* [PATCH] drm/stm: Avoid use-after-free issues with crtc and plane
@ 2023-10-20 10:29 ` Katya Orlova
0 siblings, 0 replies; 19+ messages in thread
From: Katya Orlova @ 2023-10-20 10:29 UTC (permalink / raw)
To: Yannick Fertre
Cc: Katya Orlova, Raphael Gallais-Pou, Philippe Cornu, David Airlie,
Daniel Vetter, Maxime Coquelin, Alexandre Torgue, Philipp Zabel,
dri-devel, linux-stm32, linux-arm-kernel, linux-kernel,
lvc-project
ltdc_load() calls functions drm_crtc_init_with_planes() and
drm_universal_plane_init(). These functions should not be called with
parameters allocated with devm_kzalloc() to avoid use-after-free issues [1].
The patch replaces managed resource allocations with regular ones.
Found by Linux Verification Center (linuxtesting.org).
[1]
https://lore.kernel.org/lkml/u366i76e3qhh3ra5oxrtngjtm2u5lterkekcz6y2jkndhuxzli@diujon4h7qwb/
Signed-off-by: Katya Orlova <e.orlova@ispras.ru>
---
drivers/gpu/drm/stm/drv.c | 11 ++++--
drivers/gpu/drm/stm/ltdc.c | 72 ++++++++++++++++++++++++++------------
2 files changed, 58 insertions(+), 25 deletions(-)
diff --git a/drivers/gpu/drm/stm/drv.c b/drivers/gpu/drm/stm/drv.c
index cb4404b3ce62..409f26d3e400 100644
--- a/drivers/gpu/drm/stm/drv.c
+++ b/drivers/gpu/drm/stm/drv.c
@@ -74,7 +74,7 @@ static int drv_load(struct drm_device *ddev)
DRM_DEBUG("%s\n", __func__);
- ldev = devm_kzalloc(ddev->dev, sizeof(*ldev), GFP_KERNEL);
+ ldev = kzalloc(sizeof(*ldev), GFP_KERNEL);
if (!ldev)
return -ENOMEM;
@@ -82,7 +82,7 @@ static int drv_load(struct drm_device *ddev)
ret = drmm_mode_config_init(ddev);
if (ret)
- return ret;
+ goto err;
/*
* set max width and height as default value.
@@ -98,7 +98,7 @@ static int drv_load(struct drm_device *ddev)
ret = ltdc_load(ddev);
if (ret)
- return ret;
+ goto err;
drm_mode_config_reset(ddev);
drm_kms_helper_poll_init(ddev);
@@ -106,6 +106,9 @@ static int drv_load(struct drm_device *ddev)
platform_set_drvdata(pdev, ddev);
return 0;
+err:
+ kfree(ldev);
+ return ret;
}
static void drv_unload(struct drm_device *ddev)
@@ -114,6 +117,8 @@ static void drv_unload(struct drm_device *ddev)
drm_kms_helper_poll_fini(ddev);
ltdc_unload(ddev);
+ kfree(ddev->dev_private);
+ ddev->dev_private = NULL;
}
static __maybe_unused int drv_suspend(struct device *dev)
diff --git a/drivers/gpu/drm/stm/ltdc.c b/drivers/gpu/drm/stm/ltdc.c
index b8be4c1db423..ec3bc3637a63 100644
--- a/drivers/gpu/drm/stm/ltdc.c
+++ b/drivers/gpu/drm/stm/ltdc.c
@@ -1120,6 +1120,12 @@ static const struct drm_crtc_helper_funcs ltdc_crtc_helper_funcs = {
.get_scanout_position = ltdc_crtc_get_scanout_position,
};
+static void ltdc_crtc_destroy(struct drm_crtc *crtc)
+{
+ drm_crtc_cleanup(crtc);
+ kfree(crtc);
+}
+
static int ltdc_crtc_enable_vblank(struct drm_crtc *crtc)
{
struct ltdc_device *ldev = crtc_to_ltdc(crtc);
@@ -1200,7 +1206,7 @@ static void ltdc_crtc_atomic_print_state(struct drm_printer *p,
}
static const struct drm_crtc_funcs ltdc_crtc_funcs = {
- .destroy = drm_crtc_cleanup,
+ .destroy = ltdc_crtc_destroy,
.set_config = drm_atomic_helper_set_config,
.page_flip = drm_atomic_helper_page_flip,
.reset = drm_atomic_helper_crtc_reset,
@@ -1213,7 +1219,7 @@ static const struct drm_crtc_funcs ltdc_crtc_funcs = {
};
static const struct drm_crtc_funcs ltdc_crtc_with_crc_support_funcs = {
- .destroy = drm_crtc_cleanup,
+ .destroy = ltdc_crtc_destroy,
.set_config = drm_atomic_helper_set_config,
.page_flip = drm_atomic_helper_page_flip,
.reset = drm_atomic_helper_crtc_reset,
@@ -1543,10 +1549,16 @@ static void ltdc_plane_atomic_print_state(struct drm_printer *p,
fpsi->counter = 0;
}
+static void ltdc_plane_destroy(struct drm_plane *plane)
+{
+ drm_plane_cleanup(plane);
+ kfree(plane);
+}
+
static const struct drm_plane_funcs ltdc_plane_funcs = {
.update_plane = drm_atomic_helper_update_plane,
.disable_plane = drm_atomic_helper_disable_plane,
- .destroy = drm_plane_cleanup,
+ .destroy = ltdc_plane_destroy,
.reset = drm_atomic_helper_plane_reset,
.atomic_duplicate_state = drm_atomic_helper_plane_duplicate_state,
.atomic_destroy_state = drm_atomic_helper_plane_destroy_state,
@@ -1565,7 +1577,6 @@ static struct drm_plane *ltdc_plane_create(struct drm_device *ddev,
{
unsigned long possible_crtcs = CRTC_MASK;
struct ltdc_device *ldev = ddev->dev_private;
- struct device *dev = ddev->dev;
struct drm_plane *plane;
unsigned int i, nb_fmt = 0;
u32 *formats;
@@ -1576,7 +1587,7 @@ static struct drm_plane *ltdc_plane_create(struct drm_device *ddev,
int ret;
/* Allocate the biggest size according to supported color formats */
- formats = devm_kzalloc(dev, (ldev->caps.pix_fmt_nb +
+ formats = kzalloc((ldev->caps.pix_fmt_nb +
ARRAY_SIZE(ltdc_drm_fmt_ycbcr_cp) +
ARRAY_SIZE(ltdc_drm_fmt_ycbcr_sp) +
ARRAY_SIZE(ltdc_drm_fmt_ycbcr_fp)) *
@@ -1614,15 +1625,20 @@ static struct drm_plane *ltdc_plane_create(struct drm_device *ddev,
}
}
- plane = devm_kzalloc(dev, sizeof(*plane), GFP_KERNEL);
- if (!plane)
+ plane = kzalloc(sizeof(*plane), GFP_KERNEL);
+ if (!plane) {
+ kfree(formats);
return NULL;
+ }
ret = drm_universal_plane_init(ddev, plane, possible_crtcs,
<dc_plane_funcs, formats, nb_fmt,
modifiers, type, NULL);
- if (ret < 0)
+ kfree(formats);
+ if (ret < 0) {
+ kfree(plane);
return NULL;
+ }
if (ldev->caps.ycbcr_input) {
if (val & (LXCR_C1R_YIA | LXCR_C1R_YSPA | LXCR_C1R_YFPA))
@@ -1650,7 +1666,7 @@ static void ltdc_plane_destroy_all(struct drm_device *ddev)
list_for_each_entry_safe(plane, plane_temp,
&ddev->mode_config.plane_list, head)
- drm_plane_cleanup(plane);
+ ltdc_plane_destroy(plane);
}
static int ltdc_crtc_init(struct drm_device *ddev, struct drm_crtc *crtc)
@@ -1936,7 +1952,7 @@ int ltdc_load(struct drm_device *ddev)
if (!nb_endpoints)
return -ENODEV;
- ldev->pixel_clk = devm_clk_get(dev, "lcd");
+ ldev->pixel_clk = clk_get(dev, "lcd");
if (IS_ERR(ldev->pixel_clk)) {
if (PTR_ERR(ldev->pixel_clk) != -EPROBE_DEFER)
DRM_ERROR("Unable to get lcd clock\n");
@@ -1982,7 +1998,7 @@ int ltdc_load(struct drm_device *ddev)
}
}
- rstc = devm_reset_control_get_exclusive(dev, NULL);
+ rstc = reset_control_get_exclusive(dev, NULL);
mutex_init(&ldev->err_lock);
@@ -1993,25 +2009,25 @@ int ltdc_load(struct drm_device *ddev)
}
res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
- ldev->regs = devm_ioremap_resource(dev, res);
+ ldev->regs = ioremap(res->start, resource_size(res));
if (IS_ERR(ldev->regs)) {
DRM_ERROR("Unable to get ltdc registers\n");
ret = PTR_ERR(ldev->regs);
goto err;
}
- ldev->regmap = devm_regmap_init_mmio(&pdev->dev, ldev->regs, &stm32_ltdc_regmap_cfg);
+ ldev->regmap = regmap_init_mmio(&pdev->dev, ldev->regs, &stm32_ltdc_regmap_cfg);
if (IS_ERR(ldev->regmap)) {
DRM_ERROR("Unable to regmap ltdc registers\n");
ret = PTR_ERR(ldev->regmap);
- goto err;
+ goto err_iounmap;
}
ret = ltdc_get_caps(ddev);
if (ret) {
DRM_ERROR("hardware identifier (0x%08x) not supported!\n",
ldev->caps.hw_version);
- goto err;
+ goto err_regmap_exit;
}
/* Disable interrupts */
@@ -2034,49 +2050,57 @@ int ltdc_load(struct drm_device *ddev)
irq = platform_get_irq(pdev, i);
if (irq < 0) {
ret = irq;
- goto err;
+ goto err_regmap_exit;
}
- ret = devm_request_threaded_irq(dev, irq, ltdc_irq,
+ ret = request_threaded_irq(irq, ltdc_irq,
ltdc_irq_thread, IRQF_ONESHOT,
dev_name(dev), ddev);
if (ret) {
DRM_ERROR("Failed to register LTDC interrupt\n");
- goto err;
+ goto err_regmap_exit;
}
}
- crtc = devm_kzalloc(dev, sizeof(*crtc), GFP_KERNEL);
+ crtc = kzalloc(sizeof(*crtc), GFP_KERNEL);
if (!crtc) {
DRM_ERROR("Failed to allocate crtc\n");
ret = -ENOMEM;
- goto err;
+ goto err_regmap_exit;
}
ret = ltdc_crtc_init(ddev, crtc);
if (ret) {
DRM_ERROR("Failed to init crtc\n");
- goto err;
+ goto free_crtc;
}
ret = drm_vblank_init(ddev, NB_CRTC);
if (ret) {
DRM_ERROR("Failed calling drm_vblank_init()\n");
- goto err;
+ goto free_crtc;
}
clk_disable_unprepare(ldev->pixel_clk);
+ clk_put(ldev->pixel_clk);
pinctrl_pm_select_sleep_state(ddev->dev);
pm_runtime_enable(ddev->dev);
return 0;
+free_crtc:
+ kfree(crtc);
+err_regmap_exit:
+ regmap_exit(ldev->regmap);
+err_iounmap:
+ iounmap(ldev->regs);
err:
for (i = 0; i < nb_endpoints; i++)
drm_of_panel_bridge_remove(ddev->dev->of_node, 0, i);
clk_disable_unprepare(ldev->pixel_clk);
+ clk_put(ldev->pixel_clk);
return ret;
}
@@ -2084,6 +2108,7 @@ int ltdc_load(struct drm_device *ddev)
void ltdc_unload(struct drm_device *ddev)
{
struct device *dev = ddev->dev;
+ struct ltdc_device *ldev = ddev->dev_private;
int nb_endpoints, i;
DRM_DEBUG_DRIVER("\n");
@@ -2094,6 +2119,9 @@ void ltdc_unload(struct drm_device *ddev)
drm_of_panel_bridge_remove(ddev->dev->of_node, 0, i);
pm_runtime_disable(ddev->dev);
+
+ regmap_exit(ldev->regmap);
+ iounmap(ldev->regs);
}
MODULE_AUTHOR("Philippe Cornu <philippe.cornu@st.com>");
--
2.30.2
^ permalink raw reply related [flat|nested] 19+ messages in thread
* [PATCH] drm/stm: Avoid use-after-free issues with crtc and plane
@ 2023-10-20 10:29 ` Katya Orlova
0 siblings, 0 replies; 19+ messages in thread
From: Katya Orlova @ 2023-10-20 10:29 UTC (permalink / raw)
To: Yannick Fertre
Cc: Katya Orlova, Raphael Gallais-Pou, Philippe Cornu, David Airlie,
Daniel Vetter, Maxime Coquelin, Alexandre Torgue, Philipp Zabel,
dri-devel, linux-stm32, linux-arm-kernel, linux-kernel,
lvc-project
ltdc_load() calls functions drm_crtc_init_with_planes() and
drm_universal_plane_init(). These functions should not be called with
parameters allocated with devm_kzalloc() to avoid use-after-free issues [1].
The patch replaces managed resource allocations with regular ones.
Found by Linux Verification Center (linuxtesting.org).
[1]
https://lore.kernel.org/lkml/u366i76e3qhh3ra5oxrtngjtm2u5lterkekcz6y2jkndhuxzli@diujon4h7qwb/
Signed-off-by: Katya Orlova <e.orlova@ispras.ru>
---
drivers/gpu/drm/stm/drv.c | 11 ++++--
drivers/gpu/drm/stm/ltdc.c | 72 ++++++++++++++++++++++++++------------
2 files changed, 58 insertions(+), 25 deletions(-)
diff --git a/drivers/gpu/drm/stm/drv.c b/drivers/gpu/drm/stm/drv.c
index cb4404b3ce62..409f26d3e400 100644
--- a/drivers/gpu/drm/stm/drv.c
+++ b/drivers/gpu/drm/stm/drv.c
@@ -74,7 +74,7 @@ static int drv_load(struct drm_device *ddev)
DRM_DEBUG("%s\n", __func__);
- ldev = devm_kzalloc(ddev->dev, sizeof(*ldev), GFP_KERNEL);
+ ldev = kzalloc(sizeof(*ldev), GFP_KERNEL);
if (!ldev)
return -ENOMEM;
@@ -82,7 +82,7 @@ static int drv_load(struct drm_device *ddev)
ret = drmm_mode_config_init(ddev);
if (ret)
- return ret;
+ goto err;
/*
* set max width and height as default value.
@@ -98,7 +98,7 @@ static int drv_load(struct drm_device *ddev)
ret = ltdc_load(ddev);
if (ret)
- return ret;
+ goto err;
drm_mode_config_reset(ddev);
drm_kms_helper_poll_init(ddev);
@@ -106,6 +106,9 @@ static int drv_load(struct drm_device *ddev)
platform_set_drvdata(pdev, ddev);
return 0;
+err:
+ kfree(ldev);
+ return ret;
}
static void drv_unload(struct drm_device *ddev)
@@ -114,6 +117,8 @@ static void drv_unload(struct drm_device *ddev)
drm_kms_helper_poll_fini(ddev);
ltdc_unload(ddev);
+ kfree(ddev->dev_private);
+ ddev->dev_private = NULL;
}
static __maybe_unused int drv_suspend(struct device *dev)
diff --git a/drivers/gpu/drm/stm/ltdc.c b/drivers/gpu/drm/stm/ltdc.c
index b8be4c1db423..ec3bc3637a63 100644
--- a/drivers/gpu/drm/stm/ltdc.c
+++ b/drivers/gpu/drm/stm/ltdc.c
@@ -1120,6 +1120,12 @@ static const struct drm_crtc_helper_funcs ltdc_crtc_helper_funcs = {
.get_scanout_position = ltdc_crtc_get_scanout_position,
};
+static void ltdc_crtc_destroy(struct drm_crtc *crtc)
+{
+ drm_crtc_cleanup(crtc);
+ kfree(crtc);
+}
+
static int ltdc_crtc_enable_vblank(struct drm_crtc *crtc)
{
struct ltdc_device *ldev = crtc_to_ltdc(crtc);
@@ -1200,7 +1206,7 @@ static void ltdc_crtc_atomic_print_state(struct drm_printer *p,
}
static const struct drm_crtc_funcs ltdc_crtc_funcs = {
- .destroy = drm_crtc_cleanup,
+ .destroy = ltdc_crtc_destroy,
.set_config = drm_atomic_helper_set_config,
.page_flip = drm_atomic_helper_page_flip,
.reset = drm_atomic_helper_crtc_reset,
@@ -1213,7 +1219,7 @@ static const struct drm_crtc_funcs ltdc_crtc_funcs = {
};
static const struct drm_crtc_funcs ltdc_crtc_with_crc_support_funcs = {
- .destroy = drm_crtc_cleanup,
+ .destroy = ltdc_crtc_destroy,
.set_config = drm_atomic_helper_set_config,
.page_flip = drm_atomic_helper_page_flip,
.reset = drm_atomic_helper_crtc_reset,
@@ -1543,10 +1549,16 @@ static void ltdc_plane_atomic_print_state(struct drm_printer *p,
fpsi->counter = 0;
}
+static void ltdc_plane_destroy(struct drm_plane *plane)
+{
+ drm_plane_cleanup(plane);
+ kfree(plane);
+}
+
static const struct drm_plane_funcs ltdc_plane_funcs = {
.update_plane = drm_atomic_helper_update_plane,
.disable_plane = drm_atomic_helper_disable_plane,
- .destroy = drm_plane_cleanup,
+ .destroy = ltdc_plane_destroy,
.reset = drm_atomic_helper_plane_reset,
.atomic_duplicate_state = drm_atomic_helper_plane_duplicate_state,
.atomic_destroy_state = drm_atomic_helper_plane_destroy_state,
@@ -1565,7 +1577,6 @@ static struct drm_plane *ltdc_plane_create(struct drm_device *ddev,
{
unsigned long possible_crtcs = CRTC_MASK;
struct ltdc_device *ldev = ddev->dev_private;
- struct device *dev = ddev->dev;
struct drm_plane *plane;
unsigned int i, nb_fmt = 0;
u32 *formats;
@@ -1576,7 +1587,7 @@ static struct drm_plane *ltdc_plane_create(struct drm_device *ddev,
int ret;
/* Allocate the biggest size according to supported color formats */
- formats = devm_kzalloc(dev, (ldev->caps.pix_fmt_nb +
+ formats = kzalloc((ldev->caps.pix_fmt_nb +
ARRAY_SIZE(ltdc_drm_fmt_ycbcr_cp) +
ARRAY_SIZE(ltdc_drm_fmt_ycbcr_sp) +
ARRAY_SIZE(ltdc_drm_fmt_ycbcr_fp)) *
@@ -1614,15 +1625,20 @@ static struct drm_plane *ltdc_plane_create(struct drm_device *ddev,
}
}
- plane = devm_kzalloc(dev, sizeof(*plane), GFP_KERNEL);
- if (!plane)
+ plane = kzalloc(sizeof(*plane), GFP_KERNEL);
+ if (!plane) {
+ kfree(formats);
return NULL;
+ }
ret = drm_universal_plane_init(ddev, plane, possible_crtcs,
<dc_plane_funcs, formats, nb_fmt,
modifiers, type, NULL);
- if (ret < 0)
+ kfree(formats);
+ if (ret < 0) {
+ kfree(plane);
return NULL;
+ }
if (ldev->caps.ycbcr_input) {
if (val & (LXCR_C1R_YIA | LXCR_C1R_YSPA | LXCR_C1R_YFPA))
@@ -1650,7 +1666,7 @@ static void ltdc_plane_destroy_all(struct drm_device *ddev)
list_for_each_entry_safe(plane, plane_temp,
&ddev->mode_config.plane_list, head)
- drm_plane_cleanup(plane);
+ ltdc_plane_destroy(plane);
}
static int ltdc_crtc_init(struct drm_device *ddev, struct drm_crtc *crtc)
@@ -1936,7 +1952,7 @@ int ltdc_load(struct drm_device *ddev)
if (!nb_endpoints)
return -ENODEV;
- ldev->pixel_clk = devm_clk_get(dev, "lcd");
+ ldev->pixel_clk = clk_get(dev, "lcd");
if (IS_ERR(ldev->pixel_clk)) {
if (PTR_ERR(ldev->pixel_clk) != -EPROBE_DEFER)
DRM_ERROR("Unable to get lcd clock\n");
@@ -1982,7 +1998,7 @@ int ltdc_load(struct drm_device *ddev)
}
}
- rstc = devm_reset_control_get_exclusive(dev, NULL);
+ rstc = reset_control_get_exclusive(dev, NULL);
mutex_init(&ldev->err_lock);
@@ -1993,25 +2009,25 @@ int ltdc_load(struct drm_device *ddev)
}
res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
- ldev->regs = devm_ioremap_resource(dev, res);
+ ldev->regs = ioremap(res->start, resource_size(res));
if (IS_ERR(ldev->regs)) {
DRM_ERROR("Unable to get ltdc registers\n");
ret = PTR_ERR(ldev->regs);
goto err;
}
- ldev->regmap = devm_regmap_init_mmio(&pdev->dev, ldev->regs, &stm32_ltdc_regmap_cfg);
+ ldev->regmap = regmap_init_mmio(&pdev->dev, ldev->regs, &stm32_ltdc_regmap_cfg);
if (IS_ERR(ldev->regmap)) {
DRM_ERROR("Unable to regmap ltdc registers\n");
ret = PTR_ERR(ldev->regmap);
- goto err;
+ goto err_iounmap;
}
ret = ltdc_get_caps(ddev);
if (ret) {
DRM_ERROR("hardware identifier (0x%08x) not supported!\n",
ldev->caps.hw_version);
- goto err;
+ goto err_regmap_exit;
}
/* Disable interrupts */
@@ -2034,49 +2050,57 @@ int ltdc_load(struct drm_device *ddev)
irq = platform_get_irq(pdev, i);
if (irq < 0) {
ret = irq;
- goto err;
+ goto err_regmap_exit;
}
- ret = devm_request_threaded_irq(dev, irq, ltdc_irq,
+ ret = request_threaded_irq(irq, ltdc_irq,
ltdc_irq_thread, IRQF_ONESHOT,
dev_name(dev), ddev);
if (ret) {
DRM_ERROR("Failed to register LTDC interrupt\n");
- goto err;
+ goto err_regmap_exit;
}
}
- crtc = devm_kzalloc(dev, sizeof(*crtc), GFP_KERNEL);
+ crtc = kzalloc(sizeof(*crtc), GFP_KERNEL);
if (!crtc) {
DRM_ERROR("Failed to allocate crtc\n");
ret = -ENOMEM;
- goto err;
+ goto err_regmap_exit;
}
ret = ltdc_crtc_init(ddev, crtc);
if (ret) {
DRM_ERROR("Failed to init crtc\n");
- goto err;
+ goto free_crtc;
}
ret = drm_vblank_init(ddev, NB_CRTC);
if (ret) {
DRM_ERROR("Failed calling drm_vblank_init()\n");
- goto err;
+ goto free_crtc;
}
clk_disable_unprepare(ldev->pixel_clk);
+ clk_put(ldev->pixel_clk);
pinctrl_pm_select_sleep_state(ddev->dev);
pm_runtime_enable(ddev->dev);
return 0;
+free_crtc:
+ kfree(crtc);
+err_regmap_exit:
+ regmap_exit(ldev->regmap);
+err_iounmap:
+ iounmap(ldev->regs);
err:
for (i = 0; i < nb_endpoints; i++)
drm_of_panel_bridge_remove(ddev->dev->of_node, 0, i);
clk_disable_unprepare(ldev->pixel_clk);
+ clk_put(ldev->pixel_clk);
return ret;
}
@@ -2084,6 +2108,7 @@ int ltdc_load(struct drm_device *ddev)
void ltdc_unload(struct drm_device *ddev)
{
struct device *dev = ddev->dev;
+ struct ltdc_device *ldev = ddev->dev_private;
int nb_endpoints, i;
DRM_DEBUG_DRIVER("\n");
@@ -2094,6 +2119,9 @@ void ltdc_unload(struct drm_device *ddev)
drm_of_panel_bridge_remove(ddev->dev->of_node, 0, i);
pm_runtime_disable(ddev->dev);
+
+ regmap_exit(ldev->regmap);
+ iounmap(ldev->regs);
}
MODULE_AUTHOR("Philippe Cornu <philippe.cornu@st.com>");
--
2.30.2
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
^ permalink raw reply related [flat|nested] 19+ messages in thread
* [PATCH] drm/stm: Avoid use-after-free issues with crtc and plane
@ 2023-10-20 10:29 ` Katya Orlova
0 siblings, 0 replies; 19+ messages in thread
From: Katya Orlova @ 2023-10-20 10:29 UTC (permalink / raw)
To: Yannick Fertre
Cc: Raphael Gallais-Pou, Alexandre Torgue, dri-devel, linux-kernel,
Philippe Cornu, Maxime Coquelin, Katya Orlova, linux-stm32,
linux-arm-kernel, lvc-project
ltdc_load() calls functions drm_crtc_init_with_planes() and
drm_universal_plane_init(). These functions should not be called with
parameters allocated with devm_kzalloc() to avoid use-after-free issues [1].
