From: Hsin-Yi Wang
To: Chun-Kuang Hu
Cc: Philipp Zabel, David Airlie, Daniel Vetter, Matthias Brugger, AngeloGioacchino Del Regno, dri-devel@lists.freedesktop.org, linux-mediatek@lists.infradead.org, linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org
Subject: [PATCH] drm/mediatek: Fix a null pointer crash in mtk_drm_crtc_finish_page_flip
Date: Fri, 23 Feb 2024 13:23:29 -0800
Message-ID: <20240223212404.3709690-1-hsinyi@chromium.org>

It's possible that mtk_crtc->event is NULL in
mtk_drm_crtc_finish_page_flip().

pending_needs_vblank value is set by mtk_crtc->event, but in
mtk_drm_crtc_atomic_flush(), it's not guarded by the same
lock in mtk_drm_finish_page_flip(), thus a race condition happens.

Consider the following case:

CPU1                              CPU2
step 1:
mtk_drm_crtc_atomic_begin()
mtk_crtc->event is not null,
                                  step 1:
                                  mtk_drm_crtc_atomic_flush:
                                  mtk_drm_crtc_update_config(
                                      !!mtk_crtc->event)
step 2:
mtk_crtc_ddp_irq ->
mtk_drm_finish_page_flip:
lock
mtk_crtc->event set to null,
pending_needs_vblank set to false
unlock
                                  pending_needs_vblank set to true,

                                  step 2:
                                  mtk_crtc_ddp_irq ->
                                  mtk_drm_finish_page_flip called again,
                                  pending_needs_vblank is still true
                                  //null pointer

Instead of guarding the entire mtk_drm_crtc_atomic_flush(), it's more
efficient to just check if mtk_crtc->event is null before use.

Signed-off-by: Hsin-Yi Wang
Fixes: 119f5173628a ("drm/mediatek: Add DRM Driver for Mediatek SoC MT8173.")
--- drivers/gpu/drm/mediatek/mtk_drm_crtc.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/drivers/gpu/drm/mediatek/mtk_drm_crtc.c b/drivers/gpu/drm/mediatek/mtk_drm_crtc.c index db43f9dff912..d645b85f9721 100644 --- a/drivers/gpu/drm/mediatek/mtk_drm_crtc.c +++ b/drivers/gpu/drm/mediatek/mtk_drm_crtc.c
@@ -95,11 +95,13 @@ static void mtk_drm_crtc_finish_page_flip(struct mtk_drm_crtc *mtk_crtc) struct drm_crtc *crtc = &mtk_crtc->base; unsigned long flags; - spin_lock_irqsave(&crtc->dev->event_lock, flags); - drm_crtc_send_vblank_event(crtc, mtk_crtc->event); - drm_crtc_vblank_put(crtc); - mtk_crtc->event = NULL; - spin_unlock_irqrestore(&crtc->dev->event_lock, flags); + if (mtk_crtc->event) { + spin_lock_irqsave(&crtc->dev->event_lock, flags); + drm_crtc_send_vblank_event(crtc, mtk_crtc->event); + drm_crtc_vblank_put(crtc); + mtk_crtc->event = NULL; + spin_unlock_irqrestore(&crtc->dev->event_lock, flags); + } } static void mtk_drm_finish_page_flip(struct mtk_drm_crtc *mtk_crtc) -- 2.44.0.rc0.258.g7320e95886-goog
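
Review bot: the new `if (mtk_crtc->event)` test in mtk_drm_crtc_finish_page_flip() reads the pointer before spin_lock_irqsave() is taken, while the same pointer is cleared under crtc->dev->event_lock a few lines further down, so the test and the use are not covered by one critical section. The commit message describes a race caused by exactly this kind of lock-coverage gap, so I would take event_lock first and test mtk_crtc->event inside it; that way drm_crtc_send_vblank_event() can never be handed a pointer that was cleared between the test and the lock. Please also state in the commit message that drm_crtc_vblank_put() is now skipped when the event is NULL, and why the vblank reference count stays balanced in that case.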