Description:

In the Linux kernel, the following vulnerability has been resolved:

drm: Don't unref the same fb many times by mistake due to deadlock handling

If we get a deadlock after the fb lookup in drm_mode_page_flip_ioctl() we proceed to unref the fb and then retry the whole thing from the top. But we forget to reset the fb pointer back to NULL, and so if we then get another error during the retry, before the fb lookup, we proceed to unref the same fb again without having gotten another reference. The end result is that the fb will (eventually) end up being freed while it's still in use. Reset fb to NULL once we've unreffed it to avoid doing it again until we've done another fb lookup.

This turned out to be pretty easy to hit on a DG2 when doing async flips (and CONFIG_DEBUG_WW_MUTEX_SLOWPATH=y). The first symptom I saw was that drm_closefb() simply got stuck in a busy loop while walking the framebuffer list. Fortunately I was able to convince it to oops instead, and from there it was easier to track down the culprit.
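The following is an added, self-contained model of the reference-counting mistake the commit describes; it is not the kernel's code, and `struct fb`, `fb_lookup`, `fb_put`, `page_flip` and the scripted `struct attempt` outcomes are constructed stand-ins for the real framebuffer object, lookup and locking paths. It runs the same lock/lookup/backoff loop twice, once without and once with the `fb = NULL` reset, and reports the owner's refcount afterwards: without the reset, a deadlock followed by a failure before the next lookup drops a reference the ioctl never took, which is the path to a framebuffer freed while still in use.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for a refcounted framebuffer object; not a kernel struct. */
struct fb {
    int refcount;   /* starts at 1: the reference held by the fb's owner */
};

/* Scripted outcome of one pass through the retry loop (constructed test input). */
struct attempt {
    bool lock_fails;  /* an error before the fb lookup (lock acquisition fails) */
    bool deadlocks;   /* -EDEADLK after the lookup: back off and retry from the top */
};

static struct fb *fb_lookup(struct fb *fb)
{
    fb->refcount++;   /* a successful lookup hands out a new reference */
    return fb;
}

static void fb_put(struct fb *fb)
{
    fb->refcount--;   /* drop one reference; 0 means the object would now be freed */
}

/*
 * Model of the ioctl's lock/lookup/backoff loop. `fixed` selects whether the
 * local fb pointer is reset to NULL once its reference has been dropped.
 */
static int page_flip(struct fb *target, const struct attempt *script, size_t n, bool fixed)
{
    struct fb *fb = NULL;
    size_t i = 0;
    int ret;

retry:
    /* Work done before the lookup can fail (an exhausted script counts as failure). */
    if (i >= n || script[i].lock_fails) {
        ret = -EINVAL;
        goto out;
    }

    /* The lookup takes a reference that must be dropped exactly once per lookup. */
    fb = fb_lookup(target);

    /* Later locking may report a deadlock, which forces a backoff and a retry. */
    if (script[i].deadlocks) {
        ret = -EDEADLK;
        goto out;
    }
    ret = 0;

out:
    if (fb) {
        fb_put(fb);
        if (fixed)
            fb = NULL;   /* the fix: this reference is gone, never drop it again */
    }
    if (ret == -EDEADLK) {
        i++;
        goto retry;      /* retry the whole thing from the top */
    }
    return ret;
}

/* Deadlock on the first pass, then an error before the lookup on the retry. */
int refcount_after_deadlock_then_early_error(bool fixed)
{
    struct fb target = { .refcount = 1 };
    const struct attempt script[] = {
        { .lock_fails = false, .deadlocks = true  },
        { .lock_fails = true,  .deadlocks = false },
    };
    page_flip(&target, script, 2, fixed);
    return target.refcount;   /* 1 is correct; 0 means the owner's reference was stolen */
}

/* A flip that succeeds on the first pass: both variants behave identically. */
int refcount_after_clean_flip(bool fixed)
{
    struct fb target = { .refcount = 1 };
    const struct attempt script[] = { { .lock_fails = false, .deadlocks = false } };
    page_flip(&target, script, 1, fixed);
    return target.refcount;
}

int main(void)
{
    printf("buggy: owner refcount after deadlock + retry error = %d\n",
           refcount_after_deadlock_then_early_error(false));
    printf("fixed: owner refcount after deadlock + retry error = %d\n",
           refcount_after_deadlock_then_early_error(true));
    return 0;
}
```

The general lesson the model makes visible: any pointer that a shared cleanup label (`out:`) may unref must be cleared at the point the reference is released, or every `goto out` reached before the next acquisition will release it again.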