup 2020-09-30 16:40:44 +02:00
drm_edid.h drm: drm_edid: remove a duplicated kernel-doc declaration 2020-10-27 11:20:55 +01:00
drm_encoder_slave.h
drm_encoder.h drm: Validate encoder->possible_crtcs 2020-03-18 18:38:27 +02:00
drm_fb_cma_helper.h
drm_fb_helper.h drm: Don't return 0 from a void drm_fbdev_generic_setup 2020-04-08 22:42:39 +01:00
drm_file.h drm: protect drm_master pointers in drm_lease.c 2021-09-18 13:40:19 +02:00
drm_fixed.h
drm_flip_work.h
drm_format_helper.h drm/format-helper: Add drm_fb_swab() 2020-05-26 13:33:08 +02:00
drm_fourcc.h
drm_framebuffer.h drm/core: Calculate bpp in afbc helper 2020-04-01 14:11:22 +02:00
drm_gem_cma_helper.h drm/cma-helper: Add DRM_GEM_CMA_DRIVER_OPS to set default GEM CMA functions 2020-06-10 09:01:49 +02:00
drm_gem_framebuffer_helper.h drm/core: Add drm_afbc_framebuffer and a corresponding helper 2020-03-18 11:22:05 +01:00
drm_gem_shmem_helper.h drm/shmem-helper: Add .gem_create_object helper that sets map_cached flag 2020-06-10 10:16:43 +02:00
drm_gem_ttm_helper.h
drm_gem_vram_helper.h drm/vboxvideo: Use drm_gem_vram_vmap() interfaces 2020-09-14 09:12:24 +02:00
drm_gem.h drm: drm_gem.h: delete duplicated words in comments 2020-07-15 14:02:42 +02:00
drm_hashtab.h
drm_hdcp.h drm/i915: Fix sha_text population code 2020-09-02 10:48:11 +03:00
drm_ioctl.h drm: Return -ENOTTY for non-drm ioctls 2021-07-28 14:35:47 +02:00
drm_irq.h
drm_lease.h
drm_legacy.h drm-misc-next for 5.8: 2020-04-22 10:41:35 +10:00
drm_managed.h drm: Add docs for managed resources 2020-03-26 16:09:48 +01:00
drm_mipi_dbi.h drm/mipi-dbi: Remove ->enabled 2020-06-24 09:17:34 +02:00
drm_mipi_dsi.h
drm_mm.h drm: fix spelling error in comments 2020-09-17 13:39:44 +02:00
drm_mode_config.h Merge drm/drm-next into drm-misc-next 2020-08-12 20:42:08 +02:00
drm_mode_object.h
drm_modes.h drm: Replace mode->export_head with a boolean 2020-09-01 13:38:34 +03:00
drm_modeset_helper_vtables.h drm/probe_helper: Add drm_connector_helper_funcs.mode_valid_ctx 2020-07-13 13:29:20 -04:00
drm_modeset_helper.h
drm_modeset_lock.h drm/modeset-lock: Take the modeset BKL for legacy drivers 2020-08-17 13:41:50 -04:00
drm_of.h
drm_panel.h drm/panel: Add helper for reading DT rotation 2020-08-16 17:12:18 +02:00
drm_pciids.h
drm_plane_helper.h
drm_plane.h
drm_prime.h drm-misc-next for 5.10: 2020-09-23 09:52:24 +10:00
drm_print.h drm: drm_print.h: fix kernel-doc markups 2020-10-27 11:21:39 +01:00
drm_probe_helper.h
drm_property.h
drm_rect.h drm: drm_rect.h: delete duplicated word in comment 2020-07-15 14:03:02 +02:00
drm_scdc_helper.h
drm_self_refresh_helper.h
drm_simple_kms_helper.h
drm_syncobj.h
drm_sysfs.h
drm_util.h
drm_utils.h
drm_vblank_work.h drm/vblank: Add vblank works 2020-07-16 18:16:31 -04:00
drm_vblank.h drm/vblank: Add vblank works 2020-07-16 18:16:31 -04:00
drm_vma_manager.h
drm_writeback.h drm/writeback: wire drm_writeback.h to kernel-doc 2020-04-07 17:39:46 +02:00
gma_drm.h
gpu_scheduler.h Merge tag 'amd-drm-next-5.10-2020-09-03' of git://people.freedesktop.org/~agd5f/linux into drm-next 2020-09-08 16:40:13 +10:00
i915_component.h
i915_drm.h
i915_mei_hdcp_interface.h
i915_pciids.h drm/i915: break TGL pci-ids in GT 1 & 2 2020-08-31 17:58:26 +03:00
intel_lpe_audio.h
intel-gtt.h iommu/vt-d: Move intel_iommu_gfx_mapped to Intel IOMMU header 2020-09-04 12:12:45 +02:00
spsc_queue.h
task_barrier.h