From 8299d1f057439f94c6a4412e2e5c5082b82a30c9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=81lvaro=20Fern=C3=A1ndez=20Rojas?= Date: Sat, 21 Aug 2021 10:54:34 +0200 Subject: bcm27xx: add kernel 5.10 support MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Rebased RPi foundation patches on linux 5.10.59, removed applied and reverted patches, wireless patches and defconfig patches. bcm2708: boot tested on RPi B+ v1.2 bcm2709: boot tested on RPi 4B v1.1 4G bcm2711: boot tested on RPi 4B v1.1 4G Signed-off-by: Álvaro Fernández Rojas --- ...t-use-after-free-gotcha-with-private-obje.patch | 44 ++++++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100644 target/linux/bcm27xx/patches-5.10/950-0682-drm-Document-use-after-free-gotcha-with-private-obje.patch (limited to 'target/linux/bcm27xx/patches-5.10/950-0682-drm-Document-use-after-free-gotcha-with-private-obje.patch') diff --git a/target/linux/bcm27xx/patches-5.10/950-0682-drm-Document-use-after-free-gotcha-with-private-obje.patch b/target/linux/bcm27xx/patches-5.10/950-0682-drm-Document-use-after-free-gotcha-with-private-obje.patch new file mode 100644 index 0000000000..da5fa9c64b --- /dev/null +++ b/target/linux/bcm27xx/patches-5.10/950-0682-drm-Document-use-after-free-gotcha-with-private-obje.patch 
@@ -0,0 +1,44 @@ +From c417eda92ac1a1a89c160826eb2068fbdf1895ab Mon Sep 17 00:00:00 2001 +From: Maxime Ripard +Date: Fri, 4 Dec 2020 16:11:33 +0100 +Subject: [PATCH] drm: Document use-after-free gotcha with private + objects + +The private objects have a gotcha that could result in a use-after-free, +make sure it's properly documented. + +Reviewed-by: Daniel Vetter +Signed-off-by: Maxime Ripard +--- + include/drm/drm_atomic.h | 20 ++++++++++++++++++++ + 1 file changed, 20 insertions(+) + +--- a/include/drm/drm_atomic.h ++++ b/include/drm/drm_atomic.h +@@ -248,6 +248,26 @@ struct drm_private_state_funcs { + * drm_dev_register() + * 2/ all calls to drm_atomic_private_obj_fini() must be done after calling + * drm_dev_unregister() ++ * ++ * If that private object is used to store a state shared by multiple ++ * CRTCs, proper care must be taken to ensure that non-blocking commits are ++ * properly ordered to avoid a use-after-free issue. ++ * ++ * Indeed, assuming a sequence of two non-blocking &drm_atomic_commit on two ++ * different &drm_crtc using different &drm_plane and &drm_connector, so with no ++ * resources shared, there's no guarantee on which commit is going to happen ++ * first. However, the second &drm_atomic_commit will consider the first ++ * &drm_private_obj its old state, and will be in charge of freeing it whenever ++ * the second &drm_atomic_commit is done. ++ * ++ * If the first &drm_atomic_commit happens after it, it will consider its ++ * &drm_private_obj the new state and will be likely to access it, resulting in ++ * an access to a freed memory region. Drivers should store (and get a reference ++ * to) the &drm_crtc_commit structure in our private state in ++ * &drm_mode_config_helper_funcs.atomic_commit_setup, and then wait for that ++ * commit to complete as the first step of ++ * &drm_mode_config_helper_funcs.atomic_commit_tail, similar to ++ * drm_atomic_helper_wait_for_dependencies(). + */ + struct drm_private_obj { + /** -- cgit v1.2.3
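Review bot: In the comment block added to include/drm/drm_atomic.h, the two paragraphs describing the race say &drm_private_obj where they mean the state attached to that object ("will consider the first &drm_private_obj its old state", "will consider its &drm_private_obj the new state"). What gets freed is the state, not the object, so this wording blurs the lifetime the text is warning about. Suggest phrasing both sentences in terms of the private object's state. The closing advice to "store (and get a reference to) the &drm_crtc_commit structure in our private state" does not say when that reference is dropped. A driver following it literally could hold the commit forever, so the text should state that the reference must be released when the private state is destroyed. In the same sentence, "our private state" reads as driver-specific wording left in generic documentation, and "the driver's private state" would be clearer. Finally, "If the first &drm_atomic_commit happens after it" leaves "it" without a clear antecedent. Spelling out "after the second commit has completed and freed its old state" would make the ordering that triggers the use-after-free explicit.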