[PATCH] drm/vc4: Fix atomicity violation in vc4_crtc_send_vblank()

Qiu-ji Chen chenqiuji666 at gmail.com
Tue Sep 24 12:01:06 UTC 2024


Hi,

In the drm_device structure, it is mentioned: "@event_lock: Protects
@vblank_event_list and event delivery in general." I believe that the
validity check and the subsequent null assignment operation are part
of the event delivery process, and all of these should be protected by
the event_lock. If there is no lock protection before the validity
check, it is possible for a null crtc->state->event to be passed into
the drm_crtc_send_vblank_event() function, leading to a null pointer
dereference error.

We have observed its callers and found that they are from the
drm_crtc_helper_funcs driver interface. We believe that functions
within driver interfaces can be concurrent, potentially causing a data
race on crtc->state->event.

Qiu-ji Chen
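The check-then-act window described in this message, replayed as a single-threaded user-space model. This is an added example, not part of the original message and not the vc4 driver code; the structs, the function names and the fixed interleaving of two callers A and B are assumptions for illustration.

```c
#include <stdio.h>
/* User-space model only: all names below are hypothetical stand-ins. */
struct event { int id; };
struct crtc_state { struct event *event; };
static int null_sends, delivered; /* NULL events sent / events delivered */

/* Stands in for drm_crtc_send_vblank_event(), which would dereference e. */
static void send_event(struct event *e)
{
    if (!e) { null_sends++; return; }
    delivered++;
}

/* Racy pattern, split into two steps so an interleaving can be replayed. */
static int racy_check(struct crtc_state *s) { return s->event != NULL; } /* no lock */
static void racy_act(struct crtc_state *s)
{   /* event_lock would be held only from here on */
    send_event(s->event);
    s->event = NULL;
}

/* Hardened pattern: check, send and clear inside one event_lock section. */
static void locked_send(struct crtc_state *s)
{
    if (s->event) { send_event(s->event); s->event = NULL; }
}

/* Two callers A and B; returns how many NULL events reached send_event(). */
static int replay(int use_lock)
{
    struct event ev = { 1 };
    struct crtc_state st = { &ev };
    null_sends = delivered = 0;
    if (use_lock) {            /* each caller runs the whole section in turn */
        locked_send(&st);
        locked_send(&st);
    } else {                   /* both pass the check before either acts */
        int a = racy_check(&st), b = racy_check(&st);
        if (a) racy_act(&st);
        if (b) racy_act(&st);
    }
    return null_sends;
}

int main(void)
{
    printf("unlocked check: %d NULL event(s) sent\n", replay(0));
    printf("locked check:   %d NULL event(s) sent\n", replay(1));
    return 0;
}
```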

