Karol Herbst
2023-Aug-14 14:49 UTC
[Nouveau] [PATCH] drm/nouveau/disp: fix use-after-free in error handling of nouveau_connector_create
We can't simply free the connector after calling drm_connector_init on it. We need to clean up the drm side first. It might not fix all regressions from 2b5d1c29f6c4 ("drm/nouveau/disp: PIOR DP uses GPIO for HPD, not PMGR AUX interrupts"), but at least it fixes a memory corruption in error handling related to that commit. Link: https://lore.kernel.org/lkml/20230806213107.GFZNARG6moWpFuSJ9W at fat_crate.local/ Fixes: 95983aea8003 ("drm/nouveau/disp: add connector class") Signed-off-by: Karol Herbst <kherbst at redhat.com> --- drivers/gpu/drm/nouveau/nouveau_connector.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/drivers/gpu/drm/nouveau/nouveau_connector.c b/drivers/gpu/drm/nouveau/nouveau_connector.c index a2e0033e8a260..622f6eb9a8bfd 100644 --- a/drivers/gpu/drm/nouveau/nouveau_connector.c +++ b/drivers/gpu/drm/nouveau/nouveau_connector.c @@ -1408,8 +1408,7 @@ nouveau_connector_create(struct drm_device *dev, ret = nvif_conn_ctor(&disp->disp, nv_connector->base.name, nv_connector->index, &nv_connector->conn); if (ret) { - kfree(nv_connector); - return ERR_PTR(ret); + goto drm_conn_err; } ret = nvif_conn_event_ctor(&nv_connector->conn, "kmsHotplug", @@ -1426,8 +1425,7 @@ nouveau_connector_create(struct drm_device *dev, if (ret) { nvif_event_dtor(&nv_connector->hpd); nvif_conn_dtor(&nv_connector->conn); - kfree(nv_connector); - return ERR_PTR(ret); + goto drm_conn_err; } } } @@ -1475,4 +1473,9 @@ nouveau_connector_create(struct drm_device *dev, drm_connector_register(connector); return connector; + +drm_conn_err: + drm_connector_cleanup(connector); + kfree(nv_connector); + return ERR_PTR(ret); } -- 2.41.0
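Review bot: in the first hunk (@@ -1408), `goto drm_conn_err` on nvif_conn_ctor() failure is only correct if drm_connector_init() has already succeeded at that point, since drm_connector_cleanup() on a connector that was never initialised would be its own bug; the init call is outside the hunk, so confirm it precedes line 1408 and that no error return between drm_connector_init() and this site still does a bare kfree().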
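Review bot: in the second hunk (@@ -1426), the failure check for nvif_conn_event_ctor() (the call that ends the first hunk's context) sits in the unchanged lines between the two hunks and is not shown; if it still does `kfree(nv_connector); return ERR_PTR(ret);` directly, it has the same use-after-free as the two converted sites, so it should be verified or converted too. Style point on the same hunk: nvif_event_dtor()/nvif_conn_dtor() are hand-unrolled before the goto; a stacked label chain (`err_hpd: nvif_event_dtor(...);` falling into `err_conn: nvif_conn_dtor(...);` falling into `drm_conn_err:`) would let each failure site jump to its own rung and make a forgotten dtor harder to introduce later.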
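Review bot: in the third hunk (@@ -1475), the `drm_conn_err:` label is placed after drm_connector_register(), which is fine for the current jump sites since both happen before registration, but a one-line comment stating that the label expects an initialised, not yet registered connector would stop a future error path added after drm_connector_register() from jumping here without a matching drm_connector_unregister(). Minor: the bare `return ERR_PTR(ret)` relies on every jump site leaving a negative errno in `ret`, which both current sites do.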
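The commit message states the rule the patch enforces: once drm_connector_init() has linked the connector into the DRM device, the containing allocation may not be freed until drm_connector_cleanup() has unlinked it. The following is an added example, not nouveau code or the patch author's, that models that unwind order with stand-in functions (the fake_* names and the live[] ledger are assumptions introduced here; the real kernel has neither) and contrasts the pre-patch "kfree() right after a failed constructor" shape with a reverse-order label ladder, which is a variant of the patch's single-label fix.

```c
/* Added example: models the error-unwinding order nouveau_connector_create()
 * needs. fake_* functions are stand-ins with the same roles as the real
 * drm_/nvif_ calls (assumed names, not kernel APIs); the live[] ledger is a
 * constructed bookkeeping aid so the unwinding can be checked offline. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum res { RES_MEM, RES_DRM_CONN, RES_NVIF_CONN, RES_HPD, RES_COUNT };

static int live[RES_COUNT];   /* objects currently set up, per kind */
static int fail_step;         /* 0 = nothing fails, 1..4 = step that fails */

struct nv_connector {
	int index;                /* the real struct embeds a drm_connector */
};

/* Step 1: allocation of the driver-private connector. */
static struct nv_connector *fake_kzalloc(void)
{
	if (fail_step == 1)
		return NULL;
	live[RES_MEM]++;
	return calloc(1, sizeof(struct nv_connector));
}
static void fake_kfree(struct nv_connector *c) { live[RES_MEM]--; free(c); }

/* Step 2: drm_connector_init() links the connector into the DRM device;
 * after this the DRM core holds a pointer into the allocation. */
static int fake_drm_connector_init(void)
{
	if (fail_step == 2)
		return -EIO;
	live[RES_DRM_CONN]++;
	return 0;
}
static void fake_drm_connector_cleanup(void) { live[RES_DRM_CONN]--; }

/* Step 3: nvif_conn_ctor(). */
static int fake_nvif_conn_ctor(void)
{
	if (fail_step == 3)
		return -EIO;
	live[RES_NVIF_CONN]++;
	return 0;
}
static void fake_nvif_conn_dtor(void) { live[RES_NVIF_CONN]--; }

/* Step 4: nvif_conn_event_ctor() for the "kmsHotplug" event. */
static int fake_nvif_conn_event_ctor(void)
{
	if (fail_step == 4)
		return -EIO;
	live[RES_HPD]++;
	return 0;
}
static void fake_nvif_event_dtor(void) { live[RES_HPD]--; }

/* Pre-patch shape: the allocation is freed while the DRM core still
 * references it, so RES_DRM_CONN stays live (a dangling pointer). */
static struct nv_connector *create_buggy(void)
{
	struct nv_connector *c = fake_kzalloc();
	if (!c)
		return NULL;
	if (fake_drm_connector_init()) { fake_kfree(c); return NULL; }
	if (fake_nvif_conn_ctor()) { fake_kfree(c); return NULL; }       /* bug */
	if (fake_nvif_conn_event_ctor()) {
		fake_nvif_conn_dtor();
		fake_kfree(c);                                               /* bug */
		return NULL;
	}
	return c;
}

/* Fixed shape: every failure jumps to the rung matching what is already
 * constructed, and the rungs fall through in reverse construction order. */
static struct nv_connector *create_fixed(void)
{
	struct nv_connector *c = fake_kzalloc();
	if (!c)
		return NULL;
	if (fake_drm_connector_init())
		goto err_mem;
	if (fake_nvif_conn_ctor())
		goto err_drm;
	if (fake_nvif_conn_event_ctor())
		goto err_conn;
	return c;

err_conn:
	fake_nvif_conn_dtor();
err_drm:
	fake_drm_connector_cleanup();
err_mem:
	fake_kfree(c);
	return NULL;
}

/* Force `step` to fail, run one variant, and report how many objects are
 * still live afterwards; 0 means the unwind was complete. */
static int live_after_failure(int step, int use_fixed)
{
	struct nv_connector *c;
	int i, total = 0;

	memset(live, 0, sizeof(live));
	fail_step = step;
	c = use_fixed ? create_fixed() : create_buggy();
	if (c) {   /* success: tear down in reverse order like a normal destroy */
		fake_nvif_event_dtor();
		fake_nvif_conn_dtor();
		fake_drm_connector_cleanup();
		fake_kfree(c);
	}
	for (i = 0; i < RES_COUNT; i++)
		total += live[i];
	return total;
}

int main(void)
{
	int step;
	for (step = 0; step <= 4; step++)
		printf("fail at step %d: buggy leaves %d live, fixed leaves %d live\n",
		       step, live_after_failure(step, 0), live_after_failure(step, 1));
	return 0;
}
```

With steps 3 and 4 forced to fail, the buggy variant leaves the DRM-side object live after its memory is gone, which is exactly the dangling reference the patch removes; the fixed variant leaves nothing live on any path.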
Borislav Petkov
2023-Aug-16 09:30 UTC
[Nouveau] [PATCH] drm/nouveau/disp: fix use-after-free in error handling of nouveau_connector_create
On Mon, Aug 14, 2023 at 04:49:32PM +0200, Karol Herbst wrote:
> We can't simply free the connector after calling drm_connector_init on it.
> We need to clean up the drm side first.
>
> It might not fix all regressions from 2b5d1c29f6c4 ("drm/nouveau/disp:
> PIOR DP uses GPIO for HPD, not PMGR AUX interrupts"), but at least it
> fixes a memory corruption in error handling related to that commit.
>
> Link: https://lore.kernel.org/lkml/20230806213107.GFZNARG6moWpFuSJ9W at fat_crate.local/
> Fixes: 95983aea8003 ("drm/nouveau/disp: add connector class")
> Signed-off-by: Karol Herbst <kherbst at redhat.com>
> ---
> drivers/gpu/drm/nouveau/nouveau_connector.c | 11 +++++++----
> 1 file changed, 7 insertions(+), 4 deletions(-)

This one on top of -rc5 doesn't help, unfortunately.

Thx.

--
Regards/Gruss,
Boris.

https://people.kernel.org/tglx/notes-about-netiquette
Lyude Paul
2023-Aug-16 20:47 UTC
[Nouveau] [PATCH] drm/nouveau/disp: fix use-after-free in error handling of nouveau_connector_create
Reviewed-by: Lyude Paul <lyude at redhat.com> On Mon, 2023-08-14 at 16:49 +0200, Karol Herbst wrote:> We can't simply free the connector after calling drm_connector_init on it. > We need to clean up the drm side first. > > It might not fix all regressions from 2b5d1c29f6c4 ("drm/nouveau/disp: > PIOR DP uses GPIO for HPD, not PMGR AUX interrupts"), but at least it > fixes a memory corruption in error handling related to that commit. > > Link: https://lore.kernel.org/lkml/20230806213107.GFZNARG6moWpFuSJ9W at fat_crate.local/ > Fixes: 95983aea8003 ("drm/nouveau/disp: add connector class") > Signed-off-by: Karol Herbst <kherbst at redhat.com> > --- > drivers/gpu/drm/nouveau/nouveau_connector.c | 11 +++++++---- > 1 file changed, 7 insertions(+), 4 deletions(-) > > diff --git a/drivers/gpu/drm/nouveau/nouveau_connector.c b/drivers/gpu/drm/nouveau/nouveau_connector.c > index a2e0033e8a260..622f6eb9a8bfd 100644 > --- a/drivers/gpu/drm/nouveau/nouveau_connector.c > +++ b/drivers/gpu/drm/nouveau/nouveau_connector.c > @@ -1408,8 +1408,7 @@ nouveau_connector_create(struct drm_device *dev, > ret = nvif_conn_ctor(&disp->disp, nv_connector->base.name, nv_connector->index, > &nv_connector->conn); > if (ret) { > - kfree(nv_connector); > - return ERR_PTR(ret); > + goto drm_conn_err; > } > > ret = nvif_conn_event_ctor(&nv_connector->conn, "kmsHotplug", > @@ -1426,8 +1425,7 @@ nouveau_connector_create(struct drm_device *dev, > if (ret) { > nvif_event_dtor(&nv_connector->hpd); > nvif_conn_dtor(&nv_connector->conn); > - kfree(nv_connector); > - return ERR_PTR(ret); > + goto drm_conn_err; > } > } > } > @@ -1475,4 +1473,9 @@ nouveau_connector_create(struct drm_device *dev, > > drm_connector_register(connector); > return connector; > + > +drm_conn_err: > + drm_connector_cleanup(connector); > + kfree(nv_connector); > + return ERR_PTR(ret); > }-- Cheers, Lyude Paul (she/her) Software Engineer at Red Hat