From: Fedor Pchelkin <pchelkin@ispras.ru> To: David Airlie <airlied@gmail.com>, Daniel Vetter <daniel@ffwll.ch>, Dave Airlie <airlied@redhat.com> Cc: Fedor Pchelkin <pchelkin@ispras.ru>, Maarten Lankhorst <maarten.lankhorst@linux.intel.com>, Maxime Ripard <mripard@kernel.org>, Thomas Zimmermann <tzimmermann@suse.de>, Daniel Stone <daniels@collabora.com>, dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org, Alexey Khoroshilov <khoroshilov@ispras.ru>, lvc-project@linuxtesting.org Subject: [PATCH] drm/crtc: do not release uninitialized connector reference Date: Fri, 21 Jul 2023 13:15:59 +0300 [thread overview] Message-ID: <20230721101600.4392-1-pchelkin@ispras.ru> (raw) Inside drm_mode_setcrtc() connector_set is allocated using kmalloc_array() so its values are uninitialized. When filling this array with actual pointers to drm connector objects, an error caused with invalid ioctl request data may occur leading us to put references to already taken objects. However, the last elements of the array are left uninitialized which makes drm_connector_put() to be called with an invalid argument. We can obviously just initialize the array with kcalloc() but the current fix chose a slightly different way. The index of failing array element is known so just put references to the array members with lower indices. The temporary 'connector' pointer seems to be redundant as we can directly fill the connector_set elements and thus avoid unnecessary NULL assignments and checks. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. Fixes: b164d31f50b2 ("drm/modes: add connector reference counting. (v2)") Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru> --- drivers/gpu/drm/drm_crtc.c | 22 ++++++++-------------- 1 file changed, 8 insertions(+), 14 deletions(-) diff --git a/drivers/gpu/drm/drm_crtc.c b/drivers/gpu/drm/drm_crtc.c index df9bf3c9206e..2a29c3cf12de 100644 --- a/drivers/gpu/drm/drm_crtc.c +++ b/drivers/gpu/drm/drm_crtc.c @@ -709,7 +709,7 @@ int drm_mode_setcrtc(struct drm_device *dev, void *data, struct drm_mode_crtc *crtc_req = data; struct drm_crtc *crtc; struct drm_plane *plane; - struct drm_connector **connector_set = NULL, *connector; + struct drm_connector **connector_set = NULL; struct drm_framebuffer *fb = NULL; struct drm_display_mode *mode = NULL; struct drm_mode_set set; @@ -852,25 +852,22 @@ int drm_mode_setcrtc(struct drm_device *dev, void *data, } for (i = 0; i < crtc_req->count_connectors; i++) { - connector_set[i] = NULL; set_connectors_ptr = (uint32_t __user *)(unsigned long)crtc_req->set_connectors_ptr; if (get_user(out_id, &set_connectors_ptr[i])) { ret = -EFAULT; goto out; } - connector = drm_connector_lookup(dev, file_priv, out_id); - if (!connector) { + connector_set[i] = drm_connector_lookup(dev, file_priv, out_id); + if (!connector_set[i]) { DRM_DEBUG_KMS("Connector id %d unknown\n", out_id); ret = -ENOENT; goto out; } DRM_DEBUG_KMS("[CONNECTOR:%d:%s]\n", - connector->base.id, - connector->name); - - connector_set[i] = connector; + connector_set[i]->base.id, + connector_set[i]->name); } } @@ -891,12 +888,9 @@ int drm_mode_setcrtc(struct drm_device *dev, void *data, if (fb) drm_framebuffer_put(fb); - if (connector_set) { - for (i = 0; i < crtc_req->count_connectors; i++) { - if (connector_set[i]) - drm_connector_put(connector_set[i]); - } - } + if (connector_set) + while (--i >= 0) + drm_connector_put(connector_set[i]); kfree(connector_set); drm_mode_destroy(dev, mode); -- 2.41.0
WARNING: multiple messages have this Message-ID (diff)
