• M
    drm/amd/display: Clear dm_state for fast updates · 76195175
    Mazin Rezk 提交于
    This patch fixes a race condition that causes a use-after-free during
    amdgpu_dm_atomic_commit_tail. This can occur when 2 non-blocking commits
    are requested and the second one finishes before the first. Essentially,
    this bug occurs when the following sequence of events happens:
    
    1. Non-blocking commit #1 is requested w/ a new dm_state #1 and is
    deferred to the workqueue.
    
    2. Non-blocking commit #2 is requested w/ a new dm_state #2 and is
    deferred to the workqueue.
    
    3. Commit #2 starts before commit #1, dm_state #1 is used in the
    commit_tail and commit #2 completes, freeing dm_state #1.
    
    4. Commit #1 starts after commit #2 completes, uses the freed dm_state
    1 and dereferences a freelist pointer while setting the context.
    
    Since this bug has only been spotted with fast commits, this patch fixes
    the bug by clearing the dm_state instead of using the old dc_state for
    fast updates. In addition, since dm_state is only used for its dc_state
    and amdgpu_dm_atomic_commit_tail will retain the dc_state if none is found,
    removing the dm_state should not have any consequences in fast updates.
    
    This use-after-free bug has existed for a while now, but only caused a
    noticeable issue starting from 5.7-rc1 due to 3202fa62 ("slub: relocate
    freelist pointer to middle of object") moving the freelist pointer from
    dm_state->base (which was unused) to dm_state->context (which is
    dereferenced).
    
    Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=207383
    Fixes: bd200d19 ("drm/amd/display: Don't replace the dc_state for fast updates")
    Reported-by: NDuncan <1i5t5.duncan@cox.net>
    Signed-off-by: NMazin Rezk <mnrzk@protonmail.com>
    Reviewed-by: NNicholas Kazlauskas <nicholas.kazlauskas@amd.com>
    Signed-off-by: NAlex Deucher <alexander.deucher@amd.com>
    76195175
amdgpu_dm.c 255.9 KB