From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Ziqi Zhao <astrajoan@yahoo.com>,
syzbot+4fad2e57beb6397ab2fc@syzkaller.appspotmail.com,
Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>,
Maxime Ripard <mripard@kernel.org>,
Sasha Levin <sashal@kernel.org>,
maarten.lankhorst@linux.intel.com, tzimmermann@suse.de,
airlied@gmail.com, daniel@ffwll.ch,
dri-devel@lists.freedesktop.org
Subject: [PATCH AUTOSEL 4.14 3/6] drm/crtc: Fix uninit-value bug in drm_mode_setcrtc
Date: Mon, 18 Dec 2023 07:47:20 -0500 [thread overview]
Message-ID: <20231218124725.1382738-3-sashal@kernel.org> (raw)
In-Reply-To: <20231218124725.1382738-1-sashal@kernel.org>
From: Ziqi Zhao <astrajoan@yahoo.com>
[ Upstream commit 3823119b9c2b5f9e9b760336f75bc989b805cde6 ]
The connector_set contains uninitialized values when allocated with
kmalloc_array. However, in the "out" branch, the logic assumes that any
element in connector_set would be equal to NULL if it failed to
initialize, which causes the bug reported by Syzbot. The fix is to use
an extra variable to keep track of how many connectors are actually
initialized, and use that variable to decrease any refcounts in the "out"
branch.
Reported-by: syzbot+4fad2e57beb6397ab2fc@syzkaller.appspotmail.com
Signed-off-by: Ziqi Zhao <astrajoan@yahoo.com>
Reported-and-tested-by: syzbot+4fad2e57beb6397ab2fc@syzkaller.appspotmail.com
Tested-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Link: https://lore.kernel.org/r/20230721161446.8602-1-astrajoan@yahoo.com
Signed-off-by: Maxime Ripard <mripard@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/drm_crtc.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/drivers/gpu/drm/drm_crtc.c b/drivers/gpu/drm/drm_crtc.c
index 5af25ce5bf7c2..5ae3adfbc5e80 100644
--- a/drivers/gpu/drm/drm_crtc.c
+++ b/drivers/gpu/drm/drm_crtc.c
@@ -556,8 +556,7 @@ int drm_mode_setcrtc(struct drm_device *dev, void *data,
struct drm_mode_set set;
uint32_t __user *set_connectors_ptr;
struct drm_modeset_acquire_ctx ctx;
- int ret;
- int i;
+ int ret, i, num_connectors;
if (!drm_core_check_feature(dev, DRIVER_MODESET))
return -EINVAL;
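Review bot: num_connectors should be initialized at its declaration rather than only just before the lookup loop, e.g. `+ int ret, i, num_connectors = 0;`. As written, any `goto out;` taken before the `num_connectors = 0;` assignment reaches the cleanup loop with num_connectors uninitialized and relies entirely on the `if (connector_set)` guard in the out path to skip it; initializing here removes that implicit coupling and avoids a future uninit-value report if the guard is ever reorganized.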
@@ -672,6 +671,7 @@ int drm_mode_setcrtc(struct drm_device *dev, void *data,
goto out;
}
+ num_connectors = 0;
for (i = 0; i < crtc_req->count_connectors; i++) {
connector_set[i] = NULL;
set_connectors_ptr = (uint32_t __user *)(unsigned long)crtc_req->set_connectors_ptr;
@@ -692,6 +692,7 @@ int drm_mode_setcrtc(struct drm_device *dev, void *data,
connector->name);
connector_set[i] = connector;
+ num_connectors++;
}
}
@@ -700,7 +701,7 @@ int drm_mode_setcrtc(struct drm_device *dev, void *data,
set.y = crtc_req->y;
set.mode = mode;
set.connectors = connector_set;
- set.num_connectors = crtc_req->count_connectors;
+ set.num_connectors = num_connectors;
set.fb = fb;
ret = __drm_mode_set_config_internal(&set, &ctx);
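Review bot: the commit message should state why replacing `crtc_req->count_connectors` with `num_connectors` here is behaviour-preserving on the success path. Control only reaches this point when every lookup in the loop succeeded, so num_connectors equals crtc_req->count_connectors and the set handed to __drm_mode_set_config_internal() is unchanged; spelling that out makes the stable backport easier to review.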
@@ -709,7 +710,7 @@ int drm_mode_setcrtc(struct drm_device *dev, void *data,
drm_framebuffer_put(fb);
if (connector_set) {
- for (i = 0; i < crtc_req->count_connectors; i++) {
+ for (i = 0; i < num_connectors; i++) {
if (connector_set[i])
drm_connector_put(connector_set[i]);
}
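Review bot: with the cleanup loop now bounded by num_connectors, every entry it visits was assigned a looked-up connector, so the `if (connector_set[i])` check and the `connector_set[i] = NULL;` store at the top of the lookup loop are now redundant. Keeping them is harmless and arguably defensive for a stable backport, but a follow-up could drop both so the code no longer suggests that NULL entries are a reachable state.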
--
2.43.0