Karol Herbst
2023-Aug-14 14:49 UTC
[Nouveau] [PATCH] drm/nouveau/disp: fix use-after-free in error handling of nouveau_connector_create
We can't simply free the connector after calling drm_connector_init on it.
We need to clean up the drm side first.
It might not fix all regressions from 2b5d1c29f6c4 ("drm/nouveau/disp:
PIOR DP uses GPIO for HPD, not PMGR AUX interrupts"), but at least it
fixes a memory corruption in error handling related to that commit.
Link: https://lore.kernel.org/lkml/20230806213107.GFZNARG6moWpFuSJ9W at fat_crate.local/
Fixes: 95983aea8003 ("drm/nouveau/disp: add connector class")
Signed-off-by: Karol Herbst <kherbst at redhat.com>
---
drivers/gpu/drm/nouveau/nouveau_connector.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/drivers/gpu/drm/nouveau/nouveau_connector.c
b/drivers/gpu/drm/nouveau/nouveau_connector.c
index a2e0033e8a260..622f6eb9a8bfd 100644
--- a/drivers/gpu/drm/nouveau/nouveau_connector.c
+++ b/drivers/gpu/drm/nouveau/nouveau_connector.c
@@ -1408,8 +1408,7 @@ nouveau_connector_create(struct drm_device *dev,
ret = nvif_conn_ctor(&disp->disp, nv_connector->base.name,
nv_connector->index,
&nv_connector->conn);
if (ret) {
- kfree(nv_connector);
- return ERR_PTR(ret);
+ goto drm_conn_err;
}
ret = nvif_conn_event_ctor(&nv_connector->conn,
"kmsHotplug",
@@ -1426,8 +1425,7 @@ nouveau_connector_create(struct drm_device *dev,
if (ret) {
nvif_event_dtor(&nv_connector->hpd);
nvif_conn_dtor(&nv_connector->conn);
- kfree(nv_connector);
- return ERR_PTR(ret);
+ goto drm_conn_err;
}
}
}
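Review bot: the `if (ret)` block in this hunk still tears down the hpd event and the conn object by hand before jumping to drm_conn_err, so the unwind order (nvif objects first, then the DRM connector, then kfree) is correct but split between the call site and the label; a second label that runs nvif_event_dtor() and nvif_conn_dtor() and then falls through into drm_conn_err would keep the whole unwind in one place and make it harder for a future error path added after nvif_conn_event_ctor() to forget the dtors.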
@@ -1475,4 +1473,9 @@ nouveau_connector_create(struct drm_device *dev,
drm_connector_register(connector);
return connector;
+
+drm_conn_err:
+ drm_connector_cleanup(connector);
+ kfree(nv_connector);
+ return ERR_PTR(ret);
}
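Review bot: the new drm_conn_err label pairs drm_connector_cleanup(connector) with kfree(nv_connector) in the right order, since the DRM core can still reach the connector until cleanup has run; a one-line comment above the label stating that it is only valid once drm_connector_init() has succeeded would document that precondition for anyone adding a third `goto drm_conn_err` later, and the `+` blank line before the label is consistent with the kernel's usual out-label layout.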
--
2.41.0
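To make the ordering the commit message insists on concrete, here is an added example that is not from the patch or from the kernel: a simplified C model in which drm_connector_init() links the connector into a per-device list and drm_connector_cleanup() unlinks it, so freeing without cleanup leaves the device holding a pointer to freed memory. The model_* helpers and dangling_after() are assumptions of this example, not kernel APIs.

```c
#include <stdbool.h>
#include <stddef.h>

/* Simplified model of the DRM side (added example, not kernel code):
 * drm_connector_init() links the connector into a per-device list and
 * drm_connector_cleanup() unlinks it; that list is what keeps a freed
 * object reachable when kfree() runs without cleanup. */
struct connector { struct connector *prev, *next; bool freed; };
struct device { struct connector list; };   /* circular-list sentinel */

static void dev_init(struct device *d) { d->list.prev = d->list.next = &d->list; }

/* Stand-in for drm_connector_init(): after this the device references c. */
static void model_connector_init(struct device *dev, struct connector *c)
{
	c->freed = false;
	c->prev = dev->list.prev; c->next = &dev->list;
	dev->list.prev->next = c; dev->list.prev = c;
}

/* Stand-in for drm_connector_cleanup(): the device drops its reference. */
static void model_connector_cleanup(struct connector *c)
{
	c->prev->next = c->next; c->next->prev = c->prev;
	c->prev = c->next = NULL;
}

/* Stand-in for kfree(): mark the object freed instead of releasing it, so a
 * later list walk can count dangling references without reading freed memory. */
static void model_kfree(struct connector *c) { c->freed = true; }

/* Count list entries that still point at an already-freed connector. */
static int dangling_entries(const struct device *dev)
{
	int n = 0;
	for (const struct connector *c = dev->list.next; c != &dev->list; c = c->next)
		n += c->freed;
	return n;
}

/* Run one create attempt with a constructed ctor result; 'fixed' selects the
 * patched unwind (cleanup, then free) over the original kfree()-only path. */
static int dangling_after(bool fixed, int ctor_ret)
{
	struct device dev; struct connector conn;
	dev_init(&dev);
	model_connector_init(&dev, &conn);            /* drm_connector_init() */
	if (ctor_ret) {                               /* nvif_conn_ctor() failed */
		if (fixed)
			model_connector_cleanup(&conn);   /* drm_conn_err: */
		model_kfree(&conn);
	}
	return dangling_entries(&dev);
}
```

With the original error path the device list still holds the freed connector (one dangling entry); with the patched unwind it holds none.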
Borislav Petkov
2023-Aug-16 09:30 UTC
[Nouveau] [PATCH] drm/nouveau/disp: fix use-after-free in error handling of nouveau_connector_create
On Mon, Aug 14, 2023 at 04:49:32PM +0200, Karol Herbst wrote:
> We can't simply free the connector after calling drm_connector_init on it.
> We need to clean up the drm side first.
>
> It might not fix all regressions from 2b5d1c29f6c4 ("drm/nouveau/disp:
> PIOR DP uses GPIO for HPD, not PMGR AUX interrupts"), but at least it
> fixes a memory corruption in error handling related to that commit.
>
> Link: https://lore.kernel.org/lkml/20230806213107.GFZNARG6moWpFuSJ9W at fat_crate.local/
> Fixes: 95983aea8003 ("drm/nouveau/disp: add connector class")
> Signed-off-by: Karol Herbst <kherbst at redhat.com>
> ---
> drivers/gpu/drm/nouveau/nouveau_connector.c | 11 +++++++----
> 1 file changed, 7 insertions(+), 4 deletions(-)

This one on top of -rc5 doesn't help, unfortunately.

Thx.

--
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette
Lyude Paul
2023-Aug-16 20:47 UTC
[Nouveau] [PATCH] drm/nouveau/disp: fix use-after-free in error handling of nouveau_connector_create
Reviewed-by: Lyude Paul <lyude at redhat.com>

On Mon, 2023-08-14 at 16:49 +0200, Karol Herbst wrote:
> We can't simply free the connector after calling drm_connector_init on it.
> We need to clean up the drm side first.
>
> It might not fix all regressions from 2b5d1c29f6c4 ("drm/nouveau/disp:
> PIOR DP uses GPIO for HPD, not PMGR AUX interrupts"), but at least it
> fixes a memory corruption in error handling related to that commit.
>
> Link: https://lore.kernel.org/lkml/20230806213107.GFZNARG6moWpFuSJ9W at fat_crate.local/
> Fixes: 95983aea8003 ("drm/nouveau/disp: add connector class")
> Signed-off-by: Karol Herbst <kherbst at redhat.com>
> ---
> drivers/gpu/drm/nouveau/nouveau_connector.c | 11 +++++++----
> 1 file changed, 7 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/gpu/drm/nouveau/nouveau_connector.c b/drivers/gpu/drm/nouveau/nouveau_connector.c
> index a2e0033e8a260..622f6eb9a8bfd 100644
> --- a/drivers/gpu/drm/nouveau/nouveau_connector.c
> +++ b/drivers/gpu/drm/nouveau/nouveau_connector.c
> @@ -1408,8 +1408,7 @@ nouveau_connector_create(struct drm_device *dev,
> ret = nvif_conn_ctor(&disp->disp, nv_connector->base.name, nv_connector->index,
> &nv_connector->conn);
> if (ret) {
> - kfree(nv_connector);
> - return ERR_PTR(ret);
> + goto drm_conn_err;
> }
>
> ret = nvif_conn_event_ctor(&nv_connector->conn, "kmsHotplug",
> @@ -1426,8 +1425,7 @@ nouveau_connector_create(struct drm_device *dev,
> if (ret) {
> nvif_event_dtor(&nv_connector->hpd);
> nvif_conn_dtor(&nv_connector->conn);
> - kfree(nv_connector);
> - return ERR_PTR(ret);
> + goto drm_conn_err;
> }
> }
> }
> @@ -1475,4 +1473,9 @@ nouveau_connector_create(struct drm_device *dev,
>
> drm_connector_register(connector);
> return connector;
> +
> +drm_conn_err:
> + drm_connector_cleanup(connector);
> + kfree(nv_connector);
> + return ERR_PTR(ret);
> }

--
Cheers,
 Lyude Paul (she/her)
 Software Engineer at Red Hat