The patch replaces managed resource allocations with regular ones.
Found by Linux Verification Center (linuxtesting.org).
[1]
https://lore.kernel.org/lkml/u366i76e3qhh3ra5oxrtngjtm2u5lterkekcz6y2jkndhuxzli@diujon4h7qwb/
Signed-off-by: Katya Orlova <e.orlova@ispras.ru>
---
drivers/gpu/drm/stm/drv.c | 11 ++++--
drivers/gpu/drm/stm/ltdc.c | 72 ++++++++++++++++++++++++++------------
2 files changed, 58 insertions(+), 25 deletions(-)
diff --git a/drivers/gpu/drm/stm/drv.c b/drivers/gpu/drm/stm/drv.c
index cb4404b3ce62..409f26d3e400 100644
--- a/drivers/gpu/drm/stm/drv.c
+++ b/drivers/gpu/drm/stm/drv.c
@@ -74,7 +74,7 @@ static int drv_load(struct drm_device *ddev)
DRM_DEBUG("%s\n", __func__);
- ldev = devm_kzalloc(ddev->dev, sizeof(*ldev), GFP_KERNEL);
+ ldev = kzalloc(sizeof(*ldev), GFP_KERNEL);
if (!ldev)
return -ENOMEM;
@@ -82,7 +82,7 @@ static int drv_load(struct drm_device *ddev)
ret = drmm_mode_config_init(ddev);
if (ret)
- return ret;
+ goto err;
/*
* set max width and height as default value.
@@ -98,7 +98,7 @@ static int drv_load(struct drm_device *ddev)
ret = ltdc_load(ddev);
if (ret)
- return ret;
+ goto err;
drm_mode_config_reset(ddev);
drm_kms_helper_poll_init(ddev);
@@ -106,6 +106,9 @@ static int drv_load(struct drm_device *ddev)
platform_set_drvdata(pdev, ddev);
return 0;
+err:
+ kfree(ldev);
+ return ret;
}
static void drv_unload(struct drm_device *ddev)
@@ -114,6 +117,8 @@ static void drv_unload(struct drm_device *ddev)
drm_kms_helper_poll_fini(ddev);
ltdc_unload(ddev);
+ kfree(ddev->dev_private);
+ ddev->dev_private = NULL;
}
static __maybe_unused int drv_suspend(struct device *dev)
diff --git a/drivers/gpu/drm/stm/ltdc.c b/drivers/gpu/drm/stm/ltdc.c
index b8be4c1db423..ec3bc3637a63 100644
--- a/drivers/gpu/drm/stm/ltdc.c
+++ b/drivers/gpu/drm/stm/ltdc.c
@@ -1120,6 +1120,12 @@ static const struct drm_crtc_helper_funcs ltdc_crtc_helper_funcs = {
.get_scanout_position = ltdc_crtc_get_scanout_position,
};
+static void ltdc_crtc_destroy(struct drm_crtc *crtc)
+{
+ drm_crtc_cleanup(crtc);
+ kfree(crtc);
+}
+
static int ltdc_crtc_enable_vblank(struct drm_crtc *crtc)
{
struct ltdc_device *ldev = crtc_to_ltdc(crtc);
@@ -1200,7 +1206,7 @@ static void ltdc_crtc_atomic_print_state(struct drm_printer *p,
}
static const struct drm_crtc_funcs ltdc_crtc_funcs = {
- .destroy = drm_crtc_cleanup,
+ .destroy = ltdc_crtc_destroy,
.set_config = drm_atomic_helper_set_config,
.page_flip = drm_atomic_helper_page_flip,
.reset = drm_atomic_helper_crtc_reset,
@@ -1213,7 +1219,7 @@ static const struct drm_crtc_funcs ltdc_crtc_funcs = {
};
static const struct drm_crtc_funcs ltdc_crtc_with_crc_support_funcs = {
- .destroy = drm_crtc_cleanup,
+ .destroy = ltdc_crtc_destroy,
.set_config = drm_atomic_helper_set_config,
.page_flip = drm_atomic_helper_page_flip,
.reset = drm_atomic_helper_crtc_reset,
@@ -1543,10 +1549,16 @@ static void ltdc_plane_atomic_print_state(struct drm_printer *p,
fpsi->counter = 0;
}
+static void ltdc_plane_destroy(struct drm_plane *plane)
+{
+ drm_plane_cleanup(plane);
+ kfree(plane);
+}
+
static const struct drm_plane_funcs ltdc_plane_funcs = {
.update_plane = drm_atomic_helper_update_plane,
.disable_plane = drm_atomic_helper_disable_plane,
- .destroy = drm_plane_cleanup,
+ .destroy = ltdc_plane_destroy,
.reset = drm_atomic_helper_plane_reset,
.atomic_duplicate_state = drm_atomic_helper_plane_duplicate_state,
.atomic_destroy_state = drm_atomic_helper_plane_destroy_state,
@@ -1565,7 +1577,6 @@ static struct drm_plane *ltdc_plane_create(struct drm_device *ddev,
{
unsigned long possible_crtcs = CRTC_MASK;
struct ltdc_device *ldev = ddev->dev_private;
- struct device *dev = ddev->dev;
struct drm_plane *plane;
unsigned int i, nb_fmt = 0;
u32 *formats;
@@ -1576,7 +1587,7 @@ static struct drm_plane *ltdc_plane_create(struct drm_device *ddev,
int ret;
/* Allocate the biggest size according to supported color formats */
- formats = devm_kzalloc(dev, (ldev->caps.pix_fmt_nb +
+ formats = kzalloc((ldev->caps.pix_fmt_nb +
ARRAY_SIZE(ltdc_drm_fmt_ycbcr_cp) +
ARRAY_SIZE(ltdc_drm_fmt_ycbcr_sp) +
ARRAY_SIZE(ltdc_drm_fmt_ycbcr_fp)) *
@@ -1614,15 +1625,20 @@ static struct drm_plane *ltdc_plane_create(struct drm_device *ddev,
}
}
- plane = devm_kzalloc(dev, sizeof(*plane), GFP_KERNEL);
- if (!plane)
+ plane = kzalloc(sizeof(*plane), GFP_KERNEL);
+ if (!plane) {
+ kfree(formats);
return NULL;
+ }
ret = drm_universal_plane_init(ddev, plane, possible_crtcs,
<dc_plane_funcs, formats, nb_fmt,
modifiers, type, NULL);
- if (ret < 0)
+ kfree(formats);
+ if (ret < 0) {
+ kfree(plane);
return NULL;
+ }
if (ldev->caps.ycbcr_input) {
if (val & (LXCR_C1R_YIA | LXCR_C1R_YSPA | LXCR_C1R_YFPA))
@@ -1650,7 +1666,7 @@ static void ltdc_plane_destroy_all(struct drm_device *ddev)
list_for_each_entry_safe(plane, plane_temp,
&ddev->mode_config.plane_list, head)
- drm_plane_cleanup(plane);
+ ltdc_plane_destroy(plane);
}
static int ltdc_crtc_init(struct drm_device *ddev, struct drm_crtc *crtc)
@@ -1936,7 +1952,7 @@ int ltdc_load(struct drm_device *ddev)
if (!nb_endpoints)
return -ENODEV;
- ldev->pixel_clk = devm_clk_get(dev, "lcd");
+ ldev->pixel_clk = clk_get(dev, "lcd");
if (IS_ERR(ldev->pixel_clk)) {
if (PTR_ERR(ldev->pixel_clk) != -EPROBE_DEFER)
DRM_ERROR("Unable to get lcd clock\n");
@@ -1982,7 +1998,7 @@ int ltdc_load(struct drm_device *ddev)
}
}
- rstc = devm_reset_control_get_exclusive(dev, NULL);
+ rstc = reset_control_get_exclusive(dev, NULL);
mutex_init(&ldev->err_lock);
@@ -1993,25 +2009,25 @@ int ltdc_load(struct drm_device *ddev)
}
res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
- ldev->regs = devm_ioremap_resource(dev, res);
+ ldev->regs = ioremap(res->start, resource_size(res));
if (IS_ERR(ldev->regs)) {
DRM_ERROR("Unable to get ltdc registers\n");
ret = PTR_ERR(ldev->regs);
goto err;
}
- ldev->regmap = devm_regmap_init_mmio(&pdev->dev, ldev->regs, &stm32_ltdc_regmap_cfg);
+ ldev->regmap = regmap_init_mmio(&pdev->dev, ldev->regs, &stm32_ltdc_regmap_cfg);
if (IS_ERR(ldev->regmap)) {
DRM_ERROR("Unable to regmap ltdc registers\n");
ret = PTR_ERR(ldev->regmap);
- goto err;
+ goto err_iounmap;
}
ret = ltdc_get_caps(ddev);
if (ret) {
DRM_ERROR("hardware identifier (0x%08x) not supported!\n",
ldev->caps.hw_version);
- goto err;
+ goto err_regmap_exit;
}
/* Disable interrupts */
@@ -2034,49 +2050,57 @@ int ltdc_load(struct drm_device *ddev)
irq = platform_get_irq(pdev, i);
if (irq < 0) {
ret = irq;
- goto err;
+ goto err_regmap_exit;
}
- ret = devm_request_threaded_irq(dev, irq, ltdc_irq,
+ ret = request_threaded_irq(irq, ltdc_irq,
ltdc_irq_thread, IRQF_ONESHOT,
dev_name(dev), ddev);
if (ret) {
DRM_ERROR("Failed to register LTDC interrupt\n");
- goto err;
+ goto err_regmap_exit;
}
}
- crtc = devm_kzalloc(dev, sizeof(*crtc), GFP_KERNEL);
+ crtc = kzalloc(sizeof(*crtc), GFP_KERNEL);
if (!crtc) {
DRM_ERROR("Failed to allocate crtc\n");
ret = -ENOMEM;
- goto err;
+ goto err_regmap_exit;
}
ret = ltdc_crtc_init(ddev, crtc);
if (ret) {
DRM_ERROR("Failed to init crtc\n");
- goto err;
+ goto free_crtc;
}
ret = drm_vblank_init(ddev, NB_CRTC);
if (ret) {
DRM_ERROR("Failed calling drm_vblank_init()\n");
- goto err;
+ goto free_crtc;
}
clk_disable_unprepare(ldev->pixel_clk);
+ clk_put(ldev->pixel_clk);
pinctrl_pm_select_sleep_state(ddev->dev);
pm_runtime_enable(ddev->dev);
return 0;
+free_crtc:
+ kfree(crtc);
+err_regmap_exit:
+ regmap_exit(ldev->regmap);
+err_iounmap:
+ iounmap(ldev->regs);
err:
for (i = 0; i < nb_endpoints; i++)
drm_of_panel_bridge_remove(ddev->dev->of_node, 0, i);
clk_disable_unprepare(ldev->pixel_clk);
+ clk_put(ldev->pixel_clk);
return ret;
}
@@ -2084,6 +2108,7 @@ int ltdc_load(struct drm_device *ddev)
void ltdc_unload(struct drm_device *ddev)
{
struct device *dev = ddev->dev;
+ struct ltdc_device *ldev = ddev->dev_private;
int nb_endpoints, i;
DRM_DEBUG_DRIVER("\n");
@@ -2094,6 +2119,9 @@ void ltdc_unload(struct drm_device *ddev)
drm_of_panel_bridge_remove(ddev->dev->of_node, 0, i);
pm_runtime_disable(ddev->dev);
+
+ regmap_exit(ldev->regmap);
+ iounmap(ldev->regs);
}
MODULE_AUTHOR("Philippe Cornu <philippe.cornu@st.com>");
--
2.30.2
^ permalink raw reply related [flat|nested] 19+ messages in thread
* Re: [PATCH] drm/stm: Avoid use-after-free issues with crtc and plane
2023-10-20 10:29 ` Katya Orlova
(?)
@ 2023-10-23 8:19 ` Raphael Gallais-Pou
-1 siblings, 0 replies; 19+ messages in thread
From: Raphael Gallais-Pou @ 2023-10-23 8:19 UTC (permalink / raw)
To: Katya Orlova, Yannick Fertre
Cc: Philippe Cornu, David Airlie, Daniel Vetter, Maxime Coquelin,
Alexandre Torgue, Philipp Zabel, dri-devel, linux-stm32,
linux-arm-kernel, linux-kernel, lvc-project
Hello Katya,
Thanks for your submission.
Please see drivers/gpu/drm/cr
On 10/20/23 12:29, Katya Orlova wrote:
> ltdc_load() calls functions drm_crtc_init_with_planes() and
> drm_universal_plane_init(). These functions should not be called with
> parameters allocated with devm_kzalloc() to avoid use-after-free issues [1].
What about drmm_kzalloc() ? By doing so the drm device is properly destroyed
using DRM internals, rather than handling the allocation within the LTDC driver.
This way has two benefits IMHO : you don't have to implement the .destroy hook
for CRTC and planes and since the allocation is managed by the DRM framework it
is less likely to make resources allocation errors on future patches.
You would then have to use drmm_universal_plane_init() and
drmm_crtc_init_with_planes().
see include/drm/drm_plane.h:779 and drivers/gpu/drm/drm_crtc.c:409
Regards,
Raphaël Gallais-Pou
>
> The patch replaces managed resource allocations with regular ones.
>
> Found by Linux Verification Center (linuxtesting.org).
>
> [1]
> https://lore.kernel.org/lkml/u366i76e3qhh3ra5oxrtngjtm2u5lterkekcz6y2jkndhuxzli@diujon4h7qwb/
>
> Signed-off-by: Katya Orlova <e.orlova@ispras.ru>
> ---
> drivers/gpu/drm/stm/drv.c | 11 ++++--
> drivers/gpu/drm/stm/ltdc.c | 72 ++++++++++++++++++++++++++------------
> 2 files changed, 58 insertions(+), 25 deletions(-)
>
> diff --git a/drivers/gpu/drm/stm/drv.c b/drivers/gpu/drm/stm/drv.c
> index cb4404b3ce62..409f26d3e400 100644
> --- a/drivers/gpu/drm/stm/drv.c
> +++ b/drivers/gpu/drm/stm/drv.c
> @@ -74,7 +74,7 @@ static int drv_load(struct drm_device *ddev)
>
> DRM_DEBUG("%s\n", __func__);
>
> - ldev = devm_kzalloc(ddev->dev, sizeof(*ldev), GFP_KERNEL);
> + ldev = kzalloc(sizeof(*ldev), GFP_KERNEL);
> if (!ldev)
> return -ENOMEM;
>
> @@ -82,7 +82,7 @@ static int drv_load(struct drm_device *ddev)
>
> ret = drmm_mode_config_init(ddev);
> if (ret)
> - return ret;
> + goto err;
>
> /*
> * set max width and height as default value.
> @@ -98,7 +98,7 @@ static int drv_load(struct drm_device *ddev)
>
> ret = ltdc_load(ddev);
> if (ret)
> - return ret;
> + goto err;
>
> drm_mode_config_reset(ddev);
> drm_kms_helper_poll_init(ddev);
> @@ -106,6 +106,9 @@ static int drv_load(struct drm_device *ddev)
> platform_set_drvdata(pdev, ddev);
>
> return 0;
> +err:
> + kfree(ldev);
> + return ret;
> }
>
> static void drv_unload(struct drm_device *ddev)
> @@ -114,6 +117,8 @@ static void drv_unload(struct drm_device *ddev)
>
> drm_kms_helper_poll_fini(ddev);
> ltdc_unload(ddev);
> + kfree(ddev->dev_private);
> + ddev->dev_private = NULL;
> }
>
> static __maybe_unused int drv_suspend(struct device *dev)
> diff --git a/drivers/gpu/drm/stm/ltdc.c b/drivers/gpu/drm/stm/ltdc.c
> index b8be4c1db423..ec3bc3637a63 100644
> --- a/drivers/gpu/drm/stm/ltdc.c
> +++ b/drivers/gpu/drm/stm/ltdc.c
> @@ -1120,6 +1120,12 @@ static const struct drm_crtc_helper_funcs ltdc_crtc_helper_funcs = {
> .get_scanout_position = ltdc_crtc_get_scanout_position,
> };
>
> +static void ltdc_crtc_destroy(struct drm_crtc *crtc)
> +{
> + drm_crtc_cleanup(crtc);
> + kfree(crtc);
> +}
> +
> static int ltdc_crtc_enable_vblank(struct drm_crtc *crtc)
> {
> struct ltdc_device *ldev = crtc_to_ltdc(crtc);
> @@ -1200,7 +1206,7 @@ static void ltdc_crtc_atomic_print_state(struct drm_printer *p,
> }
>
> static const struct drm_crtc_funcs ltdc_crtc_funcs = {
> - .destroy = drm_crtc_cleanup,
> + .destroy = ltdc_crtc_destroy,
> .set_config = drm_atomic_helper_set_config,
> .page_flip = drm_atomic_helper_page_flip,
> .reset = drm_atomic_helper_crtc_reset,
> @@ -1213,7 +1219,7 @@ static const struct drm_crtc_funcs ltdc_crtc_funcs = {
> };
>
> static const struct drm_crtc_funcs ltdc_crtc_with_crc_support_funcs = {
> - .destroy = drm_crtc_cleanup,
> + .destroy = ltdc_crtc_destroy,
> .set_config = drm_atomic_helper_set_config,
> .page_flip = drm_atomic_helper_page_flip,
> .reset = drm_atomic_helper_crtc_reset,
> @@ -1543,10 +1549,16 @@ static void ltdc_plane_atomic_print_state(struct drm_printer *p,
> fpsi->counter = 0;
> }
>
> +static void ltdc_plane_destroy(struct drm_plane *plane)
> +{
> + drm_plane_cleanup(plane);
> + kfree(plane);
> +}
> +
> static const struct drm_plane_funcs ltdc_plane_funcs = {
> .update_plane = drm_atomic_helper_update_plane,
> .disable_plane = drm_atomic_helper_disable_plane,
> - .destroy = drm_plane_cleanup,
> + .destroy = ltdc_plane_destroy,
> .reset = drm_atomic_helper_plane_reset,
> .atomic_duplicate_state = drm_atomic_helper_plane_duplicate_state,
> .atomic_destroy_state = drm_atomic_helper_plane_destroy_state,
> @@ -1565,7 +1577,6 @@ static struct drm_plane *ltdc_plane_create(struct drm_device *ddev,
> {
> unsigned long possible_crtcs = CRTC_MASK;
> struct ltdc_device *ldev = ddev->dev_private;
> - struct device *dev = ddev->dev;
> struct drm_plane *plane;
> unsigned int i, nb_fmt = 0;
> u32 *formats;
> @@ -1576,7 +1587,7 @@ static struct drm_plane *ltdc_plane_create(struct drm_device *ddev,
> int ret;
>
> /* Allocate the biggest size according to supported color formats */
> - formats = devm_kzalloc(dev, (ldev->caps.pix_fmt_nb +
> + formats = kzalloc((ldev->caps.pix_fmt_nb +
> ARRAY_SIZE(ltdc_drm_fmt_ycbcr_cp) +
> ARRAY_SIZE(ltdc_drm_fmt_ycbcr_sp) +
> ARRAY_SIZE(ltdc_drm_fmt_ycbcr_fp)) *
> @@ -1614,15 +1625,20 @@ static struct drm_plane *ltdc_plane_create(struct drm_device *ddev,
> }
> }
>
> - plane = devm_kzalloc(dev, sizeof(*plane), GFP_KERNEL);
> - if (!plane)
> + plane = kzalloc(sizeof(*plane), GFP_KERNEL);
> + if (!plane) {
> + kfree(formats);
> return NULL;
> + }
>
> ret = drm_universal_plane_init(ddev, plane, possible_crtcs,
> <dc_plane_funcs, formats, nb_fmt,
> modifiers, type, NULL);
> - if (ret < 0)
> + kfree(formats);
> + if (ret < 0) {
> + kfree(plane);
> return NULL;
> + }
>
> if (ldev->caps.ycbcr_input) {
> if (val & (LXCR_C1R_YIA | LXCR_C1R_YSPA | LXCR_C1R_YFPA))
> @@ -1650,7 +1666,7 @@ static void ltdc_plane_destroy_all(struct drm_device *ddev)
>
> list_for_each_entry_safe(plane, plane_temp,
> &ddev->mode_config.plane_list, head)
> - drm_plane_cleanup(plane);
> + ltdc_plane_destroy(plane);
> }
>
> static int ltdc_crtc_init(struct drm_device *ddev, struct drm_crtc *crtc)
> @@ -1936,7 +1952,7 @@ int ltdc_load(struct drm_device *ddev)
> if (!nb_endpoints)
> return -ENODEV;
>
> - ldev->pixel_clk = devm_clk_get(dev, "lcd");
> + ldev->pixel_clk = clk_get(dev, "lcd");
> if (IS_ERR(ldev->pixel_clk)) {
> if (PTR_ERR(ldev->pixel_clk) != -EPROBE_DEFER)
> DRM_ERROR("Unable to get lcd clock\n");
> @@ -1982,7 +1998,7 @@ int ltdc_load(struct drm_device *ddev)
> }
> }
>
> - rstc = devm_reset_control_get_exclusive(dev, NULL);
> + rstc = reset_control_get_exclusive(dev, NULL);
>
> mutex_init(&ldev->err_lock);
>
> @@ -1993,25 +2009,25 @@ int ltdc_load(struct drm_device *ddev)
> }
>
> res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
> - ldev->regs = devm_ioremap_resource(dev, res);
> + ldev->regs = ioremap(res->start, resource_size(res));
> if (IS_ERR(ldev->regs)) {
> DRM_ERROR("Unable to get ltdc registers\n");
> ret = PTR_ERR(ldev->regs);
> goto err;
> }
>
> - ldev->regmap = devm_regmap_init_mmio(&pdev->dev, ldev->regs, &stm32_ltdc_regmap_cfg);
> + ldev->regmap = regmap_init_mmio(&pdev->dev, ldev->regs, &stm32_ltdc_regmap_cfg);
> if (IS_ERR(ldev->regmap)) {
> DRM_ERROR("Unable to regmap ltdc registers\n");
> ret = PTR_ERR(ldev->regmap);
> - goto err;
> + goto err_iounmap;
> }
>
> ret = ltdc_get_caps(ddev);
> if (ret) {
> DRM_ERROR("hardware identifier (0x%08x) not supported!\n",
> ldev->caps.hw_version);
> - goto err;
> + goto err_regmap_exit;
> }
>
> /* Disable interrupts */
> @@ -2034,49 +2050,57 @@ int ltdc_load(struct drm_device *ddev)
> irq = platform_get_irq(pdev, i);
> if (irq < 0) {
> ret = irq;
> - goto err;
> + goto err_regmap_exit;
> }
>
> - ret = devm_request_threaded_irq(dev, irq, ltdc_irq,
> + ret = request_threaded_irq(irq, ltdc_irq,
> ltdc_irq_thread, IRQF_ONESHOT,
> dev_name(dev), ddev);
> if (ret) {
> DRM_ERROR("Failed to register LTDC interrupt\n");
> - goto err;
> + goto err_regmap_exit;
> }
> }
>
> - crtc = devm_kzalloc(dev, sizeof(*crtc), GFP_KERNEL);
> + crtc = kzalloc(sizeof(*crtc), GFP_KERNEL);
> if (!crtc) {
> DRM_ERROR("Failed to allocate crtc\n");
> ret = -ENOMEM;
> - goto err;
> + goto err_regmap_exit;
> }
>
> ret = ltdc_crtc_init(ddev, crtc);
> if (ret) {
> DRM_ERROR("Failed to init crtc\n");
> - goto err;
> + goto free_crtc;
> }
>
> ret = drm_vblank_init(ddev, NB_CRTC);
> if (ret) {
> DRM_ERROR("Failed calling drm_vblank_init()\n");
> - goto err;
> + goto free_crtc;
> }
>
> clk_disable_unprepare(ldev->pixel_clk);
> + clk_put(ldev->pixel_clk);
>
> pinctrl_pm_select_sleep_state(ddev->dev);
>
> pm_runtime_enable(ddev->dev);
>
> return 0;
> +free_crtc:
> + kfree(crtc);
> +err_regmap_exit:
> + regmap_exit(ldev->regmap);
> +err_iounmap:
> + iounmap(ldev->regs);
> err:
> for (i = 0; i < nb_endpoints; i++)
> drm_of_panel_bridge_remove(ddev->dev->of_node, 0, i);
>
> clk_disable_unprepare(ldev->pixel_clk);
> + clk_put(ldev->pixel_clk);
>
> return ret;
> }
> @@ -2084,6 +2108,7 @@ int ltdc_load(struct drm_device *ddev)
> void ltdc_unload(struct drm_device *ddev)
> {
> struct device *dev = ddev->dev;
> + struct ltdc_device *ldev = ddev->dev_private;
> int nb_endpoints, i;
>
> DRM_DEBUG_DRIVER("\n");
> @@ -2094,6 +2119,9 @@ void ltdc_unload(struct drm_device *ddev)
> drm_of_panel_bridge_remove(ddev->dev->of_node, 0, i);
>
> pm_runtime_disable(ddev->dev);
> +
> + regmap_exit(ldev->regmap);
> + iounmap(ldev->regs);
> }
>
> MODULE_AUTHOR("Philippe Cornu <philippe.cornu@st.com>");
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH] drm/stm: Avoid use-after-free issues with crtc and plane
@ 2023-10-23 8:19 ` Raphael Gallais-Pou
0 siblings, 0 replies; 19+ messages in thread
From: Raphael Gallais-Pou @ 2023-10-23 8:19 UTC (permalink / raw)
To: Katya Orlova, Yannick Fertre
Cc: Philippe Cornu, David Airlie, Daniel Vetter, Maxime Coquelin,
Alexandre Torgue, Philipp Zabel, dri-devel, linux-stm32,
linux-arm-kernel, linux-kernel, lvc-project
Hello Katya,
Thanks for your submission.
