[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <3rrycldn3ssrqqyiowv3ariqigfonddps6d34zjquzar6fahtc@ozy6jqnaiq3c>
Date: Fri, 6 Oct 2023 17:58:35 +0300
From: Fedor Pchelkin <pchelkin@...ras.ru>
To: David Airlie <airlied@...il.com>, Daniel Vetter <daniel@...ll.ch>,
Dave Airlie <airlied@...hat.com>
Cc: Maarten Lankhorst <maarten.lankhorst@...ux.intel.com>,
Maxime Ripard <mripard@...nel.org>,
Thomas Zimmermann <tzimmermann@...e.de>,
Daniel Stone <daniels@...labora.com>,
dri-devel@...ts.freedesktop.org, linux-kernel@...r.kernel.org,
Alexey Khoroshilov <khoroshilov@...ras.ru>,
lvc-project@...uxtesting.org
Subject: Re: [PATCH] drm/crtc: do not release uninitialized connector
reference
On 23/07/21 01:15PM, Fedor Pchelkin wrote:
> Inside drm_mode_setcrtc() connector_set is allocated using kmalloc_array()
> so its values are uninitialized. When filling this array with actual
> pointers to drm connector objects, an error caused with invalid ioctl
> request data may occur leading us to put references to already taken
> objects. However, the last elements of the array are left uninitialized
> which makes drm_connector_put() to be called with an invalid argument.
>
> We can obviously just initialize the array with kcalloc() but the current
> fix chose a slightly different way.
>
> The index of failing array element is known so just put references to the
> array members with lower indices.
>
> The temporary 'connector' pointer seems to be redundant as we can directly
> fill the connector_set elements and thus avoid unnecessary NULL
> assignments and checks.
>
> Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
>
> Fixes: b164d31f50b2 ("drm/modes: add connector reference counting. (v2)")
> Signed-off-by: Fedor Pchelkin <pchelkin@...ras.ru>
I'm sorry for bothering everyone with this issue, but status of the patch
here [1] is still 'New', and I have no means to deduce whether the
subsystem maintainers didn't have time to review (it is totally
understandable as the amount of patches is enormous) or the patch was
missed somehow.
[1]: https://patchwork.kernel.org/project/dri-devel/patch/20230721101600.4392-1-pchelkin@ispras.ru/
Powered by blists - more mailing lists