diff options
| author | Jeongjun Park <aha310510@gmail.com> | 2026-01-19 17:25:53 +0900 |
|---|---|---|
| committer | Inki Dae <inki.dae@samsung.com> | 2026-02-01 23:28:01 +0900 |
| commit | 52b330799e2d6f825ae2bb74662ec1b10eb954bb (patch) | |
| tree | 96231a51cdc97b9e9d764e011ce7da47b7b2f387 /tools/perf/lib/Documentation/tutorial/git@git.tavy.me:linux.git | |
| parent | d4c98c077c7fb2dfdece7d605e694b5ea2665085 (diff) | |
drm/exynos: vidi: use ctx->lock to protect struct vidi_context member variables related to memory alloc/free
Exynos Virtual Display driver performs memory alloc/free operations
without lock protection, which easily causes concurrency problem.
For example, use-after-free can occur in race scenario like this:
```
CPU0 CPU1 CPU2
---- ---- ----
vidi_connection_ioctl()
if (vidi->connection) // true
drm_edid = drm_edid_alloc(); // alloc drm_edid
...
ctx->raw_edid = drm_edid;
...
drm_mode_getconnector()
drm_helper_probe_single_connector_modes()
vidi_get_modes()
if (ctx->raw_edid) // true
drm_edid_dup(ctx->raw_edid);
if (!drm_edid) // false
...
vidi_connection_ioctl()
if (vidi->connection) // false
drm_edid_free(ctx->raw_edid); // free drm_edid
...
drm_edid_alloc(drm_edid->edid)
kmemdup(edid); // UAF!!
...
```
To prevent these vulns, at least in vidi_context, member variables related
to memory alloc/free should be protected with ctx->lock.
Cc: <stable@vger.kernel.org>
Signed-off-by: Jeongjun Park <aha310510@gmail.com>
Signed-off-by: Inki Dae <inki.dae@samsung.com>
Diffstat (limited to 'tools/perf/lib/Documentation/tutorial/git@git.tavy.me:linux.git')
0 files changed, 0 insertions, 0 deletions