linux-kernel - Re: [PATCH 3/6] soc: qcom: pmic_glink_altmode: fix drm bridge use-after-free

lists.openwall.net		lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC
Open Source and information security mailing list archives

Hash Suite: Windows password security audit tool. GUI, reports in PDF.

[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]

Date: Tue, 20 Feb 2024 11:55:57 +0100
From: Markus Elfring <Markus.Elfring@....de>
To: Johan Hovold <johan+linaro@...nel.org>, freedreno@...ts.freedesktop.org,
 dri-devel@...ts.freedesktop.org, linux-phy@...ts.infradead.org,
 linux-arm-msm@...r.kernel.org, kernel-janitors@...r.kernel.org,
 Andrzej Hajda <andrzej.hajda@...el.com>,
 Bjorn Andersson <andersson@...nel.org>, Daniel Vetter <daniel@...ll.ch>,
 David Airlie <airlied@...il.com>,
 Maarten Lankhorst <maarten.lankhorst@...ux.intel.com>,
 Maxime Ripard <mripard@...nel.org>,
 Neil Armstrong <neil.armstrong@...aro.org>, Robert Foss <rfoss@...nel.org>,
 Thomas Zimmermann <tzimmermann@...e.de>, Vinod Koul <vkoul@...nel.org>
Cc: LKML <linux-kernel@...r.kernel.org>,
 Abhinav Kumar <quic_abhinavk@...cinc.com>,
 Dmitry Baryshkov <dmitry.baryshkov@...aro.org>,
 Jernej Skrabec <jernej.skrabec@...il.com>, Jonas Karlman <jonas@...boo.se>,
 Kishon Vijay Abraham I <kishon@...nel.org>,
 Konrad Dybcio <konrad.dybcio@...aro.org>,
 Kuogee Hsieh <quic_khsieh@...cinc.com>,
 Laurent Pinchart <Laurent.pinchart@...asonboard.com>,
 Rob Clark <robdclark@...il.com>, stable@...r.kernel.org
Subject: Re: [PATCH 3/6] soc: qcom: pmic_glink_altmode: fix drm bridge
 use-after-free

…
> Specifically, the dp-hpd bridge is currently registered before all
> resources have been acquired which means that it can also be
> deregistered on probe deferrals.
>
> In the meantime there is a race window where the new aux bridge driver
> (or PHY driver previously) may have looked up the dp-hpd bridge and
> stored a (non-reference-counted) pointer to the bridge which is about to
> be deallocated.
…
> +++ b/drivers/soc/qcom/pmic_glink_altmode.c
…
> @@ -454,7 +454,7 @@ static int pmic_glink_altmode_probe(struct auxiliary_device *adev,
>  		alt_port->index = port;
>  		INIT_WORK(&alt_port->work, pmic_glink_altmode_worker);
>
> -		alt_port->bridge = drm_dp_hpd_bridge_register(dev, to_of_node(fwnode));
> +		alt_port->bridge = devm_drm_dp_hpd_bridge_alloc(dev, to_of_node(fwnode));
>  		if (IS_ERR(alt_port->bridge)) {
>  			fwnode_handle_put(fwnode);
>  			return PTR_ERR(alt_port->bridge);
…

The function call “fwnode_handle_put(fwnode)” is used in multiple if branches.
https://elixir.bootlin.com/linux/v6.8-rc5/source/drivers/soc/qcom/pmic_glink_altmode.c#L435

I suggest to add a jump target so that a bit of exception handling
can be better reused at the end of this function implementation.

Regards,
Markus