From 1b67ca8a45ddf08dba9089dea09992570411afdd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= Date: Mon, 27 May 2024 09:23:42 +0000 Subject: [PATCH] drm/client: Fully protect modes[] with dev->mode_config.mutex MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit stable inclusion from stable-v5.10.216 commit 41586487769eede64ab1aa6c65c74cbf76c12ef0 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9QRRC CVE: CVE-2024-35950 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=41586487769eede64ab1aa6c65c74cbf76c12ef0 -------------------------------- commit 3eadd887dbac1df8f25f701e5d404d1b90fd0fea upstream. The modes[] array contains pointers to modes on the connectors' mode lists, which are protected by dev->mode_config.mutex. Thus we need to extend modes[] the same protection or by the time we use it the elements may already be pointing to freed/reused memory. Cc: stable@vger.kernel.org Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/10583 Signed-off-by: Ville Syrjälä Link: https://patchwork.freedesktop.org/patch/msgid/20240404203336.10454-2-ville.syrjala@linux.intel.com Reviewed-by: Dmitry Baryshkov Reviewed-by: Jani Nikula Reviewed-by: Thomas Zimmermann Signed-off-by: Greg Kroah-Hartman Conflicts: drivers/gpu/drm/drm_fb_helper.c drivers/gpu/drm/drm_client_modeset.c [Since commit e13a05831050 (drm/fb-helper: Stop using mode_config.mutex for internals) mode_config mutex introduced. adaptation mutex in drm_setup_crtcs()] Signed-off-by: Yi Yang
---
 drivers/gpu/drm/drm_fb_helper.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/drm_fb_helper.c b/drivers/gpu/drm/drm_fb_helper.c
index 8b546fde139d..4f5e3b3513d8 100644
--- a/drivers/gpu/drm/drm_fb_helper.c
+++ b/drivers/gpu/drm/drm_fb_helper.c
@@ -2507,6 +2507,7 @@ static void drm_setup_crtcs(struct drm_fb_helper *fb_helper,
 {
 struct drm_device *dev = fb_helper->dev;
 struct drm_fb_helper_crtc **crtcs;
+ /* points to modes protected by mode_config.mutex */
 struct drm_display_mode **modes;
 struct drm_fb_offset *offsets;
 bool *enabled;
@@ -2553,7 +2554,6 @@ static void drm_setup_crtcs(struct drm_fb_helper *fb_helper,
 drm_pick_crtcs(fb_helper, crtcs, modes, 0, width, height); } - mutex_unlock(&fb_helper->dev->mode_config.mutex); /* need to set the modesets up here for use later */ /* fill out the connector<->crtc mappings into the modesets */
@@ -2587,6 +2587,8 @@ static void drm_setup_crtcs(struct drm_fb_helper *fb_helper,
 modeset->y = offset->y;
 }
 }
+ mutex_unlock(&fb_helper->dev->mode_config.mutex);
+
 out:
 kfree(crtcs);
 kfree(modes);
-- Gitee
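Review bot: The comment added above `struct drm_display_mode **modes;` names the lock but not the rule a later editor has to follow: the array holds borrowed pointers that must not be dereferenced once the mutex is dropped. Wording such as `/* borrowed from the connectors' mode lists; dereference only while dev->mode_config.mutex is held */` would state that directly. The `kfree(modes);` after `out:` in the last hunk frees only the pointer array, so it can stay outside the lock. drm_setup_crtcs() begins before and continues past this hunk.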
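Review bot: With `mutex_unlock()` now placed immediately before `out:` in the last hunk, the label is reached both by fall-through after the unlock and by every `goto out`, so the placement is only correct if each `goto out` is taken before the lock is acquired. Neither the `mutex_lock()` call nor the jump sites are visible in these hunks, so this should be checked against the full function. A one-line comment above the label, e.g. `/* reached with mode_config.mutex released */`, would keep a later error path from jumping there with the lock held. The critical section now also covers the modeset-filling loop, most of which lies outside the hunk; since the conflict note says the placement was adapted by hand for this tree, it is worth confirming that nothing called from that loop takes dev->mode_config.mutex itself.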