mirror of
https://github.com/openwrt/openwrt.git
synced 2025-01-18 18:56:37 +00:00
45 lines
1.9 KiB
Diff
45 lines
1.9 KiB
Diff
|
From c417eda92ac1a1a89c160826eb2068fbdf1895ab Mon Sep 17 00:00:00 2001
|
||
|
From: Maxime Ripard <maxime@cerno.tech>
|
||
|
Date: Fri, 4 Dec 2020 16:11:33 +0100
|
||
|
Subject: [PATCH] drm: Document use-after-free gotcha with private
|
||
|
objects
|
||
|
|
||
|
The private objects have a gotcha that could result in a use-after-free,
|
||
|
make sure it's properly documented.
|
||
|
|
||
|
Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
|
||
|
Signed-off-by: Maxime Ripard <maxime@cerno.tech>
|
||
|
---
|
||
|
include/drm/drm_atomic.h | 20 ++++++++++++++++++++
|
||
|
1 file changed, 20 insertions(+)
|
||
|
|
||
|
--- a/include/drm/drm_atomic.h
|
||
|
+++ b/include/drm/drm_atomic.h
|
||
|
@@ -248,6 +248,26 @@ struct drm_private_state_funcs {
|
||
|
* drm_dev_register()
|
||
|
* 2/ all calls to drm_atomic_private_obj_fini() must be done after calling
|
||
|
* drm_dev_unregister()
|
||
|
+ *
|
||
|
+ * If that private object is used to store a state shared by multiple
|
||
|
+ * CRTCs, proper care must be taken to ensure that non-blocking commits are
|
||
|
+ * properly ordered to avoid a use-after-free issue.
|
||
|
+ *
|
||
|
+ * Indeed, assuming a sequence of two non-blocking &drm_atomic_commit on two
|
||
|
+ * different &drm_crtc using different &drm_plane and &drm_connector, so with no
|
||
|
+ * resources shared, there's no guarantee on which commit is going to happen
|
||
|
+ * first. However, the second &drm_atomic_commit will consider the first
|
||
|
+ * &drm_private_obj its old state, and will be in charge of freeing it whenever
|
||
|
+ * the second &drm_atomic_commit is done.
|
||
|
+ *
|
||
|
+ * If the first &drm_atomic_commit happens after it, it will consider its
|
||
|
+ * &drm_private_obj the new state and will be likely to access it, resulting in
|
||
|
+ * an access to a freed memory region. Drivers should store (and get a reference
|
||
|
+ * to) the &drm_crtc_commit structure in our private state in
|
||
|
+ * &drm_mode_config_helper_funcs.atomic_commit_setup, and then wait for that
|
||
|
+ * commit to complete as the first step of
|
||
|
+ * &drm_mode_config_helper_funcs.atomic_commit_tail, similar to
|
||
|
+ * drm_atomic_helper_wait_for_dependencies().
|
||
|
*/
|
||
|
struct drm_private_obj {
|
||
|
/**
|