From: Fedor Pchelkin <pchelkin@ispras.ru> To: David Airlie <airlied@gmail.com>, Daniel Vetter <daniel@ffwll.ch>, Dave Airlie <airlied@redhat.com> Cc: Daniel Stone <daniels@collabora.com>, Fedor Pchelkin <pchelkin@ispras.ru>, dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org, Maxime Ripard <mripard@kernel.org>, Thomas Zimmermann <tzimmermann@suse.de>, Alexey Khoroshilov <khoroshilov@ispras.ru>, lvc-project@linuxtesting.org Subject: [PATCH] drm/crtc: do not release uninitialized connector reference Date: Fri, 21 Jul 2023 13:15:59 +0300 [thread overview] Message-ID: <20230721101600.4392-1-pchelkin@ispras.ru> (raw) Inside drm_mode_setcrtc() connector_set is allocated using kmalloc_array() so its values are uninitialized. When filling this array with actual pointers to drm connector objects, an error caused with invalid ioctl request data may occur leading us to put references to already taken objects. However, the last elements of the array are left uninitialized which makes drm_connector_put() to be called with an invalid argument. We can obviously just initialize the array with kcalloc() but the current fix chose a slightly different way. The index of failing array element is known so just put references to the array members with lower indices. The temporary 'connector' pointer seems to be redundant as we can directly fill the connector_set elements and thus avoid unnecessary NULL assignments and checks. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. Fixes: b164d31f50b2 ("drm/modes: add connector reference counting. (v2)") Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru> --- drivers/gpu/drm/drm_crtc.c | 22 ++++++++-------------- 1 file changed, 8 insertions(+), 14 deletions(-) diff --git a/drivers/gpu/drm/drm_crtc.c b/drivers/gpu/drm/drm_crtc.c index df9bf3c9206e..2a29c3cf12de 100644 --- a/drivers/gpu/drm/drm_crtc.c +++ b/drivers/gpu/drm/drm_crtc.c @@ -709,7 +709,7 @@ int drm_mode_setcrtc(struct drm_device *dev, void *data, struct drm_mode_crtc *crtc_req = data; struct drm_crtc *crtc; struct drm_plane *plane; - struct drm_connector **connector_set = NULL, *connector; + struct drm_connector **connector_set = NULL; struct drm_framebuffer *fb = NULL; struct drm_display_mode *mode = NULL; struct drm_mode_set set; @@ -852,25 +852,22 @@ int drm_mode_setcrtc(struct drm_device *dev, void *data, } for (i = 0; i < crtc_req->count_connectors; i++) { - connector_set[i] = NULL; set_connectors_ptr = (uint32_t __user *)(unsigned long)crtc_req->set_connectors_ptr; if (get_user(out_id, &set_connectors_ptr[i])) { ret = -EFAULT; goto out; } - connector = drm_connector_lookup(dev, file_priv, out_id); - if (!connector) { + connector_set[i] = drm_connector_lookup(dev, file_priv, out_id); + if (!connector_set[i]) { DRM_DEBUG_KMS("Connector id %d unknown\n", out_id); ret = -ENOENT; goto out; } DRM_DEBUG_KMS("[CONNECTOR:%d:%s]\n", - connector->base.id, - connector->name); - - connector_set[i] = connector; + connector_set[i]->base.id, + connector_set[i]->name); } } @@ -891,12 +888,9 @@ int drm_mode_setcrtc(struct drm_device *dev, void *data, if (fb) drm_framebuffer_put(fb); - if (connector_set) { - for (i = 0; i < crtc_req->count_connectors; i++) { - if (connector_set[i]) - drm_connector_put(connector_set[i]); - } - } + if (connector_set) + while (--i >= 0) + drm_connector_put(connector_set[i]); kfree(connector_set); drm_mode_destroy(dev, mode); -- 2.41.0
next reply other threads:[~2023-07-21 10:24 UTC|newest] Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top 2023-07-21 10:15 Fedor Pchelkin [this message] 2023-07-21 10:15 ` [PATCH] drm/crtc: do not release uninitialized connector reference Fedor Pchelkin 2023-10-06 14:58 ` Fedor Pchelkin 2023-10-06 14:58 ` Fedor Pchelkin
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20230721101600.4392-1-pchelkin@ispras.ru \ --to=pchelkin@ispras.ru \ --cc=airlied@gmail.com \ --cc=airlied@redhat.com \ --cc=daniel@ffwll.ch \ --cc=daniels@collabora.com \ --cc=dri-devel@lists.freedesktop.org \ --cc=khoroshilov@ispras.ru \ --cc=linux-kernel@vger.kernel.org \ --cc=lvc-project@linuxtesting.org \ --cc=maarten.lankhorst@linux.intel.com \ --cc=mripard@kernel.org \ --cc=tzimmermann@suse.de \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.