Please see drivers/gpu/drm/cr
On 10/20/23 12:29, Katya Orlova wrote:
> ltdc_load() calls functions drm_crtc_init_with_planes() and
> drm_universal_plane_init(). These functions should not be called with
> parameters allocated with devm_kzalloc() to avoid use-after-free issues [1].
What about drmm_kzalloc() ? By doing so the drm device is properly destroyed
using DRM internals, rather than handling the allocation within the LTDC driver.
This way has two benefits IMHO : you don't have to implement the .destroy hook
for CRTC and planes and since the allocation is managed by the DRM framework it
is less likely to make resources allocation errors on future patches.
You would then have to use drmm_universal_plane_init() and
drmm_crtc_init_with_planes().
see include/drm/drm_plane.h:779 and drivers/gpu/drm/drm_crtc.c:409
Regards,
Raphaël Gallais-Pou
>
> The patch replaces managed resource allocations with regular ones.
>
> Found by Linux Verification Center (linuxtesting.org).
>
> [1]
> https://lore.kernel.org/lkml/u366i76e3qhh3ra5oxrtngjtm2u5lterkekcz6y2jkndhuxzli@diujon4h7qwb/
>
> Signed-off-by: Katya Orlova <e.orlova@ispras.ru>
> ---
> drivers/gpu/drm/stm/drv.c | 11 ++++--
> drivers/gpu/drm/stm/ltdc.c | 72 ++++++++++++++++++++++++++------------
> 2 files changed, 58 insertions(+), 25 deletions(-)
>
> diff --git a/drivers/gpu/drm/stm/drv.c b/drivers/gpu/drm/stm/drv.c
> index cb4404b3ce62..409f26d3e400 100644
> --- a/drivers/gpu/drm/stm/drv.c
> +++ b/drivers/gpu/drm/stm/drv.c
> @@ -74,7 +74,7 @@ static int drv_load(struct drm_device *ddev)
>
> DRM_DEBUG("%s\n", __func__);
>
> - ldev = devm_kzalloc(ddev->dev, sizeof(*ldev), GFP_KERNEL);
> + ldev = kzalloc(sizeof(*ldev), GFP_KERNEL);
> if (!ldev)
> return -ENOMEM;
>
> @@ -82,7 +82,7 @@ static int drv_load(struct drm_device *ddev)
>
> ret = drmm_mode_config_init(ddev);
> if (ret)
> - return ret;
> + goto err;
>
> /*
> * set max width and height as default value.
> @@ -98,7 +98,7 @@ static int drv_load(struct drm_device *ddev)
>
> ret = ltdc_load(ddev);
> if (ret)
> - return ret;
> + goto err;
>
> drm_mode_config_reset(ddev);
> drm_kms_helper_poll_init(ddev);
> @@ -106,6 +106,9 @@ static int drv_load(struct drm_device *ddev)
> platform_set_drvdata(pdev, ddev);
>
> return 0;
> +err:
> + kfree(ldev);
> + return ret;
> }
>
> static void drv_unload(struct drm_device *ddev)
> @@ -114,6 +117,8 @@ static void drv_unload(struct drm_device *ddev)
>
> drm_kms_helper_poll_fini(ddev);
> ltdc_unload(ddev);
> + kfree(ddev->dev_private);
> + ddev->dev_private = NULL;
> }
>
> static __maybe_unused int drv_suspend(struct device *dev)
> diff --git a/drivers/gpu/drm/stm/ltdc.c b/drivers/gpu/drm/stm/ltdc.c
> index b8be4c1db423..ec3bc3637a63 100644
> --- a/drivers/gpu/drm/stm/ltdc.c
> +++ b/drivers/gpu/drm/stm/ltdc.c
> @@ -1120,6 +1120,12 @@ static const struct drm_crtc_helper_funcs ltdc_crtc_helper_funcs = {
> .get_scanout_position = ltdc_crtc_get_scanout_position,
> };
>
> +static void ltdc_crtc_destroy(struct drm_crtc *crtc)
> +{
> + drm_crtc_cleanup(crtc);
> + kfree(crtc);
> +}
> +
> static int ltdc_crtc_enable_vblank(struct drm_crtc *crtc)
> {
> struct ltdc_device *ldev = crtc_to_ltdc(crtc);
> @@ -1200,7 +1206,7 @@ static void ltdc_crtc_atomic_print_state(struct drm_printer *p,
> }
>
> static const struct drm_crtc_funcs ltdc_crtc_funcs = {
> - .destroy = drm_crtc_cleanup,
> + .destroy = ltdc_crtc_destroy,
> .set_config = drm_atomic_helper_set_config,
> .page_flip = drm_atomic_helper_page_flip,
> .reset = drm_atomic_helper_crtc_reset,
> @@ -1213,7 +1219,7 @@ static const struct drm_crtc_funcs ltdc_crtc_funcs = {
> };
>
> static const struct drm_crtc_funcs ltdc_crtc_with_crc_support_funcs = {
> - .destroy = drm_crtc_cleanup,
> + .destroy = ltdc_crtc_destroy,
> .set_config = drm_atomic_helper_set_config,
> .page_flip = drm_atomic_helper_page_flip,
> .reset = drm_atomic_helper_crtc_reset,
> @@ -1543,10 +1549,16 @@ static void ltdc_plane_atomic_print_state(struct drm_printer *p,
> fpsi->counter = 0;
> }
>
> +static void ltdc_plane_destroy(struct drm_plane *plane)
> +{
> + drm_plane_cleanup(plane);
> + kfree(plane);
> +}
> +
> static const struct drm_plane_funcs ltdc_plane_funcs = {
> .update_plane = drm_atomic_helper_update_plane,
> .disable_plane = drm_atomic_helper_disable_plane,
> - .destroy = drm_plane_cleanup,
> + .destroy = ltdc_plane_destroy,
> .reset = drm_atomic_helper_plane_reset,
> .atomic_duplicate_state = drm_atomic_helper_plane_duplicate_state,
> .atomic_destroy_state = drm_atomic_helper_plane_destroy_state,
> @@ -1565,7 +1577,6 @@ static struct drm_plane *ltdc_plane_create(struct drm_device *ddev,
> {
> unsigned long possible_crtcs = CRTC_MASK;
> struct ltdc_device *ldev = ddev->dev_private;
> - struct device *dev = ddev->dev;
> struct drm_plane *plane;
> unsigned int i, nb_fmt = 0;
> u32 *formats;
> @@ -1576,7 +1587,7 @@ static struct drm_plane *ltdc_plane_create(struct drm_device *ddev,
> int ret;
>
> /* Allocate the biggest size according to supported color formats */
> - formats = devm_kzalloc(dev, (ldev->caps.pix_fmt_nb +
> + formats = kzalloc((ldev->caps.pix_fmt_nb +
> ARRAY_SIZE(ltdc_drm_fmt_ycbcr_cp) +
> ARRAY_SIZE(ltdc_drm_fmt_ycbcr_sp) +
> ARRAY_SIZE(ltdc_drm_fmt_ycbcr_fp)) *
> @@ -1614,15 +1625,20 @@ static struct drm_plane *ltdc_plane_create(struct drm_device *ddev,
> }
> }
>
> - plane = devm_kzalloc(dev, sizeof(*plane), GFP_KERNEL);
> - if (!plane)
> + plane = kzalloc(sizeof(*plane), GFP_KERNEL);
> + if (!plane) {
> + kfree(formats);
> return NULL;
> + }
>
> ret = drm_universal_plane_init(ddev, plane, possible_crtcs,
> <dc_plane_funcs, formats, nb_fmt,
> modifiers, type, NULL);
> - if (ret < 0)
> + kfree(formats);
> + if (ret < 0) {
> + kfree(plane);
> return NULL;
> + }
>
> if (ldev->caps.ycbcr_input) {
> if (val & (LXCR_C1R_YIA | LXCR_C1R_YSPA | LXCR_C1R_YFPA))
> @@ -1650,7 +1666,7 @@ static void ltdc_plane_destroy_all(struct drm_device *ddev)
>
> list_for_each_entry_safe(plane, plane_temp,
> &ddev->mode_config.plane_list, head)
> - drm_plane_cleanup(plane);
> + ltdc_plane_destroy(plane);
> }
>
> static int ltdc_crtc_init(struct drm_device *ddev, struct drm_crtc *crtc)
> @@ -1936,7 +1952,7 @@ int ltdc_load(struct drm_device *ddev)
> if (!nb_endpoints)
> return -ENODEV;
>
> - ldev->pixel_clk = devm_clk_get(dev, "lcd");
> + ldev->pixel_clk = clk_get(dev, "lcd");
> if (IS_ERR(ldev->pixel_clk)) {
> if (PTR_ERR(ldev->pixel_clk) != -EPROBE_DEFER)
> DRM_ERROR("Unable to get lcd clock\n");
> @@ -1982,7 +1998,7 @@ int ltdc_load(struct drm_device *ddev)
> }
> }
>
> - rstc = devm_reset_control_get_exclusive(dev, NULL);
> + rstc = reset_control_get_exclusive(dev, NULL);
>
> mutex_init(&ldev->err_lock);
>
> @@ -1993,25 +2009,25 @@ int ltdc_load(struct drm_device *ddev)
> }
>
> res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
> - ldev->regs = devm_ioremap_resource(dev, res);
> + ldev->regs = ioremap(res->start, resource_size(res));
> if (IS_ERR(ldev->regs)) {
> DRM_ERROR("Unable to get ltdc registers\n");
> ret = PTR_ERR(ldev->regs);
> goto err;
> }
>
> - ldev->regmap = devm_regmap_init_mmio(&pdev->dev, ldev->regs, &stm32_ltdc_regmap_cfg);
> + ldev->regmap = regmap_init_mmio(&pdev->dev, ldev->regs, &stm32_ltdc_regmap_cfg);
> if (IS_ERR(ldev->regmap)) {
> DRM_ERROR("Unable to regmap ltdc registers\n");
> ret = PTR_ERR(ldev->regmap);
> - goto err;
> + goto err_iounmap;
> }
>
> ret = ltdc_get_caps(ddev);
> if (ret) {
> DRM_ERROR("hardware identifier (0x%08x) not supported!\n",
> ldev->caps.hw_version);
> - goto err;
> + goto err_regmap_exit;
> }
>
> /* Disable interrupts */
> @@ -2034,49 +2050,57 @@ int ltdc_load(struct drm_device *ddev)
> irq = platform_get_irq(pdev, i);
> if (irq < 0) {
> ret = irq;
> - goto err;
> + goto err_regmap_exit;
> }
>
> - ret = devm_request_threaded_irq(dev, irq, ltdc_irq,
> + ret = request_threaded_irq(irq, ltdc_irq,
> ltdc_irq_thread, IRQF_ONESHOT,
> dev_name(dev), ddev);
> if (ret) {
> DRM_ERROR("Failed to register LTDC interrupt\n");
> - goto err;
> + goto err_regmap_exit;
> }
> }
>
> - crtc = devm_kzalloc(dev, sizeof(*crtc), GFP_KERNEL);
> + crtc = kzalloc(sizeof(*crtc), GFP_KERNEL);
> if (!crtc) {
> DRM_ERROR("Failed to allocate crtc\n");
> ret = -ENOMEM;
> - goto err;
> + goto err_regmap_exit;
> }
>
> ret = ltdc_crtc_init(ddev, crtc);
> if (ret) {
> DRM_ERROR("Failed to init crtc\n");
> - goto err;
> + goto free_crtc;
> }
>
> ret = drm_vblank_init(ddev, NB_CRTC);
> if (ret) {
> DRM_ERROR("Failed calling drm_vblank_init()\n");
> - goto err;
> + goto free_crtc;
> }
>
> clk_disable_unprepare(ldev->pixel_clk);
> + clk_put(ldev->pixel_clk);
>
> pinctrl_pm_select_sleep_state(ddev->dev);
>
> pm_runtime_enable(ddev->dev);
>
> return 0;
> +free_crtc:
> + kfree(crtc);
> +err_regmap_exit:
> + regmap_exit(ldev->regmap);
> +err_iounmap:
> + iounmap(ldev->regs);
> err:
> for (i = 0; i < nb_endpoints; i++)
> drm_of_panel_bridge_remove(ddev->dev->of_node, 0, i);
>
> clk_disable_unprepare(ldev->pixel_clk);
> + clk_put(ldev->pixel_clk);
>
> return ret;
> }
> @@ -2084,6 +2108,7 @@ int ltdc_load(struct drm_device *ddev)
> void ltdc_unload(struct drm_device *ddev)
> {
> struct device *dev = ddev->dev;
> + struct ltdc_device *ldev = ddev->dev_private;
> int nb_endpoints, i;
>
> DRM_DEBUG_DRIVER("\n");
> @@ -2094,6 +2119,9 @@ void ltdc_unload(struct drm_device *ddev)
> drm_of_panel_bridge_remove(ddev->dev->of_node, 0, i);
>
> pm_runtime_disable(ddev->dev);
> +
> + regmap_exit(ldev->regmap);
> + iounmap(ldev->regs);
> }
>
> MODULE_AUTHOR("Philippe Cornu <philippe.cornu@st.com>");
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH] drm/stm: Avoid use-after-free issues with crtc and plane
@ 2023-10-23 8:19 ` Raphael Gallais-Pou
0 siblings, 0 replies; 19+ messages in thread
From: Raphael Gallais-Pou @ 2023-10-23 8:19 UTC (permalink / raw)
To: Katya Orlova, Yannick Fertre
Cc: Maxime Coquelin, Alexandre Torgue, dri-devel, linux-kernel,
Philippe Cornu, linux-stm32, linux-arm-kernel, lvc-project
Hello Katya,
Thanks for your submission.
Please see drivers/gpu/drm/cr
On 10/20/23 12:29, Katya Orlova wrote:
> ltdc_load() calls functions drm_crtc_init_with_planes() and
> drm_universal_plane_init(). These functions should not be called with
> parameters allocated with devm_kzalloc() to avoid use-after-free issues [1].
What about drmm_kzalloc() ? By doing so the drm device is properly destroyed
using DRM internals, rather than handling the allocation within the LTDC driver.
This way has two benefits IMHO : you don't have to implement the .destroy hook
for CRTC and planes and since the allocation is managed by the DRM framework it
is less likely to make resources allocation errors on future patches.
You would then have to use drmm_universal_plane_init() and
drmm_crtc_init_with_planes().
see include/drm/drm_plane.h:779 and drivers/gpu/drm/drm_crtc.c:409
Regards,
Raphaël Gallais-Pou
>
> The patch replaces managed resource allocations with regular ones.
>
> Found by Linux Verification Center (linuxtesting.org).
>
> [1]
> https://lore.kernel.org/lkml/u366i76e3qhh3ra5oxrtngjtm2u5lterkekcz6y2jkndhuxzli@diujon4h7qwb/
>
> Signed-off-by: Katya Orlova <e.orlova@ispras.ru>
> ---
> drivers/gpu/drm/stm/drv.c | 11 ++++--
> drivers/gpu/drm/stm/ltdc.c | 72 ++++++++++++++++++++++++++------------
> 2 files changed, 58 insertions(+), 25 deletions(-)
>
> diff --git a/drivers/gpu/drm/stm/drv.c b/drivers/gpu/drm/stm/drv.c
> index cb4404b3ce62..409f26d3e400 100644
> --- a/drivers/gpu/drm/stm/drv.c
> +++ b/drivers/gpu/drm/stm/drv.c
> @@ -74,7 +74,7 @@ static int drv_load(struct drm_device *ddev)
>
> DRM_DEBUG("%s\n", __func__);
>
> - ldev = devm_kzalloc(ddev->dev, sizeof(*ldev), GFP_KERNEL);
> + ldev = kzalloc(sizeof(*ldev), GFP_KERNEL);
> if (!ldev)
> return -ENOMEM;
>
> @@ -82,7 +82,7 @@ static int drv_load(struct drm_device *ddev)
>
> ret = drmm_mode_config_init(ddev);
> if (ret)
> - return ret;
> + goto err;
>
> /*
> * set max width and height as default value.
> @@ -98,7 +98,7 @@ static int drv_load(struct drm_device *ddev)
>
> ret = ltdc_load(ddev);
> if (ret)
> - return ret;
> + goto err;
>
> drm_mode_config_reset(ddev);
> drm_kms_helper_poll_init(ddev);
> @@ -106,6 +106,9 @@ static int drv_load(struct drm_device *ddev)
> platform_set_drvdata(pdev, ddev);
>
> return 0;
> +err:
> + kfree(ldev);
> + return ret;
> }
>
> static void drv_unload(struct drm_device *ddev)
> @@ -114,6 +117,8 @@ static void drv_unload(struct drm_device *ddev)
>
> drm_kms_helper_poll_fini(ddev);
> ltdc_unload(ddev);
> + kfree(ddev->dev_private);
> + ddev->dev_private = NULL;
> }
>
> static __maybe_unused int drv_suspend(struct device *dev)
> diff --git a/drivers/gpu/drm/stm/ltdc.c b/drivers/gpu/drm/stm/ltdc.c
> index b8be4c1db423..ec3bc3637a63 100644
> --- a/drivers/gpu/drm/stm/ltdc.c
> +++ b/drivers/gpu/drm/stm/ltdc.c
> @@ -1120,6 +1120,12 @@ static const struct drm_crtc_helper_funcs ltdc_crtc_helper_funcs = {
> .get_scanout_position = ltdc_crtc_get_scanout_position,
> };
>
> +static void ltdc_crtc_destroy(struct drm_crtc *crtc)
> +{
> + drm_crtc_cleanup(crtc);
> + kfree(crtc);
> +}
> +
> static int ltdc_crtc_enable_vblank(struct drm_crtc *crtc)
> {
> struct ltdc_device *ldev = crtc_to_ltdc(crtc);
> @@ -1200,7 +1206,7 @@ static void ltdc_crtc_atomic_print_state(struct drm_printer *p,
> }
>
> static const struct drm_crtc_funcs ltdc_crtc_funcs = {
> - .destroy = drm_crtc_cleanup,
> + .destroy = ltdc_crtc_destroy,
> .set_config = drm_atomic_helper_set_config,
> .page_flip = drm_atomic_helper_page_flip,
> .reset = drm_atomic_helper_crtc_reset,
> @@ -1213,7 +1219,7 @@ static const struct drm_crtc_funcs ltdc_crtc_funcs = {
> };
>
> static const struct drm_crtc_funcs ltdc_crtc_with_crc_support_funcs = {
> - .destroy = drm_crtc_cleanup,
> + .destroy = ltdc_crtc_destroy,
> .set_config = drm_atomic_helper_set_config,
> .page_flip = drm_atomic_helper_page_flip,
> .reset = drm_atomic_helper_crtc_reset,
> @@ -1543,10 +1549,16 @@ static void ltdc_plane_atomic_print_state(struct drm_printer *p,
> fpsi->counter = 0;
> }
>
> +static void ltdc_plane_destroy(struct drm_plane *plane)
> +{
> + drm_plane_cleanup(plane);
> + kfree(plane);
> +}
> +
> static const struct drm_plane_funcs ltdc_plane_funcs = {
> .update_plane = drm_atomic_helper_update_plane,
> .disable_plane = drm_atomic_helper_disable_plane,
> - .destroy = drm_plane_cleanup,
> + .destroy = ltdc_plane_destroy,
> .reset = drm_atomic_helper_plane_reset,
> .atomic_duplicate_state = drm_atomic_helper_plane_duplicate_state,
> .atomic_destroy_state = drm_atomic_helper_plane_destroy_state,
> @@ -1565,7 +1577,6 @@ static struct drm_plane *ltdc_plane_create(struct drm_device *ddev,
> {
> unsigned long possible_crtcs = CRTC_MASK;
> struct ltdc_device *ldev = ddev->dev_private;
> - struct device *dev = ddev->dev;
> struct drm_plane *plane;
> unsigned int i, nb_fmt = 0;
> u32 *formats;
> @@ -1576,7 +1587,7 @@ static struct drm_plane *ltdc_plane_create(struct drm_device *ddev,
> int ret;
>
> /* Allocate the biggest size according to supported color formats */
> - formats = devm_kzalloc(dev, (ldev->caps.pix_fmt_nb +
> + formats = kzalloc((ldev->caps.pix_fmt_nb +
> ARRAY_SIZE(ltdc_drm_fmt_ycbcr_cp) +
> ARRAY_SIZE(ltdc_drm_fmt_ycbcr_sp) +
> ARRAY_SIZE(ltdc_drm_fmt_ycbcr_fp)) *
> @@ -1614,15 +1625,20 @@ static struct drm_plane *ltdc_plane_create(struct drm_device *ddev,
> }
> }
>
> - plane = devm_kzalloc(dev, sizeof(*plane), GFP_KERNEL);
> - if (!plane)
> + plane = kzalloc(sizeof(*plane), GFP_KERNEL);
> + if (!plane) {
> + kfree(formats);
> return NULL;
> + }
>
> ret = drm_universal_plane_init(ddev, plane, possible_crtcs,
> <dc_plane_funcs, formats, nb_fmt,
> modifiers, type, NULL);
> - if (ret < 0)
> + kfree(formats);
> + if (ret < 0) {
> + kfree(plane);
> return NULL;
> + }
>
> if (ldev->caps.ycbcr_input) {
> if (val & (LXCR_C1R_YIA | LXCR_C1R_YSPA | LXCR_C1R_YFPA))
> @@ -1650,7 +1666,7 @@ static void ltdc_plane_destroy_all(struct drm_device *ddev)
>
> list_for_each_entry_safe(plane, plane_temp,
> &ddev->mode_config.plane_list, head)
> - drm_plane_cleanup(plane);
> + ltdc_plane_destroy(plane);
> }
>
> static int ltdc_crtc_init(struct drm_device *ddev, struct drm_crtc *crtc)
> @@ -1936,7 +1952,7 @@ int ltdc_load(struct drm_device *ddev)
> if (!nb_endpoints)
> return -ENODEV;
>
> - ldev->pixel_clk = devm_clk_get(dev, "lcd");
> + ldev->pixel_clk = clk_get(dev, "lcd");
> if (IS_ERR(ldev->pixel_clk)) {
> if (PTR_ERR(ldev->pixel_clk) != -EPROBE_DEFER)
> DRM_ERROR("Unable to get lcd clock\n");
> @@ -1982,7 +1998,7 @@ int ltdc_load(struct drm_device *ddev)
> }
> }
>
> - rstc = devm_reset_control_get_exclusive(dev, NULL);
> + rstc = reset_control_get_exclusive(dev, NULL);
>
> mutex_init(&ldev->err_lock);
>
> @@ -1993,25 +2009,25 @@ int ltdc_load(struct drm_device *ddev)
> }
>
> res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
> - ldev->regs = devm_ioremap_resource(dev, res);
> + ldev->regs = ioremap(res->start, resource_size(res));
> if (IS_ERR(ldev->regs)) {
> DRM_ERROR("Unable to get ltdc registers\n");
> ret = PTR_ERR(ldev->regs);
> goto err;
> }
>
> - ldev->regmap = devm_regmap_init_mmio(&pdev->dev, ldev->regs, &stm32_ltdc_regmap_cfg);
> + ldev->regmap = regmap_init_mmio(&pdev->dev, ldev->regs, &stm32_ltdc_regmap_cfg);
> if (IS_ERR(ldev->regmap)) {
> DRM_ERROR("Unable to regmap ltdc registers\n");
> ret = PTR_ERR(ldev->regmap);
> - goto err;
> + goto err_iounmap;
> }
>
> ret = ltdc_get_caps(ddev);
> if (ret) {
> DRM_ERROR("hardware identifier (0x%08x) not supported!\n",
> ldev->caps.hw_version);
> - goto err;
> + goto err_regmap_exit;
> }
>
> /* Disable interrupts */
> @@ -2034,49 +2050,57 @@ int ltdc_load(struct drm_device *ddev)
> irq = platform_get_irq(pdev, i);
> if (irq < 0) {
> ret = irq;
> - goto err;
> + goto err_regmap_exit;
> }
>
> - ret = devm_request_threaded_irq(dev, irq, ltdc_irq,
> + ret = request_threaded_irq(irq, ltdc_irq,
> ltdc_irq_thread, IRQF_ONESHOT,
> dev_name(dev), ddev);
> if (ret) {
> DRM_ERROR("Failed to register LTDC interrupt\n");
> - goto err;
> + goto err_regmap_exit;
> }
> }
>
> - crtc = devm_kzalloc(dev, sizeof(*crtc), GFP_KERNEL);
> + crtc = kzalloc(sizeof(*crtc), GFP_KERNEL);
> if (!crtc) {
> DRM_ERROR("Failed to allocate crtc\n");
> ret = -ENOMEM;
> - goto err;
> + goto err_regmap_exit;
> }
>
> ret = ltdc_crtc_init(ddev, crtc);
> if (ret) {
> DRM_ERROR("Failed to init crtc\n");
> - goto err;
> + goto free_crtc;
> }
>
> ret = drm_vblank_init(ddev, NB_CRTC);
> if (ret) {
> DRM_ERROR("Failed calling drm_vblank_init()\n");
> - goto err;
> + goto free_crtc;
> }
>
> clk_disable_unprepare(ldev->pixel_clk);
> + clk_put(ldev->pixel_clk);
>
> pinctrl_pm_select_sleep_state(ddev->dev);
>
> pm_runtime_enable(ddev->dev);
>
> return 0;
> +free_crtc:
> + kfree(crtc);
> +err_regmap_exit:
> + regmap_exit(ldev->regmap);
> +err_iounmap:
> + iounmap(ldev->regs);
> err:
> for (i = 0; i < nb_endpoints; i++)
> drm_of_panel_bridge_remove(ddev->dev->of_node, 0, i);
>
> clk_disable_unprepare(ldev->pixel_clk);
> + clk_put(ldev->pixel_clk);
>
> return ret;
> }
> @@ -2084,6 +2108,7 @@ int ltdc_load(struct drm_device *ddev)
> void ltdc_unload(struct drm_device *ddev)
> {
> struct device *dev = ddev->dev;
> + struct ltdc_device *ldev = ddev->dev_private;
> int nb_endpoints, i;
>
> DRM_DEBUG_DRIVER("\n");
> @@ -2094,6 +2119,9 @@ void ltdc_unload(struct drm_device *ddev)
> drm_of_panel_bridge_remove(ddev->dev->of_node, 0, i);
>
> pm_runtime_disable(ddev->dev);
> +
> + regmap_exit(ldev->regmap);
> + iounmap(ldev->regs);
> }
>
> MODULE_AUTHOR("Philippe Cornu <philippe.cornu@st.com>");
^ permalink raw reply [flat|nested] 19+ messages in thread
* [PATCH v2] drm/stm: Avoid use-after-free issues with crtc and plane
2023-10-23 8:19 ` Raphael Gallais-Pou
(?)
