| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <01315373-4c02-539b-9586-d764053bd8ba@collabora.com>
Date: Mon, 28 Nov 2022 14:09:19 +0100
From: AngeloGioacchino Del Regno
<angelogioacchino.delregno@...labora.com>
To: Nícolas F. R. A. Prado
<nfraprado@...labora.com>
Cc: Chun-Kuang Hu <chunkuang.hu@...nel.org>, kernel@...labora.com,
"Nancy . Lin" <nancy.lin@...iatek.com>, CK Hu <ck.hu@...iatek.com>,
Daniel Kurtz <djkurtz@...omium.org>,
Daniel Vetter <daniel@...ll.ch>,
David Airlie <airlied@...il.com>,
Mao Huang <littlecvr@...omium.org>,
Matthias Brugger <matthias.bgg@...il.com>,
Philipp Zabel <p.zabel@...gutronix.de>,
YT Shen <yt.shen@...iatek.com>,
dri-devel@...ts.freedesktop.org,
linux-arm-kernel@...ts.infradead.org, linux-kernel@...r.kernel.org,
linux-mediatek@...ts.infradead.org
Subject: Re: [PATCH v2] drm/mediatek: Clean dangling pointer on bind error
path
Il 25/11/22 17:34, Nícolas F. R. A. Prado ha scritto:
> On Wed, Nov 23, 2022 at 10:15:25AM +0100, AngeloGioacchino Del Regno wrote:
>> Il 22/11/22 15:39, Nícolas F. R. A. Prado ha scritto:
>>> mtk_drm_bind() can fail, in which case drm_dev_put() is called,
>>> destroying the drm_device object. However a pointer to it was still
>>> being held in the private object, and that pointer would be passed along
>>> to DRM in mtk_drm_sys_prepare() if a suspend were triggered at that
>>> point, resulting in a panic. Clean the pointer when destroying the
>>> object in the error path to prevent this from happening.
>>>
>>> Fixes: 119f5173628a ("drm/mediatek: Add DRM Driver for Mediatek SoC MT8173.")
>>> Signed-off-by: Nícolas F. R. A. Prado <nfraprado@...labora.com>
>>>
>>> ---
>>>
>>> Changes in v2:
>>> - Added Fixes tag
>>>
>>> drivers/gpu/drm/mediatek/mtk_drm_drv.c | 1 +
>>> 1 file changed, 1 insertion(+)
>>>
>>> diff --git a/drivers/gpu/drm/mediatek/mtk_drm_drv.c b/drivers/gpu/drm/mediatek/mtk_drm_drv.c
>>> index 39a42dc8fb85..a21ff1b3258c 100644
>>> --- a/drivers/gpu/drm/mediatek/mtk_drm_drv.c
>>> +++ b/drivers/gpu/drm/mediatek/mtk_drm_drv.c
>>> @@ -514,6 +514,7 @@ static int mtk_drm_bind(struct device *dev)
>>> err_deinit:
>>> mtk_drm_kms_deinit(drm);
>>> err_free:
>>> + private->drm = NULL;
>>
>> Sorry for not noticing that in v1, but I've rechecked this function and, while this
>> commit does indeed actually solve the described issue, I think it's incomplete.
>>
>> A few lines before, we have a loop that sets
>>
>> private->all_drm_private[i]->drm = drm;
>
> Actually that line only exists with [1] applied, but that commit hasn't been
> merged as of yet. I debated whether it would be better to send this fix as is,
> or ask Nancy Lin to add the tweaked fix you mention below to that series, but
> sending this fix as is seemed better since it can be backported to older kernel
> versions.
>
> So assuming this commit gets merged first, Nancy should make that tweak you
> mentioned below to ensure all the pointers are zeroed out, which is why I've
> added Nancy to CC. (As a side note, given that only the mmsys with drm_master =
> true would ever call the drm suspend helper, even this patch as is is enough to
> avoid the panic even with that series applied, still we should zero out all
> pointers for good measure)
>
> [1] https://lore.kernel.org/linux-mediatek/20221107072413.16178-6-nancy.lin@mediatek.com/
>
Sorry about that, you're right - the proposed fix is for the commit you
linked, I got confused somehow.
This means that you get my
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@...labora.com>
Cheers!
Powered by blists - more mailing lists