linux/drivers/gpu/drm
Francis, David 5e28b7b944 drm: Set old handle to NULL before prime swap in change_handle
There was a potential race condition in change_handle. The ioctl
briefly had a single object with two idr entries; a concurrent
gem_close could delete the object and remove one of the handles
while leaving the other one dangling, which could subsequently
be dereferenced for a use-after-free.

To fix this, do the same dance that gem_close itself does.
(f6cd7daecf drm: Release driver references to handle before making it available again)
First idr_replace the old handle to NULL. Later, if the prime
operations are successful, actually close it.

create_tail required a similar dance to avoid a similar problem.
(bd46cece51 drm/gem: Fix race in drm_gem_handle_create_tail())
It idr_allocs the new handle with NULL, then swaps in the correct
object later to avoid races. We don't need to do that here, since
the only operations that could race are drm_prime, and
change_handle holds the prime lock for the entire duration.

v2: cleanups of error paths

Signed-off-by: David Francis <David.Francis@amd.com>
Co-authored-by: Dave Airlie <airlied@gmail.com>
Reported-by: Puttimet Thammasaeng <pwn8official@gmail.com>
Tested-by: Vitaly Prosyak <Vitaly.Prosyak@amd.com>
Cc: Simona Vetter <simona@ffwll.ch>
Cc: stable@vger.kernel.org
Cc: Christian Koenig <Christian.Koenig@amd.com>
Fixes: 53096728b8 ("drm: Add DRM prime interface to reassign GEM handle")
Signed-off-by: Dave Airlie <airlied@redhat.com>
2026-05-08 17:53:59 +10:00
adp
amd drm/amdgpu: nuke amdgpu_userq_fence_slab v2 2026-05-05 10:23:06 -04:00
arm drm/komeda: Add support for Arm China Linlon-D6 2026-03-24 16:08:54 +00:00
armada Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
aspeed
ast drm/ast: dp501: Fix initialization of SCU2C 2026-03-30 10:38:11 +02:00
atmel-hlcdc drm: atmel-hlcdc: add LCD controller layer definition for sama7d65 2026-02-25 09:20:45 +05:30
bridge drm/bridge: tda998x: Return NULL instead of 0 in tda998x_edid_read() 2026-05-04 16:52:40 +02:00
ci Merge tag 'drm-msm-next-2026-04-02' of https://gitlab.freedesktop.org/drm/msm into drm-next 2026-04-03 18:57:00 +10:00
clients Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
display drm/display: hdmi: Use drm_output_color_format instead of hdmi_colorspace 2026-03-24 13:54:35 +01:00
etnaviv drm/etnaviv: Fix armed job not being pushed to the DRM scheduler 2026-05-05 11:40:16 +02:00
exynos drm/exynos: remove bridge when component_add fails 2026-05-05 16:50:42 +02:00
fsl-dcu Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
gma500 drm/gma500: Create framebuffers with drm_gem_fb_create() 2026-03-03 09:28:56 +01:00
gud Merge drm/drm-fixes into drm-misc-next-fixes 2026-03-30 10:05:36 +02:00
hisilicon drm/hisilicon/hibmc: Adding reset colorbar cfg in dp init. 2026-01-20 10:53:14 +02:00
hyperv drm/hyperv: Remove reference to hyperv_fb driver 2026-02-14 11:09:38 +01:00
i915 drm/i915/display: enable ccs modifiers on dg2 2026-05-05 08:12:37 +01:00
imagination drm/imagination: Fix segfault when updating ftrace mask 2026-04-27 14:22:52 +01:00
imx drm/imx: ipuv3-plane: support underlay plane 2026-03-13 16:27:06 +01:00
ingenic drm/atomic: Remove state argument to drm_atomic_private_obj_init 2026-03-20 10:03:11 +01:00
kmb Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
lima Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