@ 2023-11-24 10:04 ` Katya Orlova
-1 siblings, 0 replies; 19+ messages in thread
From: Katya Orlova @ 2023-11-24 10:04 UTC (permalink / raw)
To: Raphael Gallais-Pou
Cc: Katya Orlova, Yannick Fertre, Philippe Cornu, David Airlie,
Daniel Vetter, Maxime Coquelin, Alexandre Torgue, Philipp Zabel,
dri-devel, linux-stm32, linux-arm-kernel, linux-kernel,
lvc-project
ltdc_load() calls functions drm_crtc_init_with_planes(),
drm_universal_plane_init() and drm_encoder_init(). These functions
should not be called with parameters allocated with devm_kzalloc()
to avoid use-after-free issues [1].
Use allocations managed by the DRM framework.
Found by Linux Verification Center (linuxtesting.org).
[1]
https://lore.kernel.org/lkml/u366i76e3qhh3ra5oxrtngjtm2u5lterkekcz6y2jkndhuxzli@diujon4h7qwb/
Signed-off-by: Katya Orlova <e.orlova@ispras.ru>
---
v2: use allocations managed by the DRM as
Raphael Gallais-Pou <raphael.gallais-pou@foss.st.com> suggested.
Also add a fix for encoder.
drivers/gpu/drm/stm/drv.c | 3 +-
drivers/gpu/drm/stm/ltdc.c | 68 +++++++++-----------------------------
2 files changed, 18 insertions(+), 53 deletions(-)
diff --git a/drivers/gpu/drm/stm/drv.c b/drivers/gpu/drm/stm/drv.c
index e8523abef27a..152bec2c0238 100644
--- a/drivers/gpu/drm/stm/drv.c
+++ b/drivers/gpu/drm/stm/drv.c
@@ -25,6 +25,7 @@
#include <drm/drm_module.h>
#include <drm/drm_probe_helper.h>
#include <drm/drm_vblank.h>
+#include <drm/drm_managed.h>
#include "ltdc.h"
@@ -75,7 +76,7 @@ static int drv_load(struct drm_device *ddev)
DRM_DEBUG("%s\n", __func__);
- ldev = devm_kzalloc(ddev->dev, sizeof(*ldev), GFP_KERNEL);
+ ldev = drmm_kzalloc(ddev, sizeof(*ldev), GFP_KERNEL);
if (!ldev)
return -ENOMEM;
diff --git a/drivers/gpu/drm/stm/ltdc.c b/drivers/gpu/drm/stm/ltdc.c
index 5576fdae4962..02a7c8375f44 100644
--- a/drivers/gpu/drm/stm/ltdc.c
+++ b/drivers/gpu/drm/stm/ltdc.c
@@ -36,6 +36,7 @@
#include <drm/drm_probe_helper.h>
#include <drm/drm_simple_kms_helper.h>
#include <drm/drm_vblank.h>
+#include <drm/drm_managed.h>
#include <video/videomode.h>
@@ -1199,7 +1200,6 @@ static void ltdc_crtc_atomic_print_state(struct drm_printer *p,
}
static const struct drm_crtc_funcs ltdc_crtc_funcs = {
- .destroy = drm_crtc_cleanup,
.set_config = drm_atomic_helper_set_config,
.page_flip = drm_atomic_helper_page_flip,
.reset = drm_atomic_helper_crtc_reset,
@@ -1212,7 +1212,6 @@ static const struct drm_crtc_funcs ltdc_crtc_funcs = {
};
static const struct drm_crtc_funcs ltdc_crtc_with_crc_support_funcs = {
- .destroy = drm_crtc_cleanup,
.set_config = drm_atomic_helper_set_config,
.page_flip = drm_atomic_helper_page_flip,
.reset = drm_atomic_helper_crtc_reset,
@@ -1545,7 +1544,6 @@ static void ltdc_plane_atomic_print_state(struct drm_printer *p,
static const struct drm_plane_funcs ltdc_plane_funcs = {
.update_plane = drm_atomic_helper_update_plane,
.disable_plane = drm_atomic_helper_disable_plane,
- .destroy = drm_plane_cleanup,
.reset = drm_atomic_helper_plane_reset,
.atomic_duplicate_state = drm_atomic_helper_plane_duplicate_state,
.atomic_destroy_state = drm_atomic_helper_plane_destroy_state,
@@ -1572,7 +1570,6 @@ static struct drm_plane *ltdc_plane_create(struct drm_device *ddev,
const u64 *modifiers = ltdc_format_modifiers;
u32 lofs = index * LAY_OFS;
u32 val;
- int ret;
/* Allocate the biggest size according to supported color formats */
formats = devm_kzalloc(dev, (ldev->caps.pix_fmt_nb +
@@ -1613,14 +1610,10 @@ static struct drm_plane *ltdc_plane_create(struct drm_device *ddev,
}
}
- plane = devm_kzalloc(dev, sizeof(*plane), GFP_KERNEL);
- if (!plane)
- return NULL;
-
- ret = drm_universal_plane_init(ddev, plane, possible_crtcs,
- <dc_plane_funcs, formats, nb_fmt,
- modifiers, type, NULL);
- if (ret < 0)
+ plane = drmm_universal_plane_alloc(ddev, struct drm_plane, dev,
+ possible_crtcs, <dc_plane_funcs, formats, nb_fmt,
+ modifiers, type, NULL);
+ if (IS_ERR(plane))
return NULL;
if (ldev->caps.ycbcr_input) {
@@ -1643,15 +1636,6 @@ static struct drm_plane *ltdc_plane_create(struct drm_device *ddev,
return plane;
}
-static void ltdc_plane_destroy_all(struct drm_device *ddev)
-{
- struct drm_plane *plane, *plane_temp;
-
- list_for_each_entry_safe(plane, plane_temp,
- &ddev->mode_config.plane_list, head)
- drm_plane_cleanup(plane);
-}
-
static int ltdc_crtc_init(struct drm_device *ddev, struct drm_crtc *crtc)
{
struct ltdc_device *ldev = ddev->dev_private;
@@ -1677,14 +1661,14 @@ static int ltdc_crtc_init(struct drm_device *ddev, struct drm_crtc *crtc)
/* Init CRTC according to its hardware features */
if (ldev->caps.crc)
- ret = drm_crtc_init_with_planes(ddev, crtc, primary, NULL,
+ ret = drmm_crtc_init_with_planes(ddev, crtc, primary, NULL,
<dc_crtc_with_crc_support_funcs, NULL);
else
- ret = drm_crtc_init_with_planes(ddev, crtc, primary, NULL,
+ ret = drmm_crtc_init_with_planes(ddev, crtc, primary, NULL,
<dc_crtc_funcs, NULL);
if (ret) {
DRM_ERROR("Can not initialize CRTC\n");
- goto cleanup;
+ return ret;
}
drm_crtc_helper_add(crtc, <dc_crtc_helper_funcs);
@@ -1698,9 +1682,8 @@ static int ltdc_crtc_init(struct drm_device *ddev, struct drm_crtc *crtc)
for (i = 1; i < ldev->caps.nb_layers; i++) {
overlay = ltdc_plane_create(ddev, DRM_PLANE_TYPE_OVERLAY, i);
if (!overlay) {
- ret = -ENOMEM;
DRM_ERROR("Can not create overlay plane %d\n", i);
- goto cleanup;
+ return -ENOMEM;
}
if (ldev->caps.dynamic_zorder)
drm_plane_create_zpos_property(overlay, i, 0, ldev->caps.nb_layers - 1);
@@ -1713,10 +1696,6 @@ static int ltdc_crtc_init(struct drm_device *ddev, struct drm_crtc *crtc)
}
return 0;
-
-cleanup:
- ltdc_plane_destroy_all(ddev);
- return ret;
}
static void ltdc_encoder_disable(struct drm_encoder *encoder)
@@ -1776,23 +1755,19 @@ static int ltdc_encoder_init(struct drm_device *ddev, struct drm_bridge *bridge)
struct drm_encoder *encoder;
int ret;
- encoder = devm_kzalloc(ddev->dev, sizeof(*encoder), GFP_KERNEL);
- if (!encoder)
- return -ENOMEM;
+ encoder = drmm_simple_encoder_alloc(ddev, struct drm_encoder, dev,
+ DRM_MODE_ENCODER_DPI);
+ if (IS_ERR(encoder))
+ return PTR_ERR(encoder);
encoder->possible_crtcs = CRTC_MASK;
encoder->possible_clones = 0; /* No cloning support */
- drm_simple_encoder_init(ddev, encoder, DRM_MODE_ENCODER_DPI);
-
drm_encoder_helper_add(encoder, <dc_encoder_helper_funcs);
ret = drm_bridge_attach(encoder, bridge, NULL, 0);
- if (ret) {
- if (ret != -EPROBE_DEFER)
- drm_encoder_cleanup(encoder);
+ if (ret)
return ret;
- }
DRM_DEBUG_DRIVER("Bridge encoder:%d created\n", encoder->base.id);
@@ -1962,8 +1937,7 @@ int ltdc_load(struct drm_device *ddev)
goto err;
if (panel) {
- bridge = drm_panel_bridge_add_typed(panel,
- DRM_MODE_CONNECTOR_DPI);
+ bridge = drmm_panel_bridge_add(ddev, panel);
if (IS_ERR(bridge)) {
DRM_ERROR("panel-bridge endpoint %d\n", i);
ret = PTR_ERR(bridge);
@@ -2045,7 +2019,7 @@ int ltdc_load(struct drm_device *ddev)
}
}
- crtc = devm_kzalloc(dev, sizeof(*crtc), GFP_KERNEL);
+ crtc = drmm_kzalloc(ddev, sizeof(*crtc), GFP_KERNEL);
if (!crtc) {
DRM_ERROR("Failed to allocate crtc\n");
ret = -ENOMEM;
@@ -2072,8 +2046,6 @@ int ltdc_load(struct drm_device *ddev)
return 0;
err:
- for (i = 0; i < nb_endpoints; i++)
- drm_of_panel_bridge_remove(ddev->dev->of_node, 0, i);
clk_disable_unprepare(ldev->pixel_clk);
@@ -2082,16 +2054,8 @@ int ltdc_load(struct drm_device *ddev)
void ltdc_unload(struct drm_device *ddev)
{
- struct device *dev = ddev->dev;
- int nb_endpoints, i;
-
DRM_DEBUG_DRIVER("\n");
- nb_endpoints = of_graph_get_endpoint_count(dev->of_node);
-
- for (i = 0; i < nb_endpoints; i++)
- drm_of_panel_bridge_remove(ddev->dev->of_node, 0, i);
-
pm_runtime_disable(ddev->dev);
}
--
2.30.2
^ permalink raw reply related [flat|nested] 19+ messages in thread
* [PATCH v2] drm/stm: Avoid use-after-free issues with crtc and plane
@ 2023-11-24 10:04 ` Katya Orlova
0 siblings, 0 replies; 19+ messages in thread
From: Katya Orlova @ 2023-11-24 10:04 UTC (permalink / raw)
To: Raphael Gallais-Pou
Cc: Yannick Fertre, Alexandre Torgue, dri-devel, linux-kernel,
Philippe Cornu, Maxime Coquelin, Katya Orlova, linux-stm32,
linux-arm-kernel, lvc-project
ltdc_load() calls functions drm_crtc_init_with_planes(),
drm_universal_plane_init() and drm_encoder_init(). These functions
should not be called with parameters allocated with devm_kzalloc()
to avoid use-after-free issues [1].
Use allocations managed by the DRM framework.
Found by Linux Verification Center (linuxtesting.org).
[1]
https://lore.kernel.org/lkml/u366i76e3qhh3ra5oxrtngjtm2u5lterkekcz6y2jkndhuxzli@diujon4h7qwb/
Signed-off-by: Katya Orlova <e.orlova@ispras.ru>
---
v2: use allocations managed by the DRM as
Raphael Gallais-Pou <raphael.gallais-pou@foss.st.com> suggested.
Also add a fix for encoder.
drivers/gpu/drm/stm/drv.c | 3 +-
drivers/gpu/drm/stm/ltdc.c | 68 +++++++++-----------------------------
2 files changed, 18 insertions(+), 53 deletions(-)
diff --git a/drivers/gpu/drm/stm/drv.c b/drivers/gpu/drm/stm/drv.c
index e8523abef27a..152bec2c0238 100644
--- a/drivers/gpu/drm/stm/drv.c
+++ b/drivers/gpu/drm/stm/drv.c
@@ -25,6 +25,7 @@
#include <drm/drm_module.h>
#include <drm/drm_probe_helper.h>
#include <drm/drm_vblank.h>
+#include <drm/drm_managed.h>
#include "ltdc.h"
@@ -75,7 +76,7 @@ static int drv_load(struct drm_device *ddev)
DRM_DEBUG("%s\n", __func__);
- ldev = devm_kzalloc(ddev->dev, sizeof(*ldev), GFP_KERNEL);
+ ldev = drmm_kzalloc(ddev, sizeof(*ldev), GFP_KERNEL);
if (!ldev)
return -ENOMEM;
diff --git a/drivers/gpu/drm/stm/ltdc.c b/drivers/gpu/drm/stm/ltdc.c
index 5576fdae4962..02a7c8375f44 100644
--- a/drivers/gpu/drm/stm/ltdc.c
+++ b/drivers/gpu/drm/stm/ltdc.c
@@ -36,6 +36,7 @@
#include <drm/drm_probe_helper.h>
#include <drm/drm_simple_kms_helper.h>
#include <drm/drm_vblank.h>
+#include <drm/drm_managed.h>
#include <video/videomode.h>
@@ -1199,7 +1200,6 @@ static void ltdc_crtc_atomic_print_state(struct drm_printer *p,
}
static const struct drm_crtc_funcs ltdc_crtc_funcs = {
- .destroy = drm_crtc_cleanup,
.set_config = drm_atomic_helper_set_config,
.page_flip = drm_atomic_helper_page_flip,
.reset = drm_atomic_helper_crtc_reset,
@@ -1212,7 +1212,6 @@ static const struct drm_crtc_funcs ltdc_crtc_funcs = {
};
static const struct drm_crtc_funcs ltdc_crtc_with_crc_support_funcs = {
- .destroy = drm_crtc_cleanup,
.set_config = drm_atomic_helper_set_config,
.page_flip = drm_atomic_helper_page_flip,
.reset = drm_atomic_helper_crtc_reset,
@@ -1545,7 +1544,6 @@ static void ltdc_plane_atomic_print_state(struct drm_printer *p,
static const struct drm_plane_funcs ltdc_plane_funcs = {
.update_plane = drm_atomic_helper_update_plane,
.disable_plane = drm_atomic_helper_disable_plane,
- .destroy = drm_plane_cleanup,
.reset = drm_atomic_helper_plane_reset,
.atomic_duplicate_state = drm_atomic_helper_plane_duplicate_state,
.atomic_destroy_state = drm_atomic_helper_plane_destroy_state,
@@ -1572,7 +1570,6 @@ static struct drm_plane *ltdc_plane_create(struct drm_device *ddev,
const u64 *modifiers = ltdc_format_modifiers;
u32 lofs = index * LAY_OFS;
u32 val;
- int ret;
/* Allocate the biggest size according to supported color formats */
formats = devm_kzalloc(dev, (ldev->caps.pix_fmt_nb +
@@ -1613,14 +1610,10 @@ static struct drm_plane *ltdc_plane_create(struct drm_device *ddev,
}
}
- plane = devm_kzalloc(dev, sizeof(*plane), GFP_KERNEL);
- if (!plane)
- return NULL;
-
- ret = drm_universal_plane_init(ddev, plane, possible_crtcs,
- <dc_plane_funcs, formats, nb_fmt,
- modifiers, type, NULL);
- if (ret < 0)
+ plane = drmm_universal_plane_alloc(ddev, struct drm_plane, dev,
+ possible_crtcs, <dc_plane_funcs, formats, nb_fmt,
+ modifiers, type, NULL);
+ if (IS_ERR(plane))
return NULL;
if (ldev->caps.ycbcr_input) {
@@ -1643,15 +1636,6 @@ static struct drm_plane *ltdc_plane_create(struct drm_device *ddev,
return plane;
}
-static void ltdc_plane_destroy_all(struct drm_device *ddev)
-{
- struct drm_plane *plane, *plane_temp;
-
- list_for_each_entry_safe(plane, plane_temp,
- &ddev->mode_config.plane_list, head)
- drm_plane_cleanup(plane);
-}
-
static int ltdc_crtc_init(struct drm_device *ddev, struct drm_crtc *crtc)
{
struct ltdc_device *ldev = ddev->dev_private;
@@ -1677,14 +1661,14 @@ static int ltdc_crtc_init(struct drm_device *ddev, struct drm_crtc *crtc)
/* Init CRTC according to its hardware features */
if (ldev->caps.crc)
- ret = drm_crtc_init_with_planes(ddev, crtc, primary, NULL,
+ ret = drmm_crtc_init_with_planes(ddev, crtc, primary, NULL,
<dc_crtc_with_crc_support_funcs, NULL);
else
- ret = drm_crtc_init_with_planes(ddev, crtc, primary, NULL,
+ ret = drmm_crtc_init_with_planes(ddev, crtc, primary, NULL,
<dc_crtc_funcs, NULL);
if (ret) {
DRM_ERROR("Can not initialize CRTC\n");
- goto cleanup;
+ return ret;
}
drm_crtc_helper_add(crtc, <dc_crtc_helper_funcs);
@@ -1698,9 +1682,8 @@ static int ltdc_crtc_init(struct drm_device *ddev, struct drm_crtc *crtc)
for (i = 1; i < ldev->caps.nb_layers; i++) {
overlay = ltdc_plane_create(ddev, DRM_PLANE_TYPE_OVERLAY, i);
if (!overlay) {
- ret = -ENOMEM;
DRM_ERROR("Can not create overlay plane %d\n", i);
- goto cleanup;
+ return -ENOMEM;
}
if (ldev->caps.dynamic_zorder)
drm_plane_create_zpos_property(overlay, i, 0, ldev->caps.nb_layers - 1);
@@ -1713,10 +1696,6 @@ static int ltdc_crtc_init(struct drm_device *ddev, struct drm_crtc *crtc)
}
return 0;
-
-cleanup:
- ltdc_plane_destroy_all(ddev);
- return ret;
}
static void ltdc_encoder_disable(struct drm_encoder *encoder)
@@ -1776,23 +1755,19 @@ static int ltdc_encoder_init(struct drm_device *ddev, struct drm_bridge *bridge)
struct drm_encoder *encoder;
int ret;
- encoder = devm_kzalloc(ddev->dev, sizeof(*encoder), GFP_KERNEL);
- if (!encoder)
- return -ENOMEM;
+ encoder = drmm_simple_encoder_alloc(ddev, struct drm_encoder, dev,
+ DRM_MODE_ENCODER_DPI);
+ if (IS_ERR(encoder))
+ return PTR_ERR(encoder);
encoder->possible_crtcs = CRTC_MASK;
encoder->possible_clones = 0; /* No cloning support */
- drm_simple_encoder_init(ddev, encoder, DRM_MODE_ENCODER_DPI);
-
drm_encoder_helper_add(encoder, <dc_encoder_helper_funcs);
ret = drm_bridge_attach(encoder, bridge, NULL, 0);
- if (ret) {
- if (ret != -EPROBE_DEFER)
- drm_encoder_cleanup(encoder);
+ if (ret)
return ret;
- }
DRM_DEBUG_DRIVER("Bridge encoder:%d created\n", encoder->base.id);
@@ -1962,8 +1937,7 @@ int ltdc_load(struct drm_device *ddev)
goto err;
if (panel) {
- bridge = drm_panel_bridge_add_typed(panel,
- DRM_MODE_CONNECTOR_DPI);
+ bridge = drmm_panel_bridge_add(ddev, panel);
if (IS_ERR(bridge)) {
DRM_ERROR("panel-bridge endpoint %d\n", i);
ret = PTR_ERR(bridge);
@@ -2045,7 +2019,7 @@ int ltdc_load(struct drm_device *ddev)
}
}
- crtc = devm_kzalloc(dev, sizeof(*crtc), GFP_KERNEL);
+ crtc = drmm_kzalloc(ddev, sizeof(*crtc), GFP_KERNEL);
if (!crtc) {
DRM_ERROR("Failed to allocate crtc\n");
ret = -ENOMEM;
@@ -2072,8 +2046,6 @@ int ltdc_load(struct drm_device *ddev)
return 0;
err:
- for (i = 0; i < nb_endpoints; i++)
- drm_of_panel_bridge_remove(ddev->dev->of_node, 0, i);
clk_disable_unprepare(ldev->pixel_clk);
@@ -2082,16 +2054,8 @@ int ltdc_load(struct drm_device *ddev)
void ltdc_unload(struct drm_device *ddev)
{
- struct device *dev = ddev->dev;
- int nb_endpoints, i;
-
DRM_DEBUG_DRIVER("\n");
- nb_endpoints = of_graph_get_endpoint_count(dev->of_node);
-
- for (i = 0; i < nb_endpoints; i++)
- drm_of_panel_bridge_remove(ddev->dev->of_node, 0, i);
-
pm_runtime_disable(ddev->dev);
}
--
2.30.2
^ permalink raw reply related [flat|nested] 19+ messages in thread
* [PATCH v2] drm/stm: Avoid use-after-free issues with crtc and plane
@ 2023-11-24 10:04 ` Katya Orlova
0 siblings, 0 replies; 19+ messages in thread
From: Katya Orlova @ 2023-11-24 10:04 UTC (permalink / raw)
To: Raphael Gallais-Pou
Cc: Katya Orlova, Yannick Fertre, Philippe Cornu, David Airlie,
Daniel Vetter, Maxime Coquelin, Alexandre Torgue, Philipp Zabel,
dri-devel, linux-stm32, linux-arm-kernel, linux-kernel,
lvc-project
ltdc_load() calls functions drm_crtc_init_with_planes(),
drm_universal_plane_init() and drm_encoder_init(). These functions
should not be called with parameters allocated with devm_kzalloc()
to avoid use-after-free issues [1].
Use allocations managed by the DRM framework.
Found by Linux Verification Center (linuxtesting.org).
[1]
https://lore.kernel.org/lkml/u366i76e3qhh3ra5oxrtngjtm2u5lterkekcz6y2jkndhuxzli@diujon4h7qwb/
Signed-off-by: Katya Orlova <e.orlova@ispras.ru>
---
v2: use allocations managed by the DRM as
Raphael Gallais-Pou <raphael.gallais-pou@foss.st.com> suggested.
