From patchwork Fri Feb 23 21:23:29 2024
X-Patchwork-Submitter: Hsin-Yi Wang
X-Patchwork-Id: 13570066
From: Hsin-Yi Wang
To: Chun-Kuang Hu
Cc: Philipp Zabel, David Airlie, Daniel Vetter, Matthias Brugger, AngeloGioacchino Del Regno, dri-devel@lists.freedesktop.org, linux-mediatek@lists.infradead.org, linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org
Subject: [PATCH] drm/mediatek: Fix a null pointer crash in mtk_drm_crtc_finish_page_flip
Date: Fri, 23 Feb 2024 13:23:29 -0800
Message-ID: <20240223212404.3709690-1-hsinyi@chromium.org>
X-Mailer: git-send-email 2.44.0.rc0.258.g7320e95886-goog

It's possible that mtk_crtc->event is NULL in
mtk_drm_crtc_finish_page_flip().

pending_needs_vblank value is set by mtk_crtc->event, but in
mtk_drm_crtc_atomic_flush(), it's not guarded by the same
lock in mtk_drm_finish_page_flip(), thus a race condition happens.

Consider the following case:

CPU1                              CPU2
step 1:
mtk_drm_crtc_atomic_begin()
mtk_crtc->event is not null,
                                  step 1:
                                  mtk_drm_crtc_atomic_flush:
                                  mtk_drm_crtc_update_config(
                                      !!mtk_crtc->event)
step 2:
mtk_crtc_ddp_irq ->
mtk_drm_finish_page_flip:
lock
mtk_crtc->event set to null,
pending_needs_vblank set to false
unlock
                                  pending_needs_vblank set to true,

                                  step 2:
                                  mtk_crtc_ddp_irq ->
                                  mtk_drm_finish_page_flip called again,
                                  pending_needs_vblank is still true
                                  //null pointer

Instead of guarding the entire mtk_drm_crtc_atomic_flush(), it's more
efficient to just check if mtk_crtc->event is null before use.

Signed-off-by: Hsin-Yi Wang Fixes: 119f5173628a ("drm/mediatek: Add DRM Driver for Mediatek SoC MT8173.") Reviewed-by: CK Hu --- drivers/gpu/drm/mediatek/mtk_drm_crtc.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/drivers/gpu/drm/mediatek/mtk_drm_crtc.c b/drivers/gpu/drm/mediatek/mtk_drm_crtc.c index db43f9dff912..d645b85f9721 100644 --- a/drivers/gpu/drm/mediatek/mtk_drm_crtc.c +++ b/drivers/gpu/drm/mediatek/mtk_drm_crtc.c @@ -95,11 +95,13 @@ static void mtk_drm_crtc_finish_page_flip(struct mtk_drm_crtc *mtk_crtc) struct drm_crtc *crtc = &mtk_crtc->base; unsigned long flags; - spin_lock_irqsave(&crtc->dev->event_lock, flags); - drm_crtc_send_vblank_event(crtc, mtk_crtc->event); - drm_crtc_vblank_put(crtc); - mtk_crtc->event = NULL; - spin_unlock_irqrestore(&crtc->dev->event_lock, flags); + if (mtk_crtc->event) { + spin_lock_irqsave(&crtc->dev->event_lock, flags); + drm_crtc_send_vblank_event(crtc, mtk_crtc->event); + drm_crtc_vblank_put(crtc); + mtk_crtc->event = NULL; + spin_unlock_irqrestore(&crtc->dev->event_lock, flags); + } } static void mtk_drm_finish_page_flip(struct mtk_drm_crtc *mtk_crtc)
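
Review bot: In mtk_drm_crtc_finish_page_flip(), the new `if (mtk_crtc->event)` test is evaluated before `spin_lock_irqsave(&crtc->dev->event_lock, flags)`, so the pointer is checked outside the lock under which it is cleared (`mtk_crtc->event = NULL` stays inside the locked region). If two callers both pass the check, the second can still reach drm_crtc_send_vblank_event() with a NULL event once the first has cleared it and released the lock. Suggest taking event_lock first and testing mtk_crtc->event inside the critical section, or stating in the commit message why this function cannot run concurrently with itself. Separately, drm_crtc_vblank_put() used to run unconditionally and is now skipped when the event is NULL; the commit message should confirm that no vblank reference is held on that path, otherwise the get/put pairing becomes unbalanced.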