logicvc drm/logicvc: Fix device node reference leak in logicvc_drm_config_parse() 2026-02-10 15:18:36 +01:00
loongson drm/loongson: use drm_gem_ttm_dumb_map_offset() 2026-03-11 09:40:07 +01:00
mcde drm/mcde: dsi: convert to of_drm_find_and_get_bridge() 2026-02-23 10:10:34 +01:00
mediatek Linux 7.0-rc6 2026-03-31 07:51:02 +10:00
meson Merge tag 'drm-msm-next-2026-04-02' of https://gitlab.freedesktop.org/drm/msm into drm-next 2026-04-03 18:57:00 +10:00
mgag200 Convert more 'alloc_obj' cases to default GFP_KERNEL arguments 2026-02-21 20:03:00 -08:00
msm Merge tag 'drm-msm-next-2026-04-02' of https://gitlab.freedesktop.org/drm/msm into drm-next 2026-04-03 18:57:00 +10:00
mxsfb drm: lcdif: Use dev_err_probe() 2026-03-10 09:42:09 +08:00
nouveau Revert "drm/nouveau/gsp: add support for GA100" 2026-05-01 01:08:00 +02:00
nova rust: gem: Introduce DriverObject::Args 2026-03-26 02:08:04 +01:00
omapdrm drm/atomic: Remove state argument to drm_atomic_private_obj_init 2026-03-20 10:03:11 +01:00
panel drm/panel: himax-hx83102: restore MODE_LPM after sending disable cmds 2026-05-05 14:43:36 +02:00
panfrost drm/panfrost: Test for imported buffers with drm_gem_is_imported() 2026-03-02 11:51:41 +00:00
panthor drm fixes for 7.1-rc1 2026-04-24 11:44:52 -07:00
pl111 Linux 6.19-rc7 2026-01-28 12:44:28 +10:00
qxl drm/qxl: Fix missing KMS poll cleanup 2026-05-04 14:54:44 +02:00
radeon drm/radeon: add missing revision check for CI 2026-05-05 10:15:49 -04:00
renesas drm: rcar-du: Fix crash when no CMM is available 2026-04-23 15:53:46 +03:00
rockchip drm/rockchip: analogix: Convert to drm_output_color_format 2026-03-24 13:54:34 +01:00
scheduler Linux 7.0-rc3 2026-03-11 11:18:31 +01:00
sitronix Merge drm/drm-fixes into drm-misc-next-fixes 2026-03-30 10:05:36 +02:00
solomon drm/solomon: Fix page start when updating rectangle in page addressing mode 2026-02-26 13:42:09 +01:00
sprd
sti drm/sti: remove bridge when sti_hda component_add fails 2026-05-04 22:52:39 +02:00
stm drm/bridge: stm_lvds: Do not fail atomic_check on disabled connector 2026-04-13 12:52:33 +02:00
sun4i drm/display: hdmi: Use drm_output_color_format instead of hdmi_colorspace 2026-03-24 13:54:35 +01:00
sysfb drm/sysfb: ofdrm: fix PCI device reference leaks 2026-04-27 11:30:49 +02:00
tegra drm for v7.1-rc1 2026-04-15 08:45:00 -07:00
tests drm/display: hdmi: Use drm_output_color_format instead of hdmi_colorspace 2026-03-24 13:54:35 +01:00
tidss Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
tilcdc drm/tilcdc: Fix type mismatch 2026-03-17 17:50:49 +01:00
tiny drm/bochs: Drop manual put on probe error path 2026-05-07 10:51:18 +02:00
ttm drm/ttm: Fix GPU MM stats during pool shrinking 2026-05-03 21:05:59 -07:00
tve200
tyr drm for v7.1-rc1 2026-04-15 08:45:00 -07:00
udl drm/udl: Increase GET_URB_TIMEOUT 2026-04-28 10:50:41 +02:00
v3d drm fixes for 7.1-rc1 2026-04-24 11:44:52 -07:00
vboxvideo Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
vc4 drm for v7.1-rc1 2026-04-15 08:45:00 -07:00
verisilicon drm: verisilicon: make vs_dc_platform_driver static 2026-03-25 15:21:23 +01:00
vgem Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
virtio Merge drm/drm-next into drm-misc-next 2026-02-23 11:48:20 +01:00
vkms drm/vkms: Support setting custom background color 2026-03-18 09:59:57 +00:00
vmwgfx Linux 7.0-rc6 2026-03-31 07:51:02 +10:00
xe drm/xe/guc: Exclude indirect ring state page from ADS engine state size 2026-05-05 16:15:04 -07:00
