diff options
| author | Tuo Li <islituo@gmail.com> | 2023-06-30 10:19:06 +0800 | 
|---|---|---|
| committer | Inki Dae <inki.dae@samsung.com> | 2023-08-08 09:35:11 +0900 | 
| commit | 2e63972a2de14482d0eae1a03a73e379f1c3f44c (patch) | |
| tree | c362d7f0b611d90170a1884b1a62114cf3323104 /lib/dynamic_debug.c | |
| parent | d9aa1da9a8cfb0387eb5703c15bd1f54421460ac (diff) | |
drm/exynos: fix a possible null-pointer dereference due to data race in exynos_drm_crtc_atomic_disable()
The variable crtc->state->event is often protected by the lock
crtc->dev->event_lock when is accessed. However, it is accessed as a
condition of an if statement in exynos_drm_crtc_atomic_disable() without
holding the lock:
  if (crtc->state->event && !crtc->state->active)
However, if crtc->state->event is changed to NULL by another thread right
after the conditions of the if statement is checked to be true, a
null-pointer dereference can occur in drm_crtc_send_vblank_event():
  e->pipe = pipe;
To fix this possible null-pointer dereference caused by data race, the
spin lock coverage is extended to protect the if statement as well as the
function call to drm_crtc_send_vblank_event().
Reported-by: BassCheck <bass@buaa.edu.cn>
Link: https://sites.google.com/view/basscheck/home
Signed-off-by: Tuo Li <islituo@gmail.com>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Added relevant link.
Signed-off-by: Inki Dae <inki.dae@samsung.com>
Diffstat (limited to 'lib/dynamic_debug.c')
0 files changed, 0 insertions, 0 deletions
