From: "José Expósito" <jose.exposito89@gmail.com>
To: Thomas Zimmermann <tzimmermann@suse.de>
Cc: louis.chauvet@bootlin.com, hamohammed.sa@gmail.com,
simona@ffwll.ch, melissa.srw@gmail.com,
maarten.lankhorst@linux.intel.com, mripard@kernel.org,
airlied@gmail.com, dri-devel@lists.freedesktop.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2 01/15] drm/vkms: Fix use after free and double free on init error
Date: Wed, 12 Feb 2025 09:52:35 +0100 [thread overview]
Message-ID: <Z6xhU328loIH_5lQ@fedora> (raw)
In-Reply-To: <428f88f2-1f30-4018-8113-1c4716288789@suse.de>
Hi Thomas,
On Tue, Feb 11, 2025 at 03:33:55PM +0100, Thomas Zimmermann wrote:
> Hi
>
> Am 11.02.25 um 12:08 schrieb José Expósito:
> > If the driver initialization fails, the vkms_exit() function might
> > access an uninitialized or freed default_config pointer and it might
> > double free it.
> >
> > Fix both possible errors by initializing default_config only when the
> > driver initialization succeeded.
>
> Could you send this patch separately, so that it can go into drm-misc-fixes
> quickly?
Sure, I just sent it as a separate patch.
Thanks,
Jose
> Best regards
> Thomas
>
> >
> > Reported-by: Louis Chauvet <louis.chauvet@bootlin.com>
> > Link: https://lore.kernel.org/all/Z5uDHcCmAwiTsGte@louis-chauvet-laptop/
> > Fixes: 2df7af93fdad ("drm/vkms: Add vkms_config type")
> > Signed-off-by: José Expósito <jose.exposito89@gmail.com>
> > ---
> > drivers/gpu/drm/vkms/vkms_drv.c | 15 +++++++++------
> > 1 file changed, 9 insertions(+), 6 deletions(-)
> >
> > diff --git a/drivers/gpu/drm/vkms/vkms_drv.c b/drivers/gpu/drm/vkms/vkms_drv.c
> > index 7c142bfc3bd9..b6de91134a22 100644
> > --- a/drivers/gpu/drm/vkms/vkms_drv.c
> > +++ b/drivers/gpu/drm/vkms/vkms_drv.c
> > @@ -235,17 +235,19 @@ static int __init vkms_init(void)
> > if (!config)
> > return -ENOMEM;
> > - default_config = config;
> > -
> > config->cursor = enable_cursor;
> > config->writeback = enable_writeback;
> > config->overlay = enable_overlay;
> > ret = vkms_create(config);
> > - if (ret)
> > + if (ret) {
> > kfree(config);
> > + return ret;
> > + }
> > - return ret;
> > + default_config = config;
> > +
> > + return 0;
> > }
> > static void vkms_destroy(struct vkms_config *config)
> > @@ -269,9 +271,10 @@ static void vkms_destroy(struct vkms_config *config)
> > static void __exit vkms_exit(void)
> > {
> > - if (default_config->dev)
> > - vkms_destroy(default_config);
> > + if (!default_config)
> > + return;
> > + vkms_destroy(default_config);
> > kfree(default_config);
> > }
>
> --
> --
> Thomas Zimmermann
> Graphics Driver Developer
> SUSE Software Solutions Germany GmbH
> Frankenstrasse 146, 90461 Nuernberg, Germany
> GF: Ivo Totev, Andrew Myers, Andrew McDonald, Boudien Moerman
> HRB 36809 (AG Nuernberg)
>
next prev parent reply other threads:[~2025-02-12 8:52 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-02-11 11:08 [PATCH v2 00/15] drm/vkms: Allow to configure device José Expósito
2025-02-11 11:08 ` [PATCH v2 01/15] drm/vkms: Fix use after free and double free on init error José Expósito
2025-02-11 14:33 ` Thomas Zimmermann
2025-02-12 8:52 ` José Expósito [this message]
2025-02-11 11:08 ` [PATCH v2 02/15] drm/vkms: Extract vkms_connector header José Expósito
2025-02-11 11:09 ` [PATCH v2 03/15] drm/vkms: Create vkms_connector struct José Expósito
2025-02-11 11:09 ` [PATCH v2 04/15] drm/vkms: Add KUnit test scaffolding José Expósito
2025-02-13 13:59 ` Louis Chauvet
2025-02-11 11:09 ` [PATCH v2 05/15] drm/vkms: Extract vkms_config header José Expósito
2025-02-13 13:59 ` Louis Chauvet
2025-02-13 15:36 ` José Expósito
2025-02-14 17:03 ` Louis Chauvet
2025-02-11 11:09 ` [PATCH v2 06/15] drm/vkms: Move default_config creation to its own function José Expósito
2025-02-13 13:59 ` Louis Chauvet
2025-02-11 11:09 ` [PATCH v2 07/15] drm/vkms: Set device name from vkms_config José Expósito
2025-02-11 11:09 ` [PATCH v2 08/15] drm/vkms: Add a validation function for VKMS configuration José Expósito
2025-02-13 13:59 ` Louis Chauvet
2025-02-14 15:53 ` José Expósito
2025-02-14 18:20 ` Louis Chauvet
2025-02-11 11:09 ` [PATCH v2 09/15] drm/vkms: Allow to configure multiple planes José Expósito
2025-02-13 13:59 ` Louis Chauvet
2025-02-11 11:09 ` [PATCH v2 10/15] drm/vkms: Allow to configure multiple CRTCs José Expósito
2025-02-13 13:59 ` Louis Chauvet
2025-02-11 11:09 ` [PATCH v2 11/15] drm/vkms: Allow to attach planes and CRTCs José Expósito
2025-02-11 11:09 ` [PATCH v2 12/15] drm/vkms: Allow to configure multiple encoders José Expósito
2025-02-13 13:59 ` Louis Chauvet
2025-02-11 11:09 ` [PATCH v2 13/15] drm/vkms: Allow to attach encoders and CRTCs José Expósito
2025-02-13 13:59 ` Louis Chauvet
2025-02-11 11:09 ` [PATCH v2 14/15] drm/vkms: Allow to configure multiple connectors José Expósito
2025-02-13 13:59 ` Louis Chauvet
2025-02-11 11:09 ` [PATCH v2 15/15] drm/vkms: Allow to attach connectors and encoders José Expósito
2025-02-13 13:59 ` Louis Chauvet
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Z6xhU328loIH_5lQ@fedora \
--to=jose.exposito89@gmail.com \
--cc=airlied@gmail.com \
--cc=dri-devel@lists.freedesktop.org \
--cc=hamohammed.sa@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=louis.chauvet@bootlin.com \
--cc=maarten.lankhorst@linux.intel.com \
--cc=melissa.srw@gmail.com \
--cc=mripard@kernel.org \
--cc=simona@ffwll.ch \
--cc=tzimmermann@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.