xen Convert remaining multi-line kmalloc_obj/flex GFP_KERNEL uses 2026-02-22 08:26:33 -08:00
xlnx Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
drm_atomic_helper.c drm fixes for 7.1-rc1 2026-04-24 11:44:52 -07:00
drm_atomic_state_helper.c drm: Add CRTC background color property 2026-03-18 09:59:57 +00:00
drm_atomic_uapi.c drm: Add CRTC background color property 2026-03-18 09:59:57 +00:00
drm_atomic.c drm/atomic: Remove state argument to drm_atomic_private_obj_init 2026-03-20 10:03:11 +01:00
drm_auth.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
drm_blend.c drm: Add CRTC background color property 2026-03-18 09:59:57 +00:00
drm_bridge_helper.c
drm_bridge.c Linux 7.0-rc7 2026-04-07 12:36:31 +02:00
drm_buddy.c Convert remaining multi-line kmalloc_obj/flex GFP_KERNEL uses 2026-02-22 08:26:33 -08:00
drm_cache.c
drm_client_event.c
drm_client_modeset.c drm/client: Do not destroy NULL modes 2026-02-25 09:31:54 +02:00
drm_client_sysrq.c
drm_client.c drm/client: Export drm_client_buffer_create() 2026-03-03 09:28:31 +01:00
drm_color_mgmt.c drm/color-mgmt: Typo s/R332/RGB332/ 2026-04-27 11:36:05 +02:00
drm_colorop.c drm/colorop: Preserve bypass value in duplicate_state() 2026-03-16 08:33:05 +05:30
drm_connector.c drm/display: hdmi: Use drm_output_color_format instead of hdmi_colorspace 2026-03-24 13:54:35 +01:00
drm_crtc_helper_internal.h
drm_crtc_helper.c Convert remaining multi-line kmalloc_obj/flex GFP_KERNEL uses 2026-02-22 08:26:33 -08:00
drm_crtc_internal.h
drm_crtc.c drm/simple-kms: Deprecate simple-kms helpers 2026-03-25 15:05:22 +01:00
drm_damage_helper.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
drm_debugfs_crc.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
drm_debugfs.c drm/debug: don't register files for unsupported HDMI InfoFrames 2026-01-19 13:11:47 +02:00
drm_displayid_internal.h
drm_displayid.c
drm_draw_internal.h
drm_draw.c
drm_drv.c drm-misc-next for v7.1: 2026-03-27 12:45:54 +10:00
drm_dumb_buffers.c
drm_edid_load.c
drm_edid.c drm/edid: Parse AMD Vendor-Specific Data Block 2026-04-03 13:45:49 -04:00
drm_eld.c
drm_encoder.c
drm_exec.c
drm_fb_dma_helper.c
drm_fb_helper.c drm/fb-helper: Fix clipping when damage area spans a single scanline 2026-05-04 14:55:40 +02:00
drm_fbdev_dma.c
drm_fbdev_shmem.c
drm_fbdev_ttm.c
drm_file.c Revert "drm: Fix use-after-free on framebuffers and property blobs when calling drm_dev_unplug" 2026-03-26 14:09:26 +01:00
drm_flip_work.c treewide: Replace kmalloc with kmalloc_obj for non-scalar types 2026-02-21 01:02:28 -08:00
drm_format_helper.c
drm_format_internal.h
drm_fourcc.c
drm_framebuffer.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
drm_gem_atomic_helper.c drm/simple-kms: Deprecate simple-kms helpers 2026-03-25 15:05:22 +01:00
drm_gem_dma_helper.c drm/gem-dma: set VM_DONTDUMP for mmap 2026-03-26 14:35:18 +08:00
drm_gem_framebuffer_helper.c drm/gem: Fix inconsistent plane dimension calculation in drm_gem_fb_init_with_funcs() 2026-04-27 11:27:22 +02:00
drm_gem_shmem_helper.c drm/shmem_helper: Make sure PMD entries get the writeable upgrade 2026-04-03 10:11:04 +02:00
drm_gem_ttm_helper.c
drm_gem_vram_helper.c drm/vram: remove DRM_VRAM_MM_FILE_OPERATIONS from docs 2026-04-09 09:34:28 +02:00
drm_gem.c drm: Set old handle to NULL before prime swap in change_handle 2026-05-08 17:53:59 +10:00
drm_gpusvm.c drm/pagemap: Add helper to access zone_device_data 2026-03-13 18:12:07 -07:00
