In the Linux kernel, the following vulnerability has been resolved:
drm/mediatek: Fix a null pointer crash in mtk_drm_crtc_finish_page_flip
It's possible that mtk_crtc->event is NULL in mtk_drm_crtc_finish_page_flip().
pending_needs_vblank value is set by mtk_crtc->event, but in mtk_drm_crtc_atomic_flush(), it is not guarded by the same lock as in mtk_drm_finish_page_flip(), thus a race condition happens.
Consider the following case:

CPU1                                     CPU2
step 1:
mtk_drm_crtc_atomic_begin()
mtk_crtc->event is not null,
                                         step 1:
                                         mtk_drm_crtc_atomic_flush:
                                         mtk_drm_crtc_update_config(
                                             !!mtk_crtc->event)
step 2:
mtk_crtc_ddp_irq ->
mtk_drm_finish_page_flip:
lock
mtk_crtc->event set to null,
pending_needs_vblank set to false
unlock
                                         pending_needs_vblank set to true,

                                         step 2:
                                         mtk_crtc_ddp_irq ->
                                         mtk_drm_finish_page_flip called again,
                                         pending_needs_vblank is still true
                                         //null pointer
Instead of guarding the entire mtk_drm_crtc_atomic_flush(), it's more efficient to just check if mtk_crtc->event is null before use.
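The interleaving above, replayed deterministically in a small user-space model. This is an added example, not the kernel's code or the commit's patch: the struct carries only the two fields the message names (the real mtk_drm_crtc is larger), the lock is omitted because the replay serialises the steps by hand, and finish_page_flip_unfixed / finish_page_flip_fixed, replay_race, normal_flip and the FLIP_* results are hypothetical names chosen for the model. The fixed variant implements the check the message proposes (test event for NULL before using it); that it also consumes the stale pending_needs_vblank flag is a modelling assumption.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for the event object mtk_crtc->event points at. */
struct fake_event { int seq; };

/* Model of the two mtk_crtc fields the commit message talks about. */
struct model_crtc {
	struct fake_event *event;      /* models mtk_crtc->event */
	bool pending_needs_vblank;     /* models mtk_crtc->pending_needs_vblank */
};

enum flip_result {
	FLIP_NONE,        /* nothing to complete */
	FLIP_COMPLETED,   /* event delivered and cleared */
	FLIP_NULL_DEREF   /* the real driver would dereference NULL here */
};

typedef enum flip_result (*finish_fn)(struct model_crtc *);

/* Unfixed behaviour: once pending_needs_vblank is set, event is used unconditionally. */
static enum flip_result finish_page_flip_unfixed(struct model_crtc *c)
{
	if (!c->pending_needs_vblank)
		return FLIP_NONE;
	if (c->event == NULL)
		return FLIP_NULL_DEREF;   /* the crash the message describes */
	c->event = NULL;
	c->pending_needs_vblank = false;
	return FLIP_COMPLETED;
}

/* Fixed behaviour: check mtk_crtc->event for NULL before use. */
static enum flip_result finish_page_flip_fixed(struct model_crtc *c)
{
	if (!c->pending_needs_vblank)
		return FLIP_NONE;
	c->pending_needs_vblank = false;   /* modelling assumption: stale flag is consumed */
	if (c->event == NULL)
		return FLIP_NONE;              /* nothing to send, no dereference */
	c->event = NULL;
	return FLIP_COMPLETED;
}

/* Replays the CPU1/CPU2 interleaving from the message and returns what the
 * second finish_page_flip call on CPU2 does. */
static enum flip_result replay_race(finish_fn finish)
{
	struct fake_event ev = { .seq = 1 };
	struct model_crtc crtc = { .event = NULL, .pending_needs_vblank = false };

	/* CPU1 step 1: atomic_begin, event is not null. The flag is already set
	 * from the properly ordered earlier flush (modelling assumption). */
	crtc.event = &ev;
	crtc.pending_needs_vblank = true;

	/* CPU2 step 1: atomic_flush samples !!mtk_crtc->event (true) without the lock ... */
	bool sampled = (crtc.event != NULL);

	/* ... CPU1 step 2: irq runs finish_page_flip, event set to null, flag cleared. */
	if (finish(&crtc) != FLIP_COMPLETED)
		return FLIP_NONE;

	/* CPU2 stores its stale sample: pending_needs_vblank set to true. */
	crtc.pending_needs_vblank = sampled;

	/* CPU2 step 2: irq fires again, pending_needs_vblank is still true, event is NULL. */
	return finish(&crtc);
}

/* A flip with no racing flush, to show the fixed path still completes normally. */
static enum flip_result normal_flip(finish_fn finish)
{
	struct fake_event ev = { .seq = 2 };
	struct model_crtc crtc = { .event = &ev, .pending_needs_vblank = true };
	return finish(&crtc);
}

int main(void)
{
	printf("unfixed race: %d (2 = null deref)\n", replay_race(finish_page_flip_unfixed));
	printf("fixed race:   %d (0 = nothing to do)\n", replay_race(finish_page_flip_fixed));
	printf("fixed normal: %d (1 = completed)\n", normal_flip(finish_page_flip_fixed));
	return 0;
}
```

The replay hands control from one CPU to the other exactly where the diagram does, so the bug is reproduced every run rather than depending on timing; the unfixed variant reaches the NULL use on the second irq, the fixed variant returns without touching the pointer while still completing an ordinary flip.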