Commit 99c2c466 authored May 26, 2023 by Min Li Committed by sanglipeng Nov 30, 2023

drm/exynos: fix race condition UAF in exynos_g2d_exec_ioctl

stable inclusion
from stable-v5.10.186
commit 485fe165084bdff372049f9d109326756764b620
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I8J4KH

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=485fe165084bdff372049f9d109326756764b620



--------------------------------

[ Upstream commit 48bfd025 ]

If it is async, runqueue_node is freed in g2d_runqueue_worker on another
worker thread. So in extreme cases, if g2d_runqueue_worker runs first, and
then executes the following if statement, there will be use-after-free.

Signed-off-by: Min Li <lm0963hack@gmail.com>
Reviewed-by: Andi Shyti <andi.shyti@kernel.org>
Signed-off-by: Inki Dae <inki.dae@samsung.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: sanglipeng <sanglipeng1@jd.com>

parent 9bb5b9b0

drivers/gpu/drm/exynos/exynos_drm_g2d.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -1332,7 +1332,7 @@ int exynos_g2d_exec_ioctl(struct drm_device drm_dev, void data,
		/* Let the runqueue know that there is work to do. */
		queue_work(g2d->g2d_workq, &g2d->runqueue_work);

		if (runqueue_node->async)
		if (req->async)
		goto out;

		wait_for_completion(&runqueue_node->complete);