drm_gpuvm.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
drm_internal.h
drm_ioc32.c drm/ioc32: stop speculation on the drm_compat_ioctl path 2026-04-02 08:24:55 +02:00
drm_ioctl.c
drm_kms_helper_common.c
drm_lease.c Convert more 'alloc_obj' cases to default GFP_KERNEL arguments 2026-02-21 20:03:00 -08:00
drm_managed.c
drm_mipi_dbi.c drm/mipi-dbi: Remove simple-display helpers from mipi-dbi 2026-03-25 15:05:17 +01:00
drm_mipi_dsi.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
drm_mm.c
drm_mode_config.c Linux 7.0-rc7 2026-04-07 12:36:31 +02:00
drm_mode_object.c drm/mode_object: add drm_object_immutable_property_get_value() 2026-01-14 02:18:31 +02:00
drm_modes.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
drm_modeset_helper.c drm/simple-kms: Deprecate simple-kms helpers 2026-03-25 15:05:22 +01:00
drm_modeset_lock.c treewide: Replace kmalloc with kmalloc_obj for non-scalar types 2026-02-21 01:02:28 -08:00
drm_of.c
drm_pagemap_util.c drm/pagemap_util: Ensure proper cache lock management on free 2026-03-17 15:39:07 +01:00
drm_pagemap.c drm/pagemap: Enable THP support for GPU memory migration 2026-03-13 18:12:59 -07:00
drm_panel_backlight_quirks.c
drm_panel_orientation_quirks.c
drm_panel.c
drm_panic_qr.rs
drm_panic.c drm/panic: Fix expected string for QR_CODE in drm_panic_type_map 2026-01-09 08:53:27 +00:00
drm_pci.c
drm_plane_helper.c Convert more 'alloc_obj' cases to default GFP_KERNEL arguments 2026-02-21 20:03:00 -08:00
drm_plane.c Convert more 'alloc_obj' cases to default GFP_KERNEL arguments 2026-02-21 20:03:00 -08:00
drm_prime.c drm/prime: Limit scatter list size with dedicated DMA device 2026-03-23 13:23:29 +08:00
drm_print.c
drm_privacy_screen_x86.c
drm_privacy_screen.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
drm_probe_helper.c drm/probe-helper: replace use of system_wq with system_percpu_wq 2026-02-09 09:41:09 +01:00
drm_property.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
drm_ras_genl_family.c drm/ras: Introduce the DRM RAS infrastructure over generic netlink 2026-03-05 19:38:55 -05:00
drm_ras_nl.c drm/ras: Introduce the DRM RAS infrastructure over generic netlink 2026-03-05 19:38:55 -05:00
drm_ras_nl.h drm/ras: Introduce the DRM RAS infrastructure over generic netlink 2026-03-05 19:38:55 -05:00
drm_ras.c drm/ras: Introduce the DRM RAS infrastructure over generic netlink 2026-03-05 19:38:55 -05:00
drm_rect.c
drm_self_refresh_helper.c Merge drm/drm-next into drm-misc-next 2026-02-23 11:48:20 +01:00
drm_simple_kms_helper.c drm/simple-kms: Deprecate simple-kms helpers 2026-03-25 15:05:22 +01:00
drm_suballoc.c Merge tag 'drm-xe-next-2026-03-02' of https://gitlab.freedesktop.org/drm/xe/kernel into drm-next 2026-03-03 10:37:29 +10:00
drm_syncobj.c drm/syncobj: Fix xa_alloc allocation flags 2026-03-25 08:05:35 +00:00
drm_sysfs.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
drm_trace_points.c
drm_trace.h
drm_vblank_helper.c
drm_vblank_work.c
drm_vblank.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
drm_vma_manager.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
drm_writeback.c dma-buf: inline spinlock for fence protection v5 2026-02-23 16:14:19 +01:00
Kconfig DRM Rust changes for v7.1-rc1 2026-04-01 07:32:05 +10:00
Kconfig.debug drm: fix dead default for DRM_TTM_KUNIT_TEST 2026-03-24 16:19:04 +01:00
Makefile Merge drm/drm-next into drm-xe-next 2026-03-12 07:23:23 -07:00