Also add a fix for encoder.
drivers/gpu/drm/stm/drv.c | 3 +-
drivers/gpu/drm/stm/ltdc.c | 68 +++++++++-----------------------------
2 files changed, 18 insertions(+), 53 deletions(-)
diff --git a/drivers/gpu/drm/stm/drv.c b/drivers/gpu/drm/stm/drv.c
index e8523abef27a..152bec2c0238 100644
--- a/drivers/gpu/drm/stm/drv.c
+++ b/drivers/gpu/drm/stm/drv.c
@@ -25,6 +25,7 @@
#include <drm/drm_module.h>
#include <drm/drm_probe_helper.h>
#include <drm/drm_vblank.h>
+#include <drm/drm_managed.h>
#include "ltdc.h"
@@ -75,7 +76,7 @@ static int drv_load(struct drm_device *ddev)
DRM_DEBUG("%s\n", __func__);
- ldev = devm_kzalloc(ddev->dev, sizeof(*ldev), GFP_KERNEL);
+ ldev = drmm_kzalloc(ddev, sizeof(*ldev), GFP_KERNEL);
if (!ldev)
return -ENOMEM;
diff --git a/drivers/gpu/drm/stm/ltdc.c b/drivers/gpu/drm/stm/ltdc.c
index 5576fdae4962..02a7c8375f44 100644
--- a/drivers/gpu/drm/stm/ltdc.c
+++ b/drivers/gpu/drm/stm/ltdc.c
@@ -36,6 +36,7 @@
#include <drm/drm_probe_helper.h>
#include <drm/drm_simple_kms_helper.h>
#include <drm/drm_vblank.h>
+#include <drm/drm_managed.h>
#include <video/videomode.h>
@@ -1199,7 +1200,6 @@ static void ltdc_crtc_atomic_print_state(struct drm_printer *p,
}
static const struct drm_crtc_funcs ltdc_crtc_funcs = {
- .destroy = drm_crtc_cleanup,
.set_config = drm_atomic_helper_set_config,
.page_flip = drm_atomic_helper_page_flip,
.reset = drm_atomic_helper_crtc_reset,
@@ -1212,7 +1212,6 @@ static const struct drm_crtc_funcs ltdc_crtc_funcs = {
};
static const struct drm_crtc_funcs ltdc_crtc_with_crc_support_funcs = {
- .destroy = drm_crtc_cleanup,
.set_config = drm_atomic_helper_set_config,
.page_flip = drm_atomic_helper_page_flip,
.reset = drm_atomic_helper_crtc_reset,
@@ -1545,7 +1544,6 @@ static void ltdc_plane_atomic_print_state(struct drm_printer *p,
static const struct drm_plane_funcs ltdc_plane_funcs = {
.update_plane = drm_atomic_helper_update_plane,
.disable_plane = drm_atomic_helper_disable_plane,
- .destroy = drm_plane_cleanup,
.reset = drm_atomic_helper_plane_reset,
.atomic_duplicate_state = drm_atomic_helper_plane_duplicate_state,
.atomic_destroy_state = drm_atomic_helper_plane_destroy_state,
@@ -1572,7 +1570,6 @@ static struct drm_plane *ltdc_plane_create(struct drm_device *ddev,
const u64 *modifiers = ltdc_format_modifiers;
u32 lofs = index * LAY_OFS;
u32 val;
- int ret;
/* Allocate the biggest size according to supported color formats */
formats = devm_kzalloc(dev, (ldev->caps.pix_fmt_nb +
@@ -1613,14 +1610,10 @@ static struct drm_plane *ltdc_plane_create(struct drm_device *ddev,
}
}
- plane = devm_kzalloc(dev, sizeof(*plane), GFP_KERNEL);
- if (!plane)
- return NULL;
-
- ret = drm_universal_plane_init(ddev, plane, possible_crtcs,
- <dc_plane_funcs, formats, nb_fmt,
- modifiers, type, NULL);
- if (ret < 0)
+ plane = drmm_universal_plane_alloc(ddev, struct drm_plane, dev,
+ possible_crtcs, <dc_plane_funcs, formats, nb_fmt,
+ modifiers, type, NULL);
+ if (IS_ERR(plane))
return NULL;
if (ldev->caps.ycbcr_input) {
@@ -1643,15 +1636,6 @@ static struct drm_plane *ltdc_plane_create(struct drm_device *ddev,
return plane;
}
-static void ltdc_plane_destroy_all(struct drm_device *ddev)
-{
- struct drm_plane *plane, *plane_temp;
-
- list_for_each_entry_safe(plane, plane_temp,
- &ddev->mode_config.plane_list, head)
- drm_plane_cleanup(plane);
-}
-
static int ltdc_crtc_init(struct drm_device *ddev, struct drm_crtc *crtc)
{
struct ltdc_device *ldev = ddev->dev_private;
@@ -1677,14 +1661,14 @@ static int ltdc_crtc_init(struct drm_device *ddev, struct drm_crtc *crtc)
/* Init CRTC according to its hardware features */
if (ldev->caps.crc)
- ret = drm_crtc_init_with_planes(ddev, crtc, primary, NULL,
+ ret = drmm_crtc_init_with_planes(ddev, crtc, primary, NULL,
<dc_crtc_with_crc_support_funcs, NULL);
else
- ret = drm_crtc_init_with_planes(ddev, crtc, primary, NULL,
+ ret = drmm_crtc_init_with_planes(ddev, crtc, primary, NULL,
<dc_crtc_funcs, NULL);
if (ret) {
DRM_ERROR("Can not initialize CRTC\n");
- goto cleanup;
+ return ret;
}
drm_crtc_helper_add(crtc, <dc_crtc_helper_funcs);
@@ -1698,9 +1682,8 @@ static int ltdc_crtc_init(struct drm_device *ddev, struct drm_crtc *crtc)
for (i = 1; i < ldev->caps.nb_layers; i++) {
overlay = ltdc_plane_create(ddev, DRM_PLANE_TYPE_OVERLAY, i);
if (!overlay) {
- ret = -ENOMEM;
DRM_ERROR("Can not create overlay plane %d\n", i);
- goto cleanup;
+ return -ENOMEM;
}
if (ldev->caps.dynamic_zorder)
drm_plane_create_zpos_property(overlay, i, 0, ldev->caps.nb_layers - 1);
@@ -1713,10 +1696,6 @@ static int ltdc_crtc_init(struct drm_device *ddev, struct drm_crtc *crtc)
}
return 0;
-
-cleanup:
- ltdc_plane_destroy_all(ddev);
- return ret;
}
static void ltdc_encoder_disable(struct drm_encoder *encoder)
@@ -1776,23 +1755,19 @@ static int ltdc_encoder_init(struct drm_device *ddev, struct drm_bridge *bridge)
struct drm_encoder *encoder;
int ret;
- encoder = devm_kzalloc(ddev->dev, sizeof(*encoder), GFP_KERNEL);
- if (!encoder)
- return -ENOMEM;
+ encoder = drmm_simple_encoder_alloc(ddev, struct drm_encoder, dev,
+ DRM_MODE_ENCODER_DPI);
+ if (IS_ERR(encoder))
+ return PTR_ERR(encoder);
encoder->possible_crtcs = CRTC_MASK;
encoder->possible_clones = 0; /* No cloning support */
- drm_simple_encoder_init(ddev, encoder, DRM_MODE_ENCODER_DPI);
-
drm_encoder_helper_add(encoder, <dc_encoder_helper_funcs);
ret = drm_bridge_attach(encoder, bridge, NULL, 0);
- if (ret) {
- if (ret != -EPROBE_DEFER)
- drm_encoder_cleanup(encoder);
+ if (ret)
return ret;
- }
DRM_DEBUG_DRIVER("Bridge encoder:%d created\n", encoder->base.id);
@@ -1962,8 +1937,7 @@ int ltdc_load(struct drm_device *ddev)
goto err;
if (panel) {
- bridge = drm_panel_bridge_add_typed(panel,
- DRM_MODE_CONNECTOR_DPI);
+ bridge = drmm_panel_bridge_add(ddev, panel);
if (IS_ERR(bridge)) {
DRM_ERROR("panel-bridge endpoint %d\n", i);
ret = PTR_ERR(bridge);
@@ -2045,7 +2019,7 @@ int ltdc_load(struct drm_device *ddev)
}
}
- crtc = devm_kzalloc(dev, sizeof(*crtc), GFP_KERNEL);
+ crtc = drmm_kzalloc(ddev, sizeof(*crtc), GFP_KERNEL);
if (!crtc) {
DRM_ERROR("Failed to allocate crtc\n");
ret = -ENOMEM;
@@ -2072,8 +2046,6 @@ int ltdc_load(struct drm_device *ddev)
return 0;
err:
- for (i = 0; i < nb_endpoints; i++)
- drm_of_panel_bridge_remove(ddev->dev->of_node, 0, i);
clk_disable_unprepare(ldev->pixel_clk);
@@ -2082,16 +2054,8 @@ int ltdc_load(struct drm_device *ddev)
void ltdc_unload(struct drm_device *ddev)
{
- struct device *dev = ddev->dev;
- int nb_endpoints, i;
-
DRM_DEBUG_DRIVER("\n");
- nb_endpoints = of_graph_get_endpoint_count(dev->of_node);
-
- for (i = 0; i < nb_endpoints; i++)
- drm_of_panel_bridge_remove(ddev->dev->of_node, 0, i);
-
pm_runtime_disable(ddev->dev);
}
--
2.30.2
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
^ permalink raw reply related [flat|nested] 19+ messages in thread
* Re: [PATCH v2] drm/stm: Avoid use-after-free issues with crtc and plane
2023-11-24 10:04 ` Katya Orlova
(?)
@ 2024-01-05 9:21 ` Raphael Gallais-Pou
-1 siblings, 0 replies; 19+ messages in thread
From: Raphael Gallais-Pou @ 2024-01-05 9:21 UTC (permalink / raw)
To: Katya Orlova
Cc: Yannick Fertre, Philippe Cornu, David Airlie, Daniel Vetter,
Maxime Coquelin, Alexandre Torgue, Philipp Zabel, dri-devel,
linux-stm32, linux-arm-kernel, linux-kernel, lvc-project
On 11/24/23 11:04, Katya Orlova wrote:
> ltdc_load() calls functions drm_crtc_init_with_planes(),
> drm_universal_plane_init() and drm_encoder_init(). These functions
> should not be called with parameters allocated with devm_kzalloc()
> to avoid use-after-free issues [1].
>
> Use allocations managed by the DRM framework.
>
> Found by Linux Verification Center (linuxtesting.org).
>
> [1]
> https://lore.kernel.org/lkml/u366i76e3qhh3ra5oxrtngjtm2u5lterkekcz6y2jkndhuxzli@diujon4h7qwb/
>
> Signed-off-by: Katya Orlova <e.orlova@ispras.ru>
> ---
> v2: use allocations managed by the DRM as
> Raphael Gallais-Pou <raphael.gallais-pou@foss.st.com> suggested.
> Also add a fix for encoder.
> drivers/gpu/drm/stm/drv.c | 3 +-
> drivers/gpu/drm/stm/ltdc.c | 68 +++++++++-----------------------------
> 2 files changed, 18 insertions(+), 53 deletions(-)
>
> diff --git a/drivers/gpu/drm/stm/drv.c b/drivers/gpu/drm/stm/drv.c
> index e8523abef27a..152bec2c0238 100644
> --- a/drivers/gpu/drm/stm/drv.c
> +++ b/drivers/gpu/drm/stm/drv.c
> @@ -25,6 +25,7 @@
> #include <drm/drm_module.h>
> #include <drm/drm_probe_helper.h>
> #include <drm/drm_vblank.h>
> +#include <drm/drm_managed.h>
>
> #include "ltdc.h"
>
> @@ -75,7 +76,7 @@ static int drv_load(struct drm_device *ddev)
>
> DRM_DEBUG("%s\n", __func__);
>
> - ldev = devm_kzalloc(ddev->dev, sizeof(*ldev), GFP_KERNEL);
> + ldev = drmm_kzalloc(ddev, sizeof(*ldev), GFP_KERNEL);
> if (!ldev)
> return -ENOMEM;
>
> diff --git a/drivers/gpu/drm/stm/ltdc.c b/drivers/gpu/drm/stm/ltdc.c
> index 5576fdae4962..02a7c8375f44 100644
> --- a/drivers/gpu/drm/stm/ltdc.c
> +++ b/drivers/gpu/drm/stm/ltdc.c
> @@ -36,6 +36,7 @@
> #include <drm/drm_probe_helper.h>
> #include <drm/drm_simple_kms_helper.h>
> #include <drm/drm_vblank.h>
> +#include <drm/drm_managed.h>
>
> #include <video/videomode.h>
>
> @@ -1199,7 +1200,6 @@ static void ltdc_crtc_atomic_print_state(struct drm_printer *p,
> }
>
> static const struct drm_crtc_funcs ltdc_crtc_funcs = {
> - .destroy = drm_crtc_cleanup,
> .set_config = drm_atomic_helper_set_config,
> .page_flip = drm_atomic_helper_page_flip,
> .reset = drm_atomic_helper_crtc_reset,
> @@ -1212,7 +1212,6 @@ static const struct drm_crtc_funcs ltdc_crtc_funcs = {
> };
>
> static const struct drm_crtc_funcs ltdc_crtc_with_crc_support_funcs = {
> - .destroy = drm_crtc_cleanup,
> .set_config = drm_atomic_helper_set_config,
> .page_flip = drm_atomic_helper_page_flip,
> .reset = drm_atomic_helper_crtc_reset,
> @@ -1545,7 +1544,6 @@ static void ltdc_plane_atomic_print_state(struct drm_printer *p,
> static const struct drm_plane_funcs ltdc_plane_funcs = {
> .update_plane = drm_atomic_helper_update_plane,
> .disable_plane = drm_atomic_helper_disable_plane,
> - .destroy = drm_plane_cleanup,
> .reset = drm_atomic_helper_plane_reset,
> .atomic_duplicate_state = drm_atomic_helper_plane_duplicate_state,
> .atomic_destroy_state = drm_atomic_helper_plane_destroy_state,
> @@ -1572,7 +1570,6 @@ static struct drm_plane *ltdc_plane_create(struct drm_device *ddev,
> const u64 *modifiers = ltdc_format_modifiers;
> u32 lofs = index * LAY_OFS;
> u32 val;
> - int ret;
>
> /* Allocate the biggest size according to supported color formats */
> formats = devm_kzalloc(dev, (ldev->caps.pix_fmt_nb +
> @@ -1613,14 +1610,10 @@ static struct drm_plane *ltdc_plane_create(struct drm_device *ddev,
> }
> }
>
> - plane = devm_kzalloc(dev, sizeof(*plane), GFP_KERNEL);
> - if (!plane)
> - return NULL;
> -
> - ret = drm_universal_plane_init(ddev, plane, possible_crtcs,
> - <dc_plane_funcs, formats, nb_fmt,
> - modifiers, type, NULL);
> - if (ret < 0)
> + plane = drmm_universal_plane_alloc(ddev, struct drm_plane, dev,
> + possible_crtcs, <dc_plane_funcs, formats, nb_fmt,
> + modifiers, type, NULL);
Hi Katya,
Thanks for your submission, and sorry for the delay.
There is several alignment style problems, such as the lines above.
You can use "--strict" option with checkpatch script to show you all the faulty
alignment before sending a patch.
Other than that this patch looks pretty good to me.
Regards,
Raphaël
> + if (IS_ERR(plane))
> return NULL;
>
> if (ldev->caps.ycbcr_input) {
> @@ -1643,15 +1636,6 @@ static struct drm_plane *ltdc_plane_create(struct drm_device *ddev,
> return plane;
> }
>
> -static void ltdc_plane_destroy_all(struct drm_device *ddev)
> -{
> - struct drm_plane *plane, *plane_temp;
> -
> - list_for_each_entry_safe(plane, plane_temp,
> - &ddev->mode_config.plane_list, head)
> - drm_plane_cleanup(plane);
> -}
> -
> static int ltdc_crtc_init(struct drm_device *ddev, struct drm_crtc *crtc)
> {
> struct ltdc_device *ldev = ddev->dev_private;
> @@ -1677,14 +1661,14 @@ static int ltdc_crtc_init(struct drm_device *ddev, struct drm_crtc *crtc)
>
> /* Init CRTC according to its hardware features */
> if (ldev->caps.crc)
> - ret = drm_crtc_init_with_planes(ddev, crtc, primary, NULL,
> + ret = drmm_crtc_init_with_planes(ddev, crtc, primary, NULL,
> <dc_crtc_with_crc_support_funcs, NULL);
> else
> - ret = drm_crtc_init_with_planes(ddev, crtc, primary, NULL,
> + ret = drmm_crtc_init_with_planes(ddev, crtc, primary, NULL,
> <dc_crtc_funcs, NULL);
> if (ret) {
> DRM_ERROR("Can not initialize CRTC\n");
> - goto cleanup;
> + return ret;
> }
>
> drm_crtc_helper_add(crtc, <dc_crtc_helper_funcs);
> @@ -1698,9 +1682,8 @@ static int ltdc_crtc_init(struct drm_device *ddev, struct drm_crtc *crtc)
> for (i = 1; i < ldev->caps.nb_layers; i++) {
> overlay = ltdc_plane_create(ddev, DRM_PLANE_TYPE_OVERLAY, i);
> if (!overlay) {
> - ret = -ENOMEM;
> DRM_ERROR("Can not create overlay plane %d\n", i);
> - goto cleanup;
> + return -ENOMEM;
> }
> if (ldev->caps.dynamic_zorder)
> drm_plane_create_zpos_property(overlay, i, 0, ldev->caps.nb_layers - 1);
> @@ -1713,10 +1696,6 @@ static int ltdc_crtc_init(struct drm_device *ddev, struct drm_crtc *crtc)
> }
>
> return 0;
> -
> -cleanup:
> - ltdc_plane_destroy_all(ddev);
> - return ret;
> }
>
> static void ltdc_encoder_disable(struct drm_encoder *encoder)
> @@ -1776,23 +1755,19 @@ static int ltdc_encoder_init(struct drm_device *ddev, struct drm_bridge *bridge)
> struct drm_encoder *encoder;
> int ret;
>
> - encoder = devm_kzalloc(ddev->dev, sizeof(*encoder), GFP_KERNEL);
> - if (!encoder)
> - return -ENOMEM;
> + encoder = drmm_simple_encoder_alloc(ddev, struct drm_encoder, dev,
> + DRM_MODE_ENCODER_DPI);
Nit: bad alignment.
> + if (IS_ERR(encoder))
> + return PTR_ERR(encoder);
>
> encoder->possible_crtcs = CRTC_MASK;
> encoder->possible_clones = 0; /* No cloning support */
>
> - drm_simple_encoder_init(ddev, encoder, DRM_MODE_ENCODER_DPI);
> -
> drm_encoder_helper_add(encoder, <dc_encoder_helper_funcs);
>
> ret = drm_bridge_attach(encoder, bridge, NULL, 0);
> - if (ret) {
> - if (ret != -EPROBE_DEFER)
> - drm_encoder_cleanup(encoder);
> + if (ret)
> return ret;
> - }
>
> DRM_DEBUG_DRIVER("Bridge encoder:%d created\n", encoder->base.id);
>
> @@ -1962,8 +1937,7 @@ int ltdc_load(struct drm_device *ddev)
> goto err;
>
> if (panel) {
> - bridge = drm_panel_bridge_add_typed(panel,
> - DRM_MODE_CONNECTOR_DPI);
> + bridge = drmm_panel_bridge_add(ddev, panel);
> if (IS_ERR(bridge)) {
> DRM_ERROR("panel-bridge endpoint %d\n", i);
> ret = PTR_ERR(bridge);
> @@ -2045,7 +2019,7 @@ int ltdc_load(struct drm_device *ddev)
> }
> }
>
> - crtc = devm_kzalloc(dev, sizeof(*crtc), GFP_KERNEL);
> + crtc = drmm_kzalloc(ddev, sizeof(*crtc), GFP_KERNEL);
> if (!crtc) {
> DRM_ERROR("Failed to allocate crtc\n");
> ret = -ENOMEM;
> @@ -2072,8 +2046,6 @@ int ltdc_load(struct drm_device *ddev)
>
> return 0;
> err:
> - for (i = 0; i < nb_endpoints; i++)
> - drm_of_panel_bridge_remove(ddev->dev->of_node, 0, i);
>
> clk_disable_unprepare(ldev->pixel_clk);
>
> @@ -2082,16 +2054,8 @@ int ltdc_load(struct drm_device *ddev)
>
> void ltdc_unload(struct drm_device *ddev)
> {
> - struct device *dev = ddev->dev;
> - int nb_endpoints, i;
> -
> DRM_DEBUG_DRIVER("\n");
>
> - nb_endpoints = of_graph_get_endpoint_count(dev->of_node);
> -
> - for (i = 0; i < nb_endpoints; i++)
> - drm_of_panel_bridge_remove(ddev->dev->of_node, 0, i);
> -
> pm_runtime_disable(ddev->dev);
> }
>
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH v2] drm/stm: Avoid use-after-free issues with crtc and plane
@ 2024-01-05 9:21 ` Raphael Gallais-Pou
0 siblings, 0 replies; 19+ messages in thread
From: Raphael Gallais-Pou @ 2024-01-05 9:21 UTC (permalink / raw)
To: Katya Orlova
Cc: Yannick Fertre, Alexandre Torgue, dri-devel, linux-kernel,
Philippe Cornu, Maxime Coquelin, linux-stm32, linux-arm-kernel,
lvc-project
On 11/24/23 11:04, Katya Orlova wrote:
> ltdc_load() calls functions drm_crtc_init_with_planes(),
> drm_universal_plane_init() and drm_encoder_init(). These functions
> should not be called with parameters allocated with devm_kzalloc()
> to avoid use-after-free issues [1].
>
> Use allocations managed by the DRM framework.
>
> Found by Linux Verification Center (linuxtesting.org).
>
> [1]
> https://lore.kernel.org/lkml/u366i76e3qhh3ra5oxrtngjtm2u5lterkekcz6y2jkndhuxzli@diujon4h7qwb/
>
> Signed-off-by: Katya Orlova <e.orlova@ispras.ru>
> ---
> v2: use allocations managed by the DRM as
> Raphael Gallais-Pou <raphael.gallais-pou@foss.st.com> suggested.
> Also add a fix for encoder.
> drivers/gpu/drm/stm/drv.c | 3 +-
> drivers/gpu/drm/stm/ltdc.c | 68 +++++++++-----------------------------
> 2 files changed, 18 insertions(+), 53 deletions(-)
>
> diff --git a/drivers/gpu/drm/stm/drv.c b/drivers/gpu/drm/stm/drv.c
> index e8523abef27a..152bec2c0238 100644
> --- a/drivers/gpu/drm/stm/drv.c
> +++ b/drivers/gpu/drm/stm/drv.c
> @@ -25,6 +25,7 @@
> #include <drm/drm_module.h>
> #include <drm/drm_probe_helper.h>
> #include <drm/drm_vblank.h>
> +#include <drm/drm_managed.h>
>
> #include "ltdc.h"
>
> @@ -75,7 +76,7 @@ static int drv_load(struct drm_device *ddev)
>
> DRM_DEBUG("%s\n", __func__);
>
> - ldev = devm_kzalloc(ddev->dev, sizeof(*ldev), GFP_KERNEL);
> + ldev = drmm_kzalloc(ddev, sizeof(*ldev), GFP_KERNEL);
> if (!ldev)
> return -ENOMEM;
>
> diff --git a/drivers/gpu/drm/stm/ltdc.c b/drivers/gpu/drm/stm/ltdc.c
> index 5576fdae4962..02a7c8375f44 100644
> --- a/drivers/gpu/drm/stm/ltdc.c
> +++ b/drivers/gpu/drm/stm/ltdc.c
> @@ -36,6 +36,7 @@
> #include <drm/drm_probe_helper.h>
> #include <drm/drm_simple_kms_helper.h>
> #include <drm/drm_vblank.h>
> +#include <drm/drm_managed.h>
>
> #include <video/videomode.h>
>
> @@ -1199,7 +1200,6 @@ static void ltdc_crtc_atomic_print_state(struct drm_printer *p,
> }
>
> static const struct drm_crtc_funcs ltdc_crtc_funcs = {
> - .destroy = drm_crtc_cleanup,
> .set_config = drm_atomic_helper_set_config,
> .page_flip = drm_atomic_helper_page_flip,
> .reset = drm_atomic_helper_crtc_reset,
> @@ -1212,7 +1212,6 @@ static const struct drm_crtc_funcs ltdc_crtc_funcs = {
> };
>
> static const struct drm_crtc_funcs ltdc_crtc_with_crc_support_funcs = {
> - .destroy = drm_crtc_cleanup,
> .set_config = drm_atomic_helper_set_config,
> .page_flip = drm_atomic_helper_page_flip,
> .reset = drm_atomic_helper_crtc_reset,
> @@ -1545,7 +1544,6 @@ static void ltdc_plane_atomic_print_state(struct drm_printer *p,
> static const struct drm_plane_funcs ltdc_plane_funcs = {
> .update_plane = drm_atomic_helper_update_plane,
> .disable_plane = drm_atomic_helper_disable_plane,
> - .destroy = drm_plane_cleanup,
> .reset = drm_atomic_helper_plane_reset,
> .atomic_duplicate_state = drm_atomic_helper_plane_duplicate_state,
> .atomic_destroy_state = drm_atomic_helper_plane_destroy_state,
> @@ -1572,7 +1570,6 @@ static struct drm_plane *ltdc_plane_create(struct drm_device *ddev,
> const u64 *modifiers = ltdc_format_modifiers;
> u32 lofs = index * LAY_OFS;
> u32 val;
> - int ret;
>
> /* Allocate the biggest size according to supported color formats */
> formats = devm_kzalloc(dev, (ldev->caps.pix_fmt_nb +
> @@ -1613,14 +1610,10 @@ static struct drm_plane *ltdc_plane_create(struct drm_device *ddev,
> }
> }
>
> - plane = devm_kzalloc(dev, sizeof(*plane), GFP_KERNEL);
> - if (!plane)
> - return NULL;
> -
> - ret = drm_universal_plane_init(ddev, plane, possible_crtcs,
> - <dc_plane_funcs, formats, nb_fmt,
> - modifiers, type, NULL);
> - if (ret < 0)
> + plane = drmm_universal_plane_alloc(ddev, struct drm_plane, dev,
> + possible_crtcs, <dc_plane_funcs, formats, nb_fmt,
> + modifiers, type, NULL);
Hi Katya,
Thanks for your submission, and sorry for the delay.
There is several alignment style problems, such as the lines above.
You can use "--strict" option with checkpatch script to show you all the faulty
alignment before sending a patch.
Other than that this patch looks pretty good to me.
Regards,
Raphaël
> + if (IS_ERR(plane))
> return NULL;
>
> if (ldev->caps.ycbcr_input) {
> @@ -1643,15 +1636,6 @@ static struct drm_plane *ltdc_plane_create(struct drm_device *ddev,
> return plane;
> }
>
> -static void ltdc_plane_destroy_all(struct drm_device *ddev)
> -{
> - struct drm_plane *plane, *plane_temp;
> -
> - list_for_each_entry_safe(plane, plane_temp,
> - &ddev->mode_config.plane_list, head)
> - drm_plane_cleanup(plane);
> -}
> -
> static int ltdc_crtc_init(struct drm_device *ddev, struct drm_crtc *crtc)
> {
> struct ltdc_device *ldev = ddev->dev_private;
> @@ -1677,14 +1661,14 @@ static int ltdc_crtc_init(struct drm_device *ddev, struct drm_crtc *crtc)
>
> /* Init CRTC according to its hardware features */
> if (ldev->caps.crc)
> - ret = drm_crtc_init_with_planes(ddev, crtc, primary, NULL,
> + ret = drmm_crtc_init_with_planes(ddev, crtc, primary, NULL,
> <dc_crtc_with_crc_support_funcs, NULL);
> else
> - ret = drm_crtc_init_with_planes(ddev, crtc, primary, NULL,
> + ret = drmm_crtc_init_with_planes(ddev, crtc, primary, NULL,
> <dc_crtc_funcs, NULL);
> if (ret) {
> DRM_ERROR("Can not initialize CRTC\n");
> - goto cleanup;
> + return ret;
> }
>
> drm_crtc_helper_add(crtc, <dc_crtc_helper_funcs);
> @@ -1698,9 +1682,8 @@ static int ltdc_crtc_init(struct drm_device *ddev, struct drm_crtc *crtc)
> for (i = 1; i < ldev->caps.nb_layers; i++) {
> overlay = ltdc_plane_create(ddev, DRM_PLANE_TYPE_OVERLAY, i);
> if (!overlay) {
> - ret = -ENOMEM;
> DRM_ERROR("Can not create overlay plane %d\n", i);
> - goto cleanup;
> + return -ENOMEM;
> }
> if (ldev->caps.dynamic_zorder)
> drm_plane_create_zpos_property(overlay, i, 0, ldev->caps.nb_layers - 1);
> @@ -1713,10 +1696,6 @@ static int ltdc_crtc_init(struct drm_device *ddev, struct drm_crtc *crtc)
> }
>
> return 0;
> -
> -cleanup:
> - ltdc_plane_destroy_all(ddev);
> - return ret;
> }
>
> static void ltdc_encoder_disable(struct drm_encoder *encoder)
> @@ -1776,23 +1755,19 @@ static int ltdc_encoder_init(struct drm_device *ddev, struct drm_bridge *bridge)
> struct drm_encoder *encoder;
> int ret;
>
> - encoder = devm_kzalloc(ddev->dev, sizeof(*encoder), GFP_KERNEL);
> - if (!encoder)
> - return -ENOMEM;
> + encoder = drmm_simple_encoder_alloc(ddev, struct drm_encoder, dev,
> + DRM_MODE_ENCODER_DPI);
Nit: bad alignment.
> + if (IS_ERR(encoder))
> + return PTR_ERR(encoder);
>
> encoder->possible_crtcs = CRTC_MASK;
> encoder->possible_clones = 0; /* No cloning support */
>
> - drm_simple_encoder_init(ddev, encoder, DRM_MODE_ENCODER_DPI);
> -
> drm_encoder_helper_add(encoder, <dc_encoder_helper_funcs);
>
> ret = drm_bridge_attach(encoder, bridge, NULL, 0);
> - if (ret) {
> - if (ret != -EPROBE_DEFER)
> - drm_encoder_cleanup(encoder);
> + if (ret)
> return ret;
> - }
>
> DRM_DEBUG_DRIVER("Bridge encoder:%d created\n", encoder->base.id);
>
> @@ -1962,8 +1937,7 @@ int ltdc_load(struct drm_device *ddev)
> goto err;
>
> if (panel) {
> - bridge = drm_panel_bridge_add_typed(panel,
> - DRM_MODE_CONNECTOR_DPI);
> + bridge = drmm_panel_bridge_add(ddev, panel);
> if (IS_ERR(bridge)) {
> DRM_ERROR("panel-bridge endpoint %d\n", i);
> ret = PTR_ERR(bridge);
> @@ -2045,7 +2019,7 @@ int ltdc_load(struct drm_device *ddev)
> }
> }
>
> - crtc = devm_kzalloc(dev, sizeof(*crtc), GFP_KERNEL);
> + crtc = drmm_kzalloc(ddev, sizeof(*crtc), GFP_KERNEL);
> if (!crtc) {
> DRM_ERROR("Failed to allocate crtc\n");
> ret = -ENOMEM;
> @@ -2072,8 +2046,6 @@ int ltdc_load(struct drm_device *ddev)
>
> return 0;
> err:
> - for (i = 0; i < nb_endpoints; i++)
> - drm_of_panel_bridge_remove(ddev->dev->of_node, 0, i);
>
> clk_disable_unprepare(ldev->pixel_clk);
>
> @@ -2082,16 +2054,8 @@ int ltdc_load(struct drm_device *ddev)
>
> void ltdc_unload(struct drm_device *ddev)
> {
> - struct device *dev = ddev->dev;
> - int nb_endpoints, i;
> -
> DRM_DEBUG_DRIVER("\n");
>
> - nb_endpoints = of_graph_get_endpoint_count(dev->of_node);
> -
> - for (i = 0; i < nb_endpoints; i++)
> - drm_of_panel_bridge_remove(ddev->dev->of_node, 0, i);
> -
> pm_runtime_disable(ddev->dev);
> }
>
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH v2] drm/stm: Avoid use-after-free issues with crtc and plane
@ 2024-01-05 9:21 ` Raphael Gallais-Pou
0 siblings, 0 replies; 19+ messages in thread
From: Raphael Gallais-Pou @ 2024-01-05 9:21 UTC (permalink / raw)
To: Katya Orlova
Cc: Yannick Fertre, Philippe Cornu, David Airlie, Daniel Vetter,
Maxime Coquelin, Alexandre Torgue, Philipp Zabel, dri-devel,
linux-stm32, linux-arm-kernel, linux-kernel, lvc-project
On 11/24/23 11:04, Katya Orlova wrote:
> ltdc_load() calls functions drm_crtc_init_with_planes(),
> drm_universal_plane_init() and drm_encoder_init(). These functions
> should not be called with parameters allocated with devm_kzalloc()
> to avoid use-after-free issues [1].
>
> Use allocations managed by the DRM framework.
>
> Found by Linux Verification Center (linuxtesting.org).
>
> [1]
> https://lore.kernel.org/lkml/u366i76e3qhh3ra5oxrtngjtm2u5lterkekcz6y2jkndhuxzli@diujon4h7qwb/
>
> Signed-off-by: Katya Orlova <e.orlova@ispras.ru>
> ---
> v2: use allocations managed by the DRM as
> Raphael Gallais-Pou <raphael.gallais-pou@foss.st.com> suggested.
> Also add a fix for encoder.
> drivers/gpu/drm/stm/drv.c | 3 +-
> drivers/gpu/drm/stm/ltdc.c | 68 +++++++++-----------------------------
> 2 files changed, 18 insertions(+), 53 deletions(-)
>
> diff --git a/drivers/gpu/drm/stm/drv.c b/drivers/gpu/drm/stm/drv.c
> index e8523abef27a..152bec2c0238 100644
> --- a/drivers/gpu/drm/stm/drv.c
> +++ b/drivers/gpu/drm/stm/drv.c
> @@ -25,6 +25,7 @@
> #include <drm/drm_module.h>
> #include <drm/drm_probe_helper.h>
> #include <drm/drm_vblank.h>
> +#include <drm/drm_managed.h>
>
> #include "ltdc.h"
>
> @@ -75,7 +76,7 @@ static int drv_load(struct drm_device *ddev)
>
> DRM_DEBUG("%s\n", __func__);
>
> - ldev = devm_kzalloc(ddev->dev, sizeof(*ldev), GFP_KERNEL);
> + ldev = drmm_kzalloc(ddev, sizeof(*ldev), GFP_KERNEL);
> if (!ldev)
> return -ENOMEM;
>
> diff --git a/drivers/gpu/drm/stm/ltdc.c b/drivers/gpu/drm/stm/ltdc.c
> index 5576fdae4962..02a7c8375f44 100644
> --- a/drivers/gpu/drm/stm/ltdc.c
> +++ b/drivers/gpu/drm/stm/ltdc.c
> @@ -36,6 +36,7 @@
> #include <drm/drm_probe_helper.h>
> #include <drm/drm_simple_kms_helper.h>
> #include <drm/drm_vblank.h>
> +#include <drm/drm_managed.h>
>
> #include <video/videomode.h>
>
> @@ -1199,7 +1200,6 @@ static void ltdc_crtc_atomic_print_state(struct drm_printer *p,
> }
>
> static const struct drm_crtc_funcs ltdc_crtc_funcs = {
> - .destroy = drm_crtc_cleanup,
> .set_config = drm_atomic_helper_set_config,
> .page_flip = drm_atomic_helper_page_flip,
> .reset = drm_atomic_helper_crtc_reset,
> @@ -1212,7 +1212,6 @@ static const struct drm_crtc_funcs ltdc_crtc_funcs = {
> };
>
> static const struct drm_crtc_funcs ltdc_crtc_with_crc_support_funcs = {
> - .destroy = drm_crtc_cleanup,
> .set_config = drm_atomic_helper_set_config,
> .page_flip = drm_atomic_helper_page_flip,
> .reset = drm_atomic_helper_crtc_reset,
> @@ -1545,7 +1544,6 @@ static void ltdc_plane_atomic_print_state(struct drm_printer *p,
> static const struct drm_plane_funcs ltdc_plane_funcs = {
> .update_plane = drm_atomic_helper_update_plane,
> .disable_plane = drm_atomic_helper_disable_plane,
> - .destroy = drm_plane_cleanup,
> .reset = drm_atomic_helper_plane_reset,
> .atomic_duplicate_state = drm_atomic_helper_plane_duplicate_state,
> .atomic_destroy_state = drm_atomic_helper_plane_destroy_state,
> @@ -1572,7 +1570,6 @@ static struct drm_plane *ltdc_plane_create(struct drm_device *ddev,
> const u64 *modifiers = ltdc_format_modifiers;
> u32 lofs = index * LAY_OFS;
> u32 val;
> - int ret;
>
> /* Allocate the biggest size according to supported color formats */
> formats = devm_kzalloc(dev, (ldev->caps.pix_fmt_nb +
> @@ -1613,14 +1610,10 @@ static struct drm_plane *ltdc_plane_create(struct drm_device *ddev,
> }
> }
>
> - plane = devm_kzalloc(dev, sizeof(*plane), GFP_KERNEL);
> - if (!plane)
> - return NULL;
> -
> - ret = drm_universal_plane_init(ddev, plane, possible_crtcs,
> - <dc_plane_funcs, formats, nb_fmt,
> - modifiers, type, NULL);
> - if (ret < 0)
> + plane = drmm_universal_plane_alloc(ddev, struct drm_plane, dev,
> + possible_crtcs, <dc_plane_funcs, formats, nb_fmt,
> + modifiers, type, NULL);
Hi Katya,
Thanks for your submission, and sorry for the delay.
There is several alignment style problems, such as the lines above.
You can use "--strict" option with checkpatch script to show you all the faulty
alignment before sending a patch.
Other than that this patch looks pretty good to me.
Regards,
Raphaël
> + if (IS_ERR(plane))
> return NULL;
>
> if (ldev->caps.ycbcr_input) {
> @@ -1643,15 +1636,6 @@ static struct drm_plane *ltdc_plane_create(struct drm_device *ddev,
> return plane;
> }
>
> -static void ltdc_plane_destroy_all(struct drm_device *ddev)
> -{
> - struct drm_plane *plane, *plane_temp;
> -
> - list_for_each_entry_safe(plane, plane_temp,
> - &ddev->mode_config.plane_list, head)
> - drm_plane_cleanup(plane);
> -}
> -
> static int ltdc_crtc_init(struct drm_device *ddev, struct drm_crtc *crtc)
> {
> struct ltdc_device *ldev = ddev->dev_private;
> @@ -1677,14 +1661,14 @@ static int ltdc_crtc_init(struct drm_device *ddev, struct drm_crtc *crtc)
>
> /* Init CRTC according to its hardware features */
> if (ldev->caps.crc)
> - ret = drm_crtc_init_with_planes(ddev, crtc, primary, NULL,
> + ret = drmm_crtc_init_with_planes(ddev, crtc, primary, NULL,
> <dc_crtc_with_crc_support_funcs, NULL);
> else
> - ret = drm_crtc_init_with_planes(ddev, crtc, primary, NULL,
> + ret = drmm_crtc_init_with_planes(ddev, crtc, primary, NULL,
> <dc_crtc_funcs, NULL);
> if (ret) {
> DRM_ERROR("Can not initialize CRTC\n");
> - goto cleanup;
> + return ret;
> }
>
> drm_crtc_helper_add(crtc, <dc_crtc_helper_funcs);
> @@ -1698,9 +1682,8 @@ static int ltdc_crtc_init(struct drm_device *ddev, struct drm_crtc *crtc)
> for (i = 1; i < ldev->caps.nb_layers; i++) {
> overlay = ltdc_plane_create(ddev, DRM_PLANE_TYPE_OVERLAY, i);
> if (!overlay) {
> - ret = -ENOMEM;
> DRM_ERROR("Can not create overlay plane %d\n", i);
> - goto cleanup;
> + return -ENOMEM;
> }
> if (ldev->caps.dynamic_zorder)
> drm_plane_create_zpos_property(overlay, i, 0, ldev->caps.nb_layers - 1);
> @@ -1713,10 +1696,6 @@ static int ltdc_crtc_init(struct drm_device *ddev, struct drm_crtc *crtc)
> }
>
> return 0;
> -
> -cleanup:
> - ltdc_plane_destroy_all(ddev);
> - return ret;
> }
>
> static void ltdc_encoder_disable(struct drm_encoder *encoder)
> @@ -1776,23 +1755,19 @@ static int ltdc_encoder_init(struct drm_device *ddev, struct drm_bridge *bridge)
> struct drm_encoder *encoder;
> int ret;
>
> - encoder = devm_kzalloc(ddev->dev, sizeof(*encoder), GFP_KERNEL);
> - if (!encoder)
> - return -ENOMEM;
> + encoder = drmm_simple_encoder_alloc(ddev, struct drm_encoder, dev,
> + DRM_MODE_ENCODER_DPI);
Nit: bad alignment.
> + if (IS_ERR(encoder))
> + return PTR_ERR(encoder);
>
> encoder->possible_crtcs = CRTC_MASK;
> encoder->possible_clones = 0; /* No cloning support */
>
> - drm_simple_encoder_init(ddev, encoder, DRM_MODE_ENCODER_DPI);
> -
> drm_encoder_helper_add(encoder, <dc_encoder_helper_funcs);
>
> ret = drm_bridge_attach(encoder, bridge, NULL, 0);
> - if (ret) {
> - if (ret != -EPROBE_DEFER)
> - drm_encoder_cleanup(encoder);
> + if (ret)
> return ret;
> - }
>
> DRM_DEBUG_DRIVER("Bridge encoder:%d created\n", encoder->base.id);
>
> @@ -1962,8 +1937,7 @@ int ltdc_load(struct drm_device *ddev)
> goto err;
>
> if (panel) {
> - bridge = drm_panel_bridge_add_typed(panel,
> - DRM_MODE_CONNECTOR_DPI);
> + bridge = drmm_panel_bridge_add(ddev, panel);
> if (IS_ERR(bridge)) {
> DRM_ERROR("panel-bridge endpoint %d\n", i);
> ret = PTR_ERR(bridge);
> @@ -2045,7 +2019,7 @@ int ltdc_load(struct drm_device *ddev)
> }
> }
>
> - crtc = devm_kzalloc(dev, sizeof(*crtc), GFP_KERNEL);
> + crtc = drmm_kzalloc(ddev, sizeof(*crtc), GFP_KERNEL);
> if (!crtc) {
> DRM_ERROR("Failed to allocate crtc\n");
> ret = -ENOMEM;
> @@ -2072,8 +2046,6 @@ int ltdc_load(struct drm_device *ddev)
>
> return 0;
> err:
> - for (i = 0; i < nb_endpoints; i++)
> - drm_of_panel_bridge_remove(ddev->dev->of_node, 0, i);
>
> clk_disable_unprepare(ldev->pixel_clk);
>
> @@ -2082,16 +2054,8 @@ int ltdc_load(struct drm_device *ddev)
>
> void ltdc_unload(struct drm_device *ddev)
> {
> - struct device *dev = ddev->dev;
> - int nb_endpoints, i;
> -
> DRM_DEBUG_DRIVER("\n");
>
> - nb_endpoints = of_graph_get_endpoint_count(dev->of_node);
> -
> - for (i = 0; i < nb_endpoints; i++)
> - drm_of_panel_bridge_remove(ddev->dev->of_node, 0, i);
> -
> pm_runtime_disable(ddev->dev);
> }
>
^ permalink raw reply [flat|nested] 19+ messages in thread
* [PATCH v3] drm/stm: Avoid use-after-free issues with crtc and plane
2024-01-05 9:21 ` Raphael Gallais-Pou
(?)
@ 2024-01-22 11:11 ` Katya Orlova
-1 siblings, 0 replies; 19+ messages in thread
From: Katya Orlova @ 2024-01-22 11:11 UTC (permalink / raw)
To: Raphael Gallais-Pou
Cc: Katya Orlova, Yannick Fertre, Philippe Cornu, David Airlie,
Daniel Vetter, Maxime Coquelin, Alexandre Torgue, Philipp Zabel,
dri-devel, linux-stm32, linux-arm-kernel, linux-kernel,
lvc-project
ltdc_load() calls functions drm_crtc_init_with_planes(),
drm_universal_plane_init() and drm_encoder_init(). These functions
should not be called with parameters allocated with devm_kzalloc()
to avoid use-after-free issues [1].
Use allocations managed by the DRM framework.
Found by Linux Verification Center (linuxtesting.org).
[1]
https://lore.kernel.org/lkml/u366i76e3qhh3ra5oxrtngjtm2u5lterkekcz6y2jkndhuxzli@diujon4h7qwb/
Signed-off-by: Katya Orlova <e.orlova@ispras.ru>
---
v3: style problems
v2: use allocations managed by the DRM as
Raphael Gallais-Pou <raphael.gallais-pou@foss.st.com> suggested.
Also add a fix for encoder.
drivers/gpu/drm/stm/drv.c | 3 +-
drivers/gpu/drm/stm/ltdc.c | 69 +++++++++-----------------------------
2 files changed, 18 insertions(+), 54 deletions(-)
diff --git a/drivers/gpu/drm/stm/drv.c b/drivers/gpu/drm/stm/drv.c
index e8523abef27a..152bec2c0238 100644
--- a/drivers/gpu/drm/stm/drv.c
+++ b/drivers/gpu/drm/stm/drv.c
@@ -25,6 +25,7 @@
#include <drm/drm_module.h>
#include <drm/drm_probe_helper.h>
#include <drm/drm_vblank.h>
+#include <drm/drm_managed.h>
#include "ltdc.h"
@@ -75,7 +76,7 @@ static int drv_load(struct drm_device *ddev)
DRM_DEBUG("%s\n", __func__);
- ldev = devm_kzalloc(ddev->dev, sizeof(*ldev), GFP_KERNEL);
+ ldev = drmm_kzalloc(ddev, sizeof(*ldev), GFP_KERNEL);
if (!ldev)
return -ENOMEM;
diff --git a/drivers/gpu/drm/stm/ltdc.c b/drivers/gpu/drm/stm/ltdc.c
index 5576fdae4962..e050b519ad38 100644
--- a/drivers/gpu/drm/stm/ltdc.c
+++ b/drivers/gpu/drm/stm/ltdc.c
@@ -36,6 +36,7 @@
#include <drm/drm_probe_helper.h>
#include <drm/drm_simple_kms_helper.h>
#include <drm/drm_vblank.h>
+#include <drm/drm_managed.h>
#include <video/videomode.h>
@@ -1199,7 +1200,6 @@ static void ltdc_crtc_atomic_print_state(struct drm_printer *p,
}
static const struct drm_crtc_funcs ltdc_crtc_funcs = {
- .destroy = drm_crtc_cleanup,
.set_config = drm_atomic_helper_set_config,
.page_flip = drm_atomic_helper_page_flip,
.reset = drm_atomic_helper_crtc_reset,
@@ -1212,7 +1212,6 @@ static const struct drm_crtc_funcs ltdc_crtc_funcs = {
};
static const struct drm_crtc_funcs ltdc_crtc_with_crc_support_funcs = {
- .destroy = drm_crtc_cleanup,
.set_config = drm_atomic_helper_set_config,
.page_flip = drm_atomic_helper_page_flip,
.reset = drm_atomic_helper_crtc_reset,
@@ -1545,7 +1544,6 @@ static void ltdc_plane_atomic_print_state(struct drm_printer *p,
static const struct drm_plane_funcs ltdc_plane_funcs = {
.update_plane = drm_atomic_helper_update_plane,
.disable_plane = drm_atomic_helper_disable_plane,
- .destroy = drm_plane_cleanup,
.reset = drm_atomic_helper_plane_reset,
.atomic_duplicate_state = drm_atomic_helper_plane_duplicate_state,
.atomic_destroy_state = drm_atomic_helper_plane_destroy_state,
@@ -1572,7 +1570,6 @@ static struct drm_plane *ltdc_plane_create(struct drm_device *ddev,
const u64 *modifiers = ltdc_format_modifiers;
u32 lofs = index * LAY_OFS;
u32 val;
- int ret;
/* Allocate the biggest size according to supported color formats */
formats = devm_kzalloc(dev, (ldev->caps.pix_fmt_nb +
@@ -1613,14 +1610,10 @@ static struct drm_plane *ltdc_plane_create(struct drm_device *ddev,
}
}
- plane = devm_kzalloc(dev, sizeof(*plane), GFP_KERNEL);
- if (!plane)
- return NULL;
-
- ret = drm_universal_plane_init(ddev, plane, possible_crtcs,
- <dc_plane_funcs, formats, nb_fmt,
- modifiers, type, NULL);
- if (ret < 0)
+ plane = drmm_universal_plane_alloc(ddev, struct drm_plane, dev,
+ possible_crtcs, <dc_plane_funcs, formats,
+ nb_fmt, modifiers, type, NULL);
+ if (IS_ERR(plane))
return NULL;
if (ldev->caps.ycbcr_input) {
@@ -1643,15 +1636,6 @@ static struct drm_plane *ltdc_plane_create(struct drm_device *ddev,
return plane;
}
-static void ltdc_plane_destroy_all(struct drm_device *ddev)
-{
- struct drm_plane *plane, *plane_temp;
-
- list_for_each_entry_safe(plane, plane_temp,
- &ddev->mode_config.plane_list, head)
- drm_plane_cleanup(plane);
-}
-
static int ltdc_crtc_init(struct drm_device *ddev, struct drm_crtc *crtc)
{
struct ltdc_device *ldev = ddev->dev_private;
@@ -1677,14 +1661,14 @@ static int ltdc_crtc_init(struct drm_device *ddev, struct drm_crtc *crtc)
/* Init CRTC according to its hardware features */
if (ldev->caps.crc)
- ret = drm_crtc_init_with_planes(ddev, crtc, primary, NULL,
+ ret = drmm_crtc_init_with_planes(ddev, crtc, primary, NULL,
<dc_crtc_with_crc_support_funcs, NULL);
else
- ret = drm_crtc_init_with_planes(ddev, crtc, primary, NULL,
+ ret = drmm_crtc_init_with_planes(ddev, crtc, primary, NULL,
<dc_crtc_funcs, NULL);
if (ret) {
DRM_ERROR("Can not initialize CRTC\n");
- goto cleanup;
+ return ret;
}
drm_crtc_helper_add(crtc, <dc_crtc_helper_funcs);
@@ -1698,9 +1682,8 @@ static int ltdc_crtc_init(struct drm_device *ddev, struct drm_crtc *crtc)
for (i = 1; i < ldev->caps.nb_layers; i++) {
overlay = ltdc_plane_create(ddev, DRM_PLANE_TYPE_OVERLAY, i);
if (!overlay) {
- ret = -ENOMEM;
DRM_ERROR("Can not create overlay plane %d\n", i);
- goto cleanup;
+ return -ENOMEM;
}
if (ldev->caps.dynamic_zorder)
drm_plane_create_zpos_property(overlay, i, 0, ldev->caps.nb_layers - 1);
@@ -1713,10 +1696,6 @@ static int ltdc_crtc_init(struct drm_device *ddev, struct drm_crtc *crtc)
}
return 0;
-
-cleanup:
- ltdc_plane_destroy_all(ddev);
- return ret;
}
static void ltdc_encoder_disable(struct drm_encoder *encoder)
@@ -1776,23 +1755,19 @@ static int ltdc_encoder_init(struct drm_device *ddev, struct drm_bridge *bridge)
struct drm_encoder *encoder;
int ret;
- encoder = devm_kzalloc(ddev->dev, sizeof(*encoder), GFP_KERNEL);
- if (!encoder)
- return -ENOMEM;
+ encoder = drmm_simple_encoder_alloc(ddev, struct drm_encoder, dev,
+ DRM_MODE_ENCODER_DPI);
+ if (IS_ERR(encoder))
+ return PTR_ERR(encoder);
encoder->possible_crtcs = CRTC_MASK;
encoder->possible_clones = 0; /* No cloning support */
- drm_simple_encoder_init(ddev, encoder, DRM_MODE_ENCODER_DPI);
-
drm_encoder_helper_add(encoder, <dc_encoder_helper_funcs);
ret = drm_bridge_attach(encoder, bridge, NULL, 0);
- if (ret) {
- if (ret != -EPROBE_DEFER)
- drm_encoder_cleanup(encoder);
+ if (ret)
return ret;
- }
DRM_DEBUG_DRIVER("Bridge encoder:%d created\n", encoder->base.id);
@@ -1962,8 +1937,7 @@ int ltdc_load(struct drm_device *ddev)
goto err;
if (panel) {
- bridge = drm_panel_bridge_add_typed(panel,
- DRM_MODE_CONNECTOR_DPI);
+ bridge = drmm_panel_bridge_add(ddev, panel);
if (IS_ERR(bridge)) {
DRM_ERROR("panel-bridge endpoint %d\n", i);
ret = PTR_ERR(bridge);
@@ -2045,7 +2019,7 @@ int ltdc_load(struct drm_device *ddev)
}
}
- crtc = devm_kzalloc(dev, sizeof(*crtc), GFP_KERNEL);
+ crtc = drmm_kzalloc(ddev, sizeof(*crtc), GFP_KERNEL);
if (!crtc) {
DRM_ERROR("Failed to allocate crtc\n");
ret = -ENOMEM;
@@ -2072,9 +2046,6 @@ int ltdc_load(struct drm_device *ddev)
return 0;
err:
- for (i = 0; i < nb_endpoints; i++)
- drm_of_panel_bridge_remove(ddev->dev->of_node, 0, i);
-
clk_disable_unprepare(ldev->pixel_clk);
return ret;
@@ -2082,16 +2053,8 @@ int ltdc_load(struct drm_device *ddev)
void ltdc_unload(struct drm_device *ddev)
{
- struct device *dev = ddev->dev;
- int nb_endpoints, i;
-
DRM_DEBUG_DRIVER("\n");
- nb_endpoints = of_graph_get_endpoint_count(dev->of_node);
-
- for (i = 0; i < nb_endpoints; i++)
- drm_of_panel_bridge_remove(ddev->dev->of_node, 0, i);
-
pm_runtime_disable(ddev->dev);
}
--
2.30.2
^ permalink raw reply related [flat|nested] 19+ messages in thread
* [PATCH v3] drm/stm: Avoid use-after-free issues with crtc and plane
@ 2024-01-22 11:11 ` Katya Orlova
0 siblings, 0 replies; 19+ messages in thread
From: Katya Orlova @ 2024-01-22 11:11 UTC (permalink / raw)
To: Raphael Gallais-Pou
Cc: Katya Orlova, Yannick Fertre, Philippe Cornu, David Airlie,
Daniel Vetter, Maxime Coquelin, Alexandre Torgue, Philipp Zabel,
dri-devel, linux-stm32, linux-arm-kernel, linux-kernel,
lvc-project
ltdc_load() calls functions drm_crtc_init_with_planes(),
drm_universal_plane_init() and drm_encoder_init(). These functions
should not be called with parameters allocated with devm_kzalloc()
to avoid use-after-free issues [1].
Use allocations managed by the DRM framework.
Found by Linux Verification Center (linuxtesting.org).
[1]
https://lore.kernel.org/lkml/u366i76e3qhh3ra5oxrtngjtm2u5lterkekcz6y2jkndhuxzli@diujon4h7qwb/
Signed-off-by: Katya Orlova <e.orlova@ispras.ru>
---
v3: style problems
v2: use allocations managed by the DRM as
Raphael Gallais-Pou <raphael.gallais-pou@foss.st.com> suggested.
Also add a fix for encoder.
drivers/gpu/drm/stm/drv.c | 3 +-
drivers/gpu/drm/stm/ltdc.c | 69 +++++++++-----------------------------
2 files changed, 18 insertions(+), 54 deletions(-)
diff --git a/drivers/gpu/drm/stm/drv.c b/drivers/gpu/drm/stm/drv.c
index e8523abef27a..152bec2c0238 100644
--- a/drivers/gpu/drm/stm/drv.c
+++ b/drivers/gpu/drm/stm/drv.c
@@ -25,6 +25,7 @@
#include <drm/drm_module.h>
#include <drm/drm_probe_helper.h>
#include <drm/drm_vblank.h>
+#include <drm/drm_managed.h>
#include "ltdc.h"
@@ -75,7 +76,7 @@ static int drv_load(struct drm_device *ddev)
DRM_DEBUG("%s\n", __func__);
- ldev = devm_kzalloc(ddev->dev, sizeof(*ldev), GFP_KERNEL);
+ ldev = drmm_kzalloc(ddev, sizeof(*ldev), GFP_KERNEL);
if (!ldev)
return -ENOMEM;
diff --git a/drivers/gpu/drm/stm/ltdc.c b/drivers/gpu/drm/stm/ltdc.c
index 5576fdae4962..e050b519ad38 100644
--- a/drivers/gpu/drm/stm/ltdc.c
+++ b/drivers/gpu/drm/stm/ltdc.c
@@ -36,6 +36,7 @@
#include <drm/drm_probe_helper.h>
#include <drm/drm_simple_kms_helper.h>
#include <drm/drm_vblank.h>
+#include <drm/drm_managed.h>
#include <video/videomode.h>
@@ -1199,7 +1200,6 @@ static void ltdc_crtc_atomic_print_state(struct drm_printer *p,
}
static const struct drm_crtc_funcs ltdc_crtc_funcs = {
- .destroy = drm_crtc_cleanup,
.set_config = drm_atomic_helper_set_config,
.page_flip = drm_atomic_helper_page_flip,
.reset = drm_atomic_helper_crtc_reset,
@@ -1212,7 +1212,6 @@ static const struct drm_crtc_funcs ltdc_crtc_funcs = {
};
static const struct drm_crtc_funcs ltdc_crtc_with_crc_support_funcs = {
- .destroy = drm_crtc_cleanup,
.set_config = drm_atomic_helper_set_config,
.page_flip = drm_atomic_helper_page_flip,
.reset = drm_atomic_helper_crtc_reset,
@@ -1545,7 +1544,6 @@ static void ltdc_plane_atomic_print_state(struct drm_printer *p,
static const struct drm_plane_funcs ltdc_plane_funcs = {
.update_plane = drm_atomic_helper_update_plane,
.disable_plane = drm_atomic_helper_disable_plane,
- .destroy = drm_plane_cleanup,
.reset = drm_atomic_helper_plane_reset,
.atomic_duplicate_state = drm_atomic_helper_plane_duplicate_state,
.atomic_destroy_state = drm_atomic_helper_plane_destroy_state,
@@ -1572,7 +1570,6 @@ static struct drm_plane *ltdc_plane_create(struct drm_device *ddev,
const u64 *modifiers = ltdc_format_modifiers;
u32 lofs = index * LAY_OFS;
u32 val;
- int ret;
/* Allocate the biggest size according to supported color formats */
formats = devm_kzalloc(dev, (ldev->caps.pix_fmt_nb +
@@ -1613,14 +1610,10 @@ static struct drm_plane *ltdc_plane_create(struct drm_device *ddev,
}
}
- plane = devm_kzalloc(dev, sizeof(*plane), GFP_KERNEL);
- if (!plane)
- return NULL;
-
- ret = drm_universal_plane_init(ddev, plane, possible_crtcs,
- <dc_plane_funcs, formats, nb_fmt,
- modifiers, type, NULL);
- if (ret < 0)
+ plane = drmm_universal_plane_alloc(ddev, struct drm_plane, dev,
+ possible_crtcs, <dc_plane_funcs, formats,
+ nb_fmt, modifiers, type, NULL);
+ if (IS_ERR(plane))
return NULL;
if (ldev->caps.ycbcr_input) {
@@ -1643,15 +1636,6 @@ static struct drm_plane *ltdc_plane_create(struct drm_device *ddev,
return plane;
}
-static void ltdc_plane_destroy_all(struct drm_device *ddev)
-{
- struct drm_plane *plane, *plane_temp;
-
- list_for_each_entry_safe(plane, plane_temp,
- &ddev->mode_config.plane_list, head)
- drm_plane_cleanup(plane);
-}
-
static int ltdc_crtc_init(struct drm_device *ddev, struct drm_crtc *crtc)
{
struct ltdc_device *ldev = ddev->dev_private;
@@ -1677,14 +1661,14 @@ static int ltdc_crtc_init(struct drm_device *ddev, struct drm_crtc *crtc)
/* Init CRTC according to its hardware features */
if (ldev->caps.crc)
- ret = drm_crtc_init_with_planes(ddev, crtc, primary, NULL,
+ ret = drmm_crtc_init_with_planes(ddev, crtc, primary, NULL,
<dc_crtc_with_crc_support_funcs, NULL);
else
- ret = drm_crtc_init_with_planes(ddev, crtc, primary, NULL,
+ ret = drmm_crtc_init_with_planes(ddev, crtc, primary, NULL,
<dc_crtc_funcs, NULL);
if (ret) {
DRM_ERROR("Can not initialize CRTC\n");
- goto cleanup;
+ return ret;
}
drm_crtc_helper_add(crtc, <dc_crtc_helper_funcs);
@@ -1698,9 +1682,8 @@ static int ltdc_crtc_init(struct drm_device *ddev, struct drm_crtc *crtc)
for (i = 1; i < ldev->caps.nb_layers; i++) {
overlay = ltdc_plane_create(ddev, DRM_PLANE_TYPE_OVERLAY, i);
if (!overlay) {
- ret = -ENOMEM;
DRM_ERROR("Can not create overlay plane %d\n", i);
- goto cleanup;
+ return -ENOMEM;
}
if (ldev->caps.dynamic_zorder)
drm_plane_create_zpos_property(overlay, i, 0, ldev->caps.nb_layers - 1);
@@ -1713,10 +1696,6 @@ static int ltdc_crtc_init(struct drm_device *ddev, struct drm_crtc *crtc)
}
return 0;
-
-cleanup:
- ltdc_plane_destroy_all(ddev);
- return ret;
}
static void ltdc_encoder_disable(struct drm_encoder *encoder)
@@ -1776,23 +1755,19 @@ static int ltdc_encoder_init(struct drm_device *ddev, struct drm_bridge *bridge)
struct drm_encoder *encoder;
int ret;
- encoder = devm_kzalloc(ddev->dev, sizeof(*encoder), GFP_KERNEL);
- if (!encoder)
- return -ENOMEM;
+ encoder = drmm_simple_encoder_alloc(ddev, struct drm_encoder, dev,
+ DRM_MODE_ENCODER_DPI);
+ if (IS_ERR(encoder))
+ return PTR_ERR(encoder);
encoder->possible_crtcs = CRTC_MASK;
encoder->possible_clones = 0; /* No cloning support */
- drm_simple_encoder_init(ddev, encoder, DRM_MODE_ENCODER_DPI);
-
drm_encoder_helper_add(encoder, <dc_encoder_helper_funcs);
ret = drm_bridge_attach(encoder, bridge, NULL, 0);
- if (ret) {
- if (ret != -EPROBE_DEFER)
- drm_encoder_cleanup(encoder);
+ if (ret)
return ret;
- }
DRM_DEBUG_DRIVER("Bridge encoder:%d created\n", encoder->base.id);
@@ -1962,8 +1937,7 @@ int ltdc_load(struct drm_device *ddev)
goto err;
if (panel) {
- bridge = drm_panel_bridge_add_typed(panel,
- DRM_MODE_CONNECTOR_DPI);
+ bridge = drmm_panel_bridge_add(ddev, panel);
if (IS_ERR(bridge)) {
DRM_ERROR("panel-bridge endpoint %d\n", i);
ret = PTR_ERR(bridge);
@@ -2045,7 +2019,7 @@ int ltdc_load(struct drm_device *ddev)
}
}
- crtc = devm_kzalloc(dev, sizeof(*crtc), GFP_KERNEL);
+ crtc = drmm_kzalloc(ddev, sizeof(*crtc), GFP_KERNEL);
if (!crtc) {
DRM_ERROR("Failed to allocate crtc\n");
ret = -ENOMEM;
@@ -2072,9 +2046,6 @@ int ltdc_load(struct drm_device *ddev)
return 0;
err:
- for (i = 0; i < nb_endpoints; i++)
- drm_of_panel_bridge_remove(ddev->dev->of_node, 0, i);
-
clk_disable_unprepare(ldev->pixel_clk);
return ret;
@@ -2082,16 +2053,8 @@ int ltdc_load(struct drm_device *ddev)
void ltdc_unload(struct drm_device *ddev)
{
- struct device *dev = ddev->dev;
- int nb_endpoints, i;
-
DRM_DEBUG_DRIVER("\n");
- nb_endpoints = of_graph_get_endpoint_count(dev->of_node);
-
- for (i = 0; i < nb_endpoints; i++)
- drm_of_panel_bridge_remove(ddev->dev->of_node, 0, i);
-
pm_runtime_disable(ddev->dev);
}
--
2.30.2
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
^ permalink raw reply related [flat|nested] 19+ messages in thread
* [PATCH v3] drm/stm: Avoid use-after-free issues with crtc and plane
@ 2024-01-22 11:11 ` Katya Orlova
0 siblings, 0 replies; 19+ messages in thread
From: Katya Orlova @ 2024-01-22 11:11 UTC (permalink / raw)
To: Raphael Gallais-Pou
Cc: Daniel Vetter, Yannick Fertre, Alexandre Torgue, dri-devel,
linux-kernel, Philippe Cornu, Maxime Coquelin, Katya Orlova,
David Airlie, linux-stm32, linux-arm-kernel, lvc-project
ltdc_load() calls functions drm_crtc_init_with_planes(),
drm_universal_plane_init() and drm_encoder_init(). These functions
should not be called with parameters allocated with devm_kzalloc()
to avoid use-after-free issues [1].
Use allocations managed by the DRM framework.
Found by Linux Verification Center (linuxtesting.org).
[1]
https://lore.kernel.org/lkml/u366i76e3qhh3ra5oxrtngjtm2u5lterkekcz6y2jkndhuxzli@diujon4h7qwb/
Signed-off-by: Katya Orlova <e.orlova@ispras.ru>
---
v3: style problems
v2: use allocations managed by the DRM as
Raphael Gallais-Pou <raphael.gallais-pou@foss.st.com> suggested.
Also add a fix for encoder.
drivers/gpu/drm/stm/drv.c | 3 +-
drivers/gpu/drm/stm/ltdc.c | 69 +++++++++-----------------------------
2 files changed, 18 insertions(+), 54 deletions(-)
diff --git a/drivers/gpu/drm/stm/drv.c b/drivers/gpu/drm/stm/drv.c
index e8523abef27a..152bec2c0238 100644
--- a/drivers/gpu/drm/stm/drv.c
+++ b/drivers/gpu/drm/stm/drv.c
@@ -25,6 +25,7 @@
#include <drm/drm_module.h>
#include <drm/drm_probe_helper.h>
#include <drm/drm_vblank.h>
+#include <drm/drm_managed.h>
#include "ltdc.h"
@@ -75,7 +76,7 @@ static int drv_load(struct drm_device *ddev)
DRM_DEBUG("%s\n", __func__);
- ldev = devm_kzalloc(ddev->dev, sizeof(*ldev), GFP_KERNEL);
+ ldev = drmm_kzalloc(ddev, sizeof(*ldev), GFP_KERNEL);
if (!ldev)
return -ENOMEM;
diff --git a/drivers/gpu/drm/stm/ltdc.c b/drivers/gpu/drm/stm/ltdc.c
index 5576fdae4962..e050b519ad38 100644
--- a/drivers/gpu/drm/stm/ltdc.c
+++ b/drivers/gpu/drm/stm/ltdc.c
@@ -36,6 +36,7 @@
#include <drm/drm_probe_helper.h>
#include <drm/drm_simple_kms_helper.h>
#include <drm/drm_vblank.h>
+#include <drm/drm_managed.h>
#include <video/videomode.h>
@@ -1199,7 +1200,6 @@ static void ltdc_crtc_atomic_print_state(struct drm_printer *p,
}
static const struct drm_crtc_funcs ltdc_crtc_funcs = {
- .destroy = drm_crtc_cleanup,
.set_config = drm_atomic_helper_set_config,
.page_flip = drm_atomic_helper_page_flip,
.reset = drm_atomic_helper_crtc_reset,
@@ -1212,7 +1212,6 @@ static const struct drm_crtc_funcs ltdc_crtc_funcs = {
};
static const struct drm_crtc_funcs ltdc_crtc_with_crc_support_funcs = {
- .destroy = drm_crtc_cleanup,
.set_config = drm_atomic_helper_set_config,
.page_flip = drm_atomic_helper_page_flip,
.reset = drm_atomic_helper_crtc_reset,
@@ -1545,7 +1544,6 @@ static void ltdc_plane_atomic_print_state(struct drm_printer *p,
static const struct drm_plane_funcs ltdc_plane_funcs = {
.update_plane = drm_atomic_helper_update_plane,
.disable_plane = drm_atomic_helper_disable_plane,
- .destroy = drm_plane_cleanup,
.reset = drm_atomic_helper_plane_reset,
.atomic_duplicate_state = drm_atomic_helper_plane_duplicate_state,
.atomic_destroy_state = drm_atomic_helper_plane_destroy_state,
@@ -1572,7 +1570,6 @@ static struct drm_plane *ltdc_plane_create(struct drm_device *ddev,
const u64 *modifiers = ltdc_format_modifiers;
u32 lofs = index * LAY_OFS;
u32 val;
- int ret;
/* Allocate the biggest size according to supported color formats */
formats = devm_kzalloc(dev, (ldev->caps.pix_fmt_nb +
@@ -1613,14 +1610,10 @@ static struct drm_plane *ltdc_plane_create(struct drm_device *ddev,
}
}
- plane = devm_kzalloc(dev, sizeof(*plane), GFP_KERNEL);
- if (!plane)
- return NULL;
-
- ret = drm_universal_plane_init(ddev, plane, possible_crtcs,
- <dc_plane_funcs, formats, nb_fmt,
- modifiers, type, NULL);
- if (ret < 0)
+ plane = drmm_universal_plane_alloc(ddev, struct drm_plane, dev,
+ possible_crtcs, <dc_plane_funcs, formats,
+ nb_fmt, modifiers, type, NULL);
+ if (IS_ERR(plane))
return NULL;
if (ldev->caps.ycbcr_input) {
@@ -1643,15 +1636,6 @@ static struct drm_plane *ltdc_plane_create(struct drm_device *ddev,
return plane;
}
-static void ltdc_plane_destroy_all(struct drm_device *ddev)
-{
- struct drm_plane *plane, *plane_temp;
-
- list_for_each_entry_safe(plane, plane_temp,
- &ddev->mode_config.plane_list, head)
- drm_plane_cleanup(plane);
-}
-
static int ltdc_crtc_init(struct drm_device *ddev, struct drm_crtc *crtc)
{
struct ltdc_device *ldev = ddev->dev_private;
@@ -1677,14 +1661,14 @@ static int ltdc_crtc_init(struct drm_device *ddev, struct drm_crtc *crtc)
/* Init CRTC according to its hardware features */
if (ldev->caps.crc)
- ret = drm_crtc_init_with_planes(ddev, crtc, primary, NULL,
+ ret = drmm_crtc_init_with_planes(ddev, crtc, primary, NULL,
<dc_crtc_with_crc_support_funcs, NULL);
else
- ret = drm_crtc_init_with_planes(ddev, crtc, primary, NULL,
+ ret = drmm_crtc_init_with_planes(ddev, crtc, primary, NULL,
<dc_crtc_funcs, NULL);
if (ret) {
DRM_ERROR("Can not initialize CRTC\n");
- goto cleanup;
+ return ret;
}
drm_crtc_helper_add(crtc, <dc_crtc_helper_funcs);
@@ -1698,9 +1682,8 @@ static int ltdc_crtc_init(struct drm_device *ddev, struct drm_crtc *crtc)
for (i = 1; i < ldev->caps.nb_layers; i++) {
overlay = ltdc_plane_create(ddev, DRM_PLANE_TYPE_OVERLAY, i);
if (!overlay) {
- ret = -ENOMEM;
DRM_ERROR("Can not create overlay plane %d\n", i);
- goto cleanup;
+ return -ENOMEM;
}
if (ldev->caps.dynamic_zorder)
drm_plane_create_zpos_property(overlay, i, 0, ldev->caps.nb_layers - 1);
@@ -1713,10 +1696,6 @@ static int ltdc_crtc_init(struct drm_device *ddev, struct drm_crtc *crtc)
}
return 0;
-
-cleanup:
- ltdc_plane_destroy_all(ddev);
- return ret;
}
static void ltdc_encoder_disable(struct drm_encoder *encoder)
@@ -1776,23 +1755,19 @@ static int ltdc_encoder_init(struct drm_device *ddev, struct drm_bridge *bridge)
struct drm_encoder *encoder;
int ret;
- encoder = devm_kzalloc(ddev->dev, sizeof(*encoder), GFP_KERNEL);
- if (!encoder)
- return -ENOMEM;
+ encoder = drmm_simple_encoder_alloc(ddev, struct drm_encoder, dev,
+ DRM_MODE_ENCODER_DPI);
+ if (IS_ERR(encoder))
+ return PTR_ERR(encoder);
encoder->possible_crtcs = CRTC_MASK;
encoder->possible_clones = 0; /* No cloning support */
- drm_simple_encoder_init(ddev, encoder, DRM_MODE_ENCODER_DPI);
-
drm_encoder_helper_add(encoder, <dc_encoder_helper_funcs);
ret = drm_bridge_attach(encoder, bridge, NULL, 0);
- if (ret) {
- if (ret != -EPROBE_DEFER)
- drm_encoder_cleanup(encoder);
+ if (ret)
return ret;
- }
DRM_DEBUG_DRIVER("Bridge encoder:%d created\n", encoder->base.id);
@@ -1962,8 +1937,7 @@ int ltdc_load(struct drm_device *ddev)
goto err;
if (panel) {
- bridge = drm_panel_bridge_add_typed(panel,
- DRM_MODE_CONNECTOR_DPI);
+ bridge = drmm_panel_bridge_add(ddev, panel);
if (IS_ERR(bridge)) {
DRM_ERROR("panel-bridge endpoint %d\n", i);
ret = PTR_ERR(bridge);
@@ -2045,7 +2019,7 @@ int ltdc_load(struct drm_device *ddev)
}
}
- crtc = devm_kzalloc(dev, sizeof(*crtc), GFP_KERNEL);
+ crtc = drmm_kzalloc(ddev, sizeof(*crtc), GFP_KERNEL);
if (!crtc) {
DRM_ERROR("Failed to allocate crtc\n");
ret = -ENOMEM;
@@ -2072,9 +2046,6 @@ int ltdc_load(struct drm_device *ddev)
return 0;
err:
- for (i = 0; i < nb_endpoints; i++)
- drm_of_panel_bridge_remove(ddev->dev->of_node, 0, i);
-
clk_disable_unprepare(ldev->pixel_clk);
return ret;
@@ -2082,16 +2053,8 @@ int ltdc_load(struct drm_device *ddev)
void ltdc_unload(struct drm_device *ddev)
{
- struct device *dev = ddev->dev;
- int nb_endpoints, i;
-
DRM_DEBUG_DRIVER("\n");
- nb_endpoints = of_graph_get_endpoint_count(dev->of_node);
-
- for (i = 0; i < nb_endpoints; i++)
- drm_of_panel_bridge_remove(ddev->dev->of_node, 0, i);
-
pm_runtime_disable(ddev->dev);
}
--
2.30.2
^ permalink raw reply related [flat|nested] 19+ messages in thread
* [PATCH v4] drm/stm: Avoid use-after-free issues with crtc and plane
2024-01-22 11:11 ` Katya Orlova
@ 2024-02-16 12:50 ` Katya Orlova
-1 siblings, 0 replies; 19+ messages in thread
From: Katya Orlova @ 2024-02-16 12:50 UTC (permalink / raw)
To: Raphael Gallais-Pou
Cc: Katya Orlova, Yannick Fertre, Philippe Cornu, David Airlie,
Daniel Vetter, Maxime Coquelin, Alexandre Torgue, Philipp Zabel,
dri-devel, linux-stm32, linux-arm-kernel, linux-kernel,
lvc-project
ltdc_load() calls functions drm_crtc_init_with_planes(),
drm_universal_plane_init() and drm_encoder_init(). These functions
should not be called with parameters allocated with devm_kzalloc()
to avoid use-after-free issues [1].
Use allocations managed by the DRM framework.
Found by Linux Verification Center (linuxtesting.org).
[1]
https://lore.kernel.org/lkml/u366i76e3qhh3ra5oxrtngjtm2u5lterkekcz6y2jkndhuxzli@diujon4h7qwb/
Signed-off-by: Katya Orlova <e.orlova@ispras.ru>
---
v4: rebase on the drm-misc
v3: style problems
v2: use allocations managed by the DRM as
Raphael Gallais-Pou <raphael.gallais-pou@foss.st.com> suggested.
Also add a fix for encoder.
drivers/gpu/drm/stm/drv.c | 3 +-
drivers/gpu/drm/stm/ltdc.c | 73 ++++++++++----------------------------
2 files changed, 20 insertions(+), 56 deletions(-)
diff --git a/drivers/gpu/drm/stm/drv.c b/drivers/gpu/drm/stm/drv.c
index e8523abef27a..152bec2c0238 100644
--- a/drivers/gpu/drm/stm/drv.c
+++ b/drivers/gpu/drm/stm/drv.c
@@ -25,6 +25,7 @@
#include <drm/drm_module.h>
#include <drm/drm_probe_helper.h>
#include <drm/drm_vblank.h>
+#include <drm/drm_managed.h>
#include "ltdc.h"
@@ -75,7 +76,7 @@ static int drv_load(struct drm_device *ddev)
DRM_DEBUG("%s\n", __func__);
- ldev = devm_kzalloc(ddev->dev, sizeof(*ldev), GFP_KERNEL);
+ ldev = drmm_kzalloc(ddev, sizeof(*ldev), GFP_KERNEL);
if (!ldev)
return -ENOMEM;
diff --git a/drivers/gpu/drm/stm/ltdc.c b/drivers/gpu/drm/stm/ltdc.c
index 5576fdae4962..eeaabb4e10d3 100644
--- a/drivers/gpu/drm/stm/ltdc.c
+++ b/drivers/gpu/drm/stm/ltdc.c
@@ -36,6 +36,7 @@
#include <drm/drm_probe_helper.h>
#include <drm/drm_simple_kms_helper.h>
#include <drm/drm_vblank.h>
+#include <drm/drm_managed.h>
#include <video/videomode.h>
@@ -1199,7 +1200,6 @@ static void ltdc_crtc_atomic_print_state(struct drm_printer *p,
}
static const struct drm_crtc_funcs ltdc_crtc_funcs = {
- .destroy = drm_crtc_cleanup,
.set_config = drm_atomic_helper_set_config,
.page_flip = drm_atomic_helper_page_flip,
.reset = drm_atomic_helper_crtc_reset,
@@ -1212,7 +1212,6 @@ static const struct drm_crtc_funcs ltdc_crtc_funcs = {
};
static const struct drm_crtc_funcs ltdc_crtc_with_crc_support_funcs = {
- .destroy = drm_crtc_cleanup,
.set_config = drm_atomic_helper_set_config,
.page_flip = drm_atomic_helper_page_flip,
.reset = drm_atomic_helper_crtc_reset,
@@ -1545,7 +1544,6 @@ static void ltdc_plane_atomic_print_state(struct drm_printer *p,
static const struct drm_plane_funcs ltdc_plane_funcs = {
.update_plane = drm_atomic_helper_update_plane,
.disable_plane = drm_atomic_helper_disable_plane,
- .destroy = drm_plane_cleanup,
.reset = drm_atomic_helper_plane_reset,
.atomic_duplicate_state = drm_atomic_helper_plane_duplicate_state,
.atomic_destroy_state = drm_atomic_helper_plane_destroy_state,
@@ -1572,7 +1570,6 @@ static struct drm_plane *ltdc_plane_create(struct drm_device *ddev,
const u64 *modifiers = ltdc_format_modifiers;
u32 lofs = index * LAY_OFS;
u32 val;
- int ret;
/* Allocate the biggest size according to supported color formats */
formats = devm_kzalloc(dev, (ldev->caps.pix_fmt_nb +
@@ -1613,14 +1610,10 @@ static struct drm_plane *ltdc_plane_create(struct drm_device *ddev,
}
}
- plane = devm_kzalloc(dev, sizeof(*plane), GFP_KERNEL);
- if (!plane)
- return NULL;
-
- ret = drm_universal_plane_init(ddev, plane, possible_crtcs,
- <dc_plane_funcs, formats, nb_fmt,
- modifiers, type, NULL);
- if (ret < 0)
+ plane = drmm_universal_plane_alloc(ddev, struct drm_plane, dev,
+ possible_crtcs, <dc_plane_funcs, formats,
+ nb_fmt, modifiers, type, NULL);
+ if (IS_ERR(plane))
return NULL;
if (ldev->caps.ycbcr_input) {
@@ -1643,15 +1636,6 @@ static struct drm_plane *ltdc_plane_create(struct drm_device *ddev,
return plane;
}
-static void ltdc_plane_destroy_all(struct drm_device *ddev)
-{
- struct drm_plane *plane, *plane_temp;
-
- list_for_each_entry_safe(plane, plane_temp,
- &ddev->mode_config.plane_list, head)
- drm_plane_cleanup(plane);
-}
-
static int ltdc_crtc_init(struct drm_device *ddev, struct drm_crtc *crtc)
{
struct ltdc_device *ldev = ddev->dev_private;
@@ -1677,14 +1661,14 @@ static int ltdc_crtc_init(struct drm_device *ddev, struct drm_crtc *crtc)
/* Init CRTC according to its hardware features */
if (ldev->caps.crc)
- ret = drm_crtc_init_with_planes(ddev, crtc, primary, NULL,
- <dc_crtc_with_crc_support_funcs, NULL);
+ ret = drmm_crtc_init_with_planes(ddev, crtc, primary, NULL,
+ <dc_crtc_with_crc_support_funcs, NULL);
else
- ret = drm_crtc_init_with_planes(ddev, crtc, primary, NULL,
- <dc_crtc_funcs, NULL);
+ ret = drmm_crtc_init_with_planes(ddev, crtc, primary, NULL,
+ <dc_crtc_funcs, NULL);
if (ret) {
DRM_ERROR("Can not initialize CRTC\n");
- goto cleanup;
+ return ret;
}
drm_crtc_helper_add(crtc, <dc_crtc_helper_funcs);
@@ -1698,9 +1682,8 @@ static int ltdc_crtc_init(struct drm_device *ddev, struct drm_crtc *crtc)
for (i = 1; i < ldev->caps.nb_layers; i++) {
overlay = ltdc_plane_create(ddev, DRM_PLANE_TYPE_OVERLAY, i);
if (!overlay) {
- ret = -ENOMEM;
DRM_ERROR("Can not create overlay plane %d\n", i);
- goto cleanup;
+ return -ENOMEM;
}
if (ldev->caps.dynamic_zorder)
drm_plane_create_zpos_property(overlay, i, 0, ldev->caps.nb_layers - 1);
@@ -1713,10 +1696,6 @@ static int ltdc_crtc_init(struct drm_device *ddev, struct drm_crtc *crtc)
}
return 0;
-
-cleanup:
- ltdc_plane_destroy_all(ddev);
- return ret;
}
static void ltdc_encoder_disable(struct drm_encoder *encoder)
@@ -1776,23 +1755,19 @@ static int ltdc_encoder_init(struct drm_device *ddev, struct drm_bridge *bridge)
struct drm_encoder *encoder;
int ret;
- encoder = devm_kzalloc(ddev->dev, sizeof(*encoder), GFP_KERNEL);
- if (!encoder)
- return -ENOMEM;
+ encoder = drmm_simple_encoder_alloc(ddev, struct drm_encoder, dev,
+ DRM_MODE_ENCODER_DPI);
+ if (IS_ERR(encoder))
+ return PTR_ERR(encoder);
encoder->possible_crtcs = CRTC_MASK;
encoder->possible_clones = 0; /* No cloning support */
- drm_simple_encoder_init(ddev, encoder, DRM_MODE_ENCODER_DPI);
-
drm_encoder_helper_add(encoder, <dc_encoder_helper_funcs);
ret = drm_bridge_attach(encoder, bridge, NULL, 0);
- if (ret) {
- if (ret != -EPROBE_DEFER)
- drm_encoder_cleanup(encoder);
+ if (ret)
return ret;
- }
DRM_DEBUG_DRIVER("Bridge encoder:%d created\n", encoder->base.id);
@@ -1962,8 +1937,7 @@ int ltdc_load(struct drm_device *ddev)
goto err;
if (panel) {
- bridge = drm_panel_bridge_add_typed(panel,
- DRM_MODE_CONNECTOR_DPI);
+ bridge = drmm_panel_bridge_add(ddev, panel);
if (IS_ERR(bridge)) {
DRM_ERROR("panel-bridge endpoint %d\n", i);
ret = PTR_ERR(bridge);
@@ -2045,7 +2019,7 @@ int ltdc_load(struct drm_device *ddev)
}
}
- crtc = devm_kzalloc(dev, sizeof(*crtc), GFP_KERNEL);
+ crtc = drmm_kzalloc(ddev, sizeof(*crtc), GFP_KERNEL);
if (!crtc) {
DRM_ERROR("Failed to allocate crtc\n");
ret = -ENOMEM;
@@ -2072,9 +2046,6 @@ int ltdc_load(struct drm_device *ddev)
return 0;
err:
- for (i = 0; i < nb_endpoints; i++)
- drm_of_panel_bridge_remove(ddev->dev->of_node, 0, i);
-
clk_disable_unprepare(ldev->pixel_clk);
return ret;
@@ -2082,16 +2053,8 @@ int ltdc_load(struct drm_device *ddev)
void ltdc_unload(struct drm_device *ddev)
{
- struct device *dev = ddev->dev;
- int nb_endpoints, i;
-
DRM_DEBUG_DRIVER("\n");
- nb_endpoints = of_graph_get_endpoint_count(dev->of_node);
-
- for (i = 0; i < nb_endpoints; i++)
- drm_of_panel_bridge_remove(ddev->dev->of_node, 0, i);
-
pm_runtime_disable(ddev->dev);
}
--
2.30.2
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
^ permalink raw reply related [flat|nested] 19+ messages in thread
* [PATCH v4] drm/stm: Avoid use-after-free issues with crtc and plane
@ 2024-02-16 12:50 ` Katya Orlova
0 siblings, 0 replies; 19+ messages in thread
From: Katya Orlova @ 2024-02-16 12:50 UTC (permalink / raw)
To: Raphael Gallais-Pou
Cc: Katya Orlova, Yannick Fertre, Philippe Cornu, David Airlie,
Daniel Vetter, Maxime Coquelin, Alexandre Torgue, Philipp Zabel,
dri-devel, linux-stm32, linux-arm-kernel, linux-kernel,
lvc-project
ltdc_load() calls functions drm_crtc_init_with_planes(),
drm_universal_plane_init() and drm_encoder_init(). These functions
should not be called with parameters allocated with devm_kzalloc()
to avoid use-after-free issues [1].
Use allocations managed by the DRM framework.
Found by Linux Verification Center (linuxtesting.org).
[1]
https://lore.kernel.org/lkml/u366i76e3qhh3ra5oxrtngjtm2u5lterkekcz6y2jkndhuxzli@diujon4h7qwb/
Signed-off-by: Katya Orlova <e.orlova@ispras.ru>
---
v4: rebase on the drm-misc
v3: style problems
v2: use allocations managed by the DRM as
Raphael Gallais-Pou <raphael.gallais-pou@foss.st.com> suggested.
Also add a fix for encoder.
drivers/gpu/drm/stm/drv.c | 3 +-
drivers/gpu/drm/stm/ltdc.c | 73 ++++++++++----------------------------
2 files changed, 20 insertions(+), 56 deletions(-)
diff --git a/drivers/gpu/drm/stm/drv.c b/drivers/gpu/drm/stm/drv.c
index e8523abef27a..152bec2c0238 100644
--- a/drivers/gpu/drm/stm/drv.c
+++ b/drivers/gpu/drm/stm/drv.c
@@ -25,6 +25,7 @@
#include <drm/drm_module.h>
#include <drm/drm_probe_helper.h>
#include <drm/drm_vblank.h>
+#include <drm/drm_managed.h>
#include "ltdc.h"
@@ -75,7 +76,7 @@ static int drv_load(struct drm_device *ddev)
DRM_DEBUG("%s\n", __func__);
- ldev = devm_kzalloc(ddev->dev, sizeof(*ldev), GFP_KERNEL);
+ ldev = drmm_kzalloc(ddev, sizeof(*ldev), GFP_KERNEL);
if (!ldev)
return -ENOMEM;
diff --git a/drivers/gpu/drm/stm/ltdc.c b/drivers/gpu/drm/stm/ltdc.c
index 5576fdae4962..eeaabb4e10d3 100644
--- a/drivers/gpu/drm/stm/ltdc.c
+++ b/drivers/gpu/drm/stm/ltdc.c
@@ -36,6 +36,7 @@
#include <drm/drm_probe_helper.h>
#include <drm/drm_simple_kms_helper.h>
#include <drm/drm_vblank.h>
+#include <drm/drm_managed.h>
#include <video/videomode.h>
@@ -1199,7 +1200,6 @@ static void ltdc_crtc_atomic_print_state(struct drm_printer *p,
}
static const struct drm_crtc_funcs ltdc_crtc_funcs = {
- .destroy = drm_crtc_cleanup,
.set_config = drm_atomic_helper_set_config,
.page_flip = drm_atomic_helper_page_flip,
.reset = drm_atomic_helper_crtc_reset,
@@ -1212,7 +1212,6 @@ static const struct drm_crtc_funcs ltdc_crtc_funcs = {
};
static const struct drm_crtc_funcs ltdc_crtc_with_crc_support_funcs = {
- .destroy = drm_crtc_cleanup,
.set_config = drm_atomic_helper_set_config,
.page_flip = drm_atomic_helper_page_flip,
.reset = drm_atomic_helper_crtc_reset,
@@ -1545,7 +1544,6 @@ static void ltdc_plane_atomic_print_state(struct drm_printer *p,
static const struct drm_plane_funcs ltdc_plane_funcs = {
.update_plane = drm_atomic_helper_update_plane,
.disable_plane = drm_atomic_helper_disable_plane,
- .destroy = drm_plane_cleanup,
.reset = drm_atomic_helper_plane_reset,
.atomic_duplicate_state = drm_atomic_helper_plane_duplicate_state,
.atomic_destroy_state = drm_atomic_helper_plane_destroy_state,
@@ -1572,7 +1570,6 @@ static struct drm_plane *ltdc_plane_create(struct drm_device *ddev,
const u64 *modifiers = ltdc_format_modifiers;
u32 lofs = index * LAY_OFS;
u32 val;
- int ret;
/* Allocate the biggest size according to supported color formats */
formats = devm_kzalloc(dev, (ldev->caps.pix_fmt_nb +
@@ -1613,14 +1610,10 @@ static struct drm_plane *ltdc_plane_create(struct drm_device *ddev,
}
}
- plane = devm_kzalloc(dev, sizeof(*plane), GFP_KERNEL);
- if (!plane)
- return NULL;
-
- ret = drm_universal_plane_init(ddev, plane, possible_crtcs,
- <dc_plane_funcs, formats, nb_fmt,
- modifiers, type, NULL);
- if (ret < 0)
+ plane = drmm_universal_plane_alloc(ddev, struct drm_plane, dev,
+ possible_crtcs, <dc_plane_funcs, formats,
+ nb_fmt, modifiers, type, NULL);
+ if (IS_ERR(plane))
return NULL;
if (ldev->caps.ycbcr_input) {
@@ -1643,15 +1636,6 @@ static struct drm_plane *ltdc_plane_create(struct drm_device *ddev,
return plane;
}
-static void ltdc_plane_destroy_all(struct drm_device *ddev)
-{
- struct drm_plane *plane, *plane_temp;
-
- list_for_each_entry_safe(plane, plane_temp,
- &ddev->mode_config.plane_list, head)
- drm_plane_cleanup(plane);
-}
-
static int ltdc_crtc_init(struct drm_device *ddev, struct drm_crtc *crtc)
{
struct ltdc_device *ldev = ddev->dev_private;
@@ -1677,14 +1661,14 @@ static int ltdc_crtc_init(struct drm_device *ddev, struct drm_crtc *crtc)
/* Init CRTC according to its hardware features */
if (ldev->caps.crc)
- ret = drm_crtc_init_with_planes(ddev, crtc, primary, NULL,
- <dc_crtc_with_crc_support_funcs, NULL);
+ ret = drmm_crtc_init_with_planes(ddev, crtc, primary, NULL,
+ <dc_crtc_with_crc_support_funcs, NULL);
else
- ret = drm_crtc_init_with_planes(ddev, crtc, primary, NULL,
- <dc_crtc_funcs, NULL);
+ ret = drmm_crtc_init_with_planes(ddev, crtc, primary, NULL,
+ <dc_crtc_funcs, NULL);
if (ret) {
DRM_ERROR("Can not initialize CRTC\n");
- goto cleanup;
+ return ret;
}
drm_crtc_helper_add(crtc, <dc_crtc_helper_funcs);
@@ -1698,9 +1682,8 @@ static int ltdc_crtc_init(struct drm_device *ddev, struct drm_crtc *crtc)
for (i = 1; i < ldev->caps.nb_layers; i++) {
overlay = ltdc_plane_create(ddev, DRM_PLANE_TYPE_OVERLAY, i);
if (!overlay) {
- ret = -ENOMEM;
DRM_ERROR("Can not create overlay plane %d\n", i);
- goto cleanup;
+ return -ENOMEM;
}
if (ldev->caps.dynamic_zorder)
drm_plane_create_zpos_property(overlay, i, 0, ldev->caps.nb_layers - 1);
@@ -1713,10 +1696,6 @@ static int ltdc_crtc_init(struct drm_device *ddev, struct drm_crtc *crtc)
}
return 0;
-
-cleanup:
- ltdc_plane_destroy_all(ddev);
- return ret;
}
static void ltdc_encoder_disable(struct drm_encoder *encoder)
@@ -1776,23 +1755,19 @@ static int ltdc_encoder_init(struct drm_device *ddev, struct drm_bridge *bridge)
struct drm_encoder *encoder;
int ret;
- encoder = devm_kzalloc(ddev->dev, sizeof(*encoder), GFP_KERNEL);
- if (!encoder)
- return -ENOMEM;
+ encoder = drmm_simple_encoder_alloc(ddev, struct drm_encoder, dev,
+ DRM_MODE_ENCODER_DPI);
+ if (IS_ERR(encoder))
+ return PTR_ERR(encoder);
encoder->possible_crtcs = CRTC_MASK;
encoder->possible_clones = 0; /* No cloning support */
- drm_simple_encoder_init(ddev, encoder, DRM_MODE_ENCODER_DPI);
-
drm_encoder_helper_add(encoder, <dc_encoder_helper_funcs);
ret = drm_bridge_attach(encoder, bridge, NULL, 0);
- if (ret) {
- if (ret != -EPROBE_DEFER)
- drm_encoder_cleanup(encoder);
+ if (ret)
return ret;
- }
DRM_DEBUG_DRIVER("Bridge encoder:%d created\n", encoder->base.id);
@@ -1962,8 +1937,7 @@ int ltdc_load(struct drm_device *ddev)
goto err;
if (panel) {
- bridge = drm_panel_bridge_add_typed(panel,
- DRM_MODE_CONNECTOR_DPI);
+ bridge = drmm_panel_bridge_add(ddev, panel);
if (IS_ERR(bridge)) {
DRM_ERROR("panel-bridge endpoint %d\n", i);
ret = PTR_ERR(bridge);
@@ -2045,7 +2019,7 @@ int ltdc_load(struct drm_device *ddev)
}
}
- crtc = devm_kzalloc(dev, sizeof(*crtc), GFP_KERNEL);
+ crtc = drmm_kzalloc(ddev, sizeof(*crtc), GFP_KERNEL);
if (!crtc) {
DRM_ERROR("Failed to allocate crtc\n");
ret = -ENOMEM;
@@ -2072,9 +2046,6 @@ int ltdc_load(struct drm_device *ddev)
return 0;
err:
- for (i = 0; i < nb_endpoints; i++)
- drm_of_panel_bridge_remove(ddev->dev->of_node, 0, i);
-
clk_disable_unprepare(ldev->pixel_clk);
return ret;
@@ -2082,16 +2053,8 @@ int ltdc_load(struct drm_device *ddev)
void ltdc_unload(struct drm_device *ddev)
{
- struct device *dev = ddev->dev;
- int nb_endpoints, i;
-
DRM_DEBUG_DRIVER("\n");
- nb_endpoints = of_graph_get_endpoint_count(dev->of_node);
-
- for (i = 0; i < nb_endpoints; i++)
- drm_of_panel_bridge_remove(ddev->dev->of_node, 0, i);
-
pm_runtime_disable(ddev->dev);
}
--
2.30.2
^ permalink raw reply related [flat|nested] 19+ messages in thread
* Re: [PATCH v4] drm/stm: Avoid use-after-free issues with crtc and plane
2024-02-16 12:50 ` Katya Orlova
@ 2024-02-26 13:50 ` Raphael Gallais-Pou
-1 siblings, 0 replies; 19+ messages in thread
From: Raphael Gallais-Pou @ 2024-02-26 13:50 UTC (permalink / raw)
To: Katya Orlova
Cc: Yannick Fertre, Philippe Cornu, David Airlie, Daniel Vetter,
Maxime Coquelin, Alexandre Torgue, Philipp Zabel, dri-devel,
linux-stm32, linux-arm-kernel, linux-kernel, lvc-project
On 2/16/24 13:50, Katya Orlova wrote:
> ltdc_load() calls functions drm_crtc_init_with_planes(),
> drm_universal_plane_init() and drm_encoder_init(). These functions
> should not be called with parameters allocated with devm_kzalloc()
> to avoid use-after-free issues [1].
>
> Use allocations managed by the DRM framework.
>
> Found by Linux Verification Center (linuxtesting.org).
>
> [1]
> https://lore.kernel.org/lkml/u366i76e3qhh3ra5oxrtngjtm2u5lterkekcz6y2jkndhuxzli@diujon4h7qwb/
>
> Signed-off-by: Katya Orlova <e.orlova@ispras.ru>
Hi Katya,
Thanks for this submission.
Acked-by: Raphaël Gallais-Pou <raphael.gallais-pou@foss.st.com>
Regards,
Raphaël
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH v4] drm/stm: Avoid use-after-free issues with crtc and plane
@ 2024-02-26 13:50 ` Raphael Gallais-Pou
0 siblings, 0 replies; 19+ messages in thread
From: Raphael Gallais-Pou @ 2024-02-26 13:50 UTC (permalink / raw)
To: Katya Orlova
Cc: Yannick Fertre, Philippe Cornu, David Airlie, Daniel Vetter,
Maxime Coquelin, Alexandre Torgue, Philipp Zabel, dri-devel,
linux-stm32, linux-arm-kernel, linux-kernel, lvc-project
On 2/16/24 13:50, Katya Orlova wrote:
> ltdc_load() calls functions drm_crtc_init_with_planes(),
> drm_universal_plane_init() and drm_encoder_init(). These functions
> should not be called with parameters allocated with devm_kzalloc()
> to avoid use-after-free issues [1].
>
> Use allocations managed by the DRM framework.
>
> Found by Linux Verification Center (linuxtesting.org).
>
> [1]
> https://lore.kernel.org/lkml/u366i76e3qhh3ra5oxrtngjtm2u5lterkekcz6y2jkndhuxzli@diujon4h7qwb/
>
> Signed-off-by: Katya Orlova <e.orlova@ispras.ru>
Hi Katya,
Thanks for this submission.
Acked-by: Raphaël Gallais-Pou <raphael.gallais-pou@foss.st.com>
Regards,
Raphaël
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
^ permalink raw reply [flat|nested] 19+ messages in thread
end of thread, other threads:[~2024-02-26 13:52 UTC | newest]
Thread overview: 19+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-10-20 10:29 [PATCH] drm/stm: Avoid use-after-free issues with crtc and plane Katya Orlova
2023-10-20 10:29 ` Katya Orlova
2023-10-20 10:29 ` Katya Orlova
2023-10-23 8:19 ` Raphael Gallais-Pou
2023-10-23 8:19 ` Raphael Gallais-Pou
2023-10-23 8:19 ` Raphael Gallais-Pou
2023-11-24 10:04 ` [PATCH v2] " Katya Orlova
2023-11-24 10:04 ` Katya Orlova
2023-11-24 10:04 ` Katya Orlova
2024-01-05 9:21 ` Raphael Gallais-Pou
2024-01-05 9:21 ` Raphael Gallais-Pou
2024-01-05 9:21 ` Raphael Gallais-Pou
2024-01-22 11:11 ` [PATCH v3] " Katya Orlova
2024-01-22 11:11 ` Katya Orlova
2024-01-22 11:11 ` Katya Orlova
2024-02-16 12:50 ` [PATCH v4] " Katya Orlova
2024-02-16 12:50 ` Katya Orlova
2024-02-26 13:50 ` Raphael Gallais-Pou
2024-02-26 13:50 ` Raphael Gallais-Pou
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.