Commit 0835201c authored by Ville Syrjälä's avatar Ville Syrjälä Committed by Yi Yang
Browse files

drm/client: Fully protect modes[] with dev->mode_config.mutex 

stable inclusion
from stable-v5.10.216
commit 41586487769eede64ab1aa6c65c74cbf76c12ef0
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9QRRC
CVE: CVE-2024-35950

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=41586487769eede64ab1aa6c65c74cbf76c12ef0

--------------------------------

commit 3eadd887dbac1df8f25f701e5d404d1b90fd0fea upstream.

The modes[] array contains pointers to modes on the connectors'
mode lists, which are protected by dev->mode_config.mutex.
Thus we need to extend modes[] the same protection or by the
time we use it the elements may already be pointing to
freed/reused memory.

Cc: stable@vger.kernel.org
Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/10583


Signed-off-by: default avatarVille Syrjälä <ville.syrjala@linux.intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20240404203336.10454-2-ville.syrjala@linux.intel.com


Reviewed-by: default avatarDmitry Baryshkov <dmitry.baryshkov@linaro.org>
Reviewed-by: default avatarJani Nikula <jani.nikula@intel.com>
Reviewed-by: default avatarThomas Zimmermann <tzimmermann@suse.de>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent f300accf

drivers/gpu/drm/drm_client_modeset.c

+2 −1
Original line number Diff line number Diff line
@@ -774,6 +774,7 @@ int drm_client_modeset_probe(struct drm_client_dev *client, unsigned int width, 
	unsigned int total_modes_count = 0;

	struct drm_client_offset *offsets;

	unsigned int connector_count = 0;

	/* points to modes protected by mode_config.mutex */

	struct drm_display_mode **modes;

	struct drm_crtc **crtcs;

	int i, ret = 0;
@@ -842,7 +843,6 @@ int drm_client_modeset_probe(struct drm_client_dev *client, unsigned int width, 
		drm_client_pick_crtcs(client, connectors, connector_count,

				      crtcs, modes, 0, width, height);

	}

	mutex_unlock(&dev->mode_config.mutex);



	drm_client_modeset_release(client);
@@ -872,6 +872,7 @@ int drm_client_modeset_probe(struct drm_client_dev *client, unsigned int width, 
			modeset->y = offset->y;

		}

	}

	mutex_unlock(&dev->mode_config.mutex);



	mutex_unlock(&client->modeset_mutex);

out: