From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Ziqi Zhao , syzbot+4fad2e57beb6397ab2fc@syzkaller.appspotmail.com, Harshit Mogalapalli , Maxime Ripard , Sasha Levin , maarten.lankhorst@linux.intel.com, tzimmermann@suse.de, airlied@gmail.com, daniel@ffwll.ch, dri-devel@lists.freedesktop.org
Subject: [PATCH AUTOSEL 4.14 3/6] drm/crtc: Fix uninit-value bug in drm_mode_setcrtc
Date: Mon, 18 Dec 2023 07:47:20 -0500
Message-ID: <20231218124725.1382738-3-sashal@kernel.org>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20231218124725.1382738-1-sashal@kernel.org>
References: <20231218124725.1382738-1-sashal@kernel.org>
Precedence: bulk
X-Mailing-List: stable@vger.kernel.org
List-Id:
List-Subscribe:
List-Unsubscribe:
MIME-Version: 1.0
X-stable: review
X-Patchwork-Hint: Ignore
X-stable-base: Linux 4.14.333
Content-Transfer-Encoding: 8bit

From: Ziqi Zhao

[ Upstream commit 3823119b9c2b5f9e9b760336f75bc989b805cde6 ]

The connector_set contains uninitialized values when allocated with kmalloc_array. However, in the "out" branch, the logic assumes that any element in connector_set would be equal to NULL if failed to initialize, which causes the bug reported by Syzbot.

The fix is to use an extra variable to keep track of how many connectors are initialized indeed, and use that variable to decrease any refcounts in the "out" branch.

Reported-by: syzbot+4fad2e57beb6397ab2fc@syzkaller.appspotmail.com
Signed-off-by: Ziqi Zhao
Reported-and-tested-by: syzbot+4fad2e57beb6397ab2fc@syzkaller.appspotmail.com
Tested-by: Harshit Mogalapalli
Link: https://lore.kernel.org/r/20230721161446.8602-1-astrajoan@yahoo.com
Signed-off-by: Maxime Ripard
Signed-off-by: Sasha Levin
---
 drivers/gpu/drm/drm_crtc.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/drivers/gpu/drm/drm_crtc.c b/drivers/gpu/drm/drm_crtc.c
index 5af25ce5bf7c2..5ae3adfbc5e80 100644
--- a/drivers/gpu/drm/drm_crtc.c
+++ b/drivers/gpu/drm/drm_crtc.c
@@ -556,8 +556,7 @@ int drm_mode_setcrtc(struct drm_device *dev, void *data, struct drm_mode_set set; uint32_t __user *set_connectors_ptr; struct drm_modeset_acquire_ctx ctx; - int ret; - int i; + int ret, i, num_connectors; if (!drm_core_check_feature(dev, DRIVER_MODESET)) return -EINVAL; @@ -672,6 +671,7 @@ int drm_mode_setcrtc(struct drm_device *dev, void *data, goto out; } + num_connectors = 0; for (i = 0; i < crtc_req->count_connectors; i++) { connector_set[i] = NULL; set_connectors_ptr = (uint32_t __user *)(unsigned long)crtc_req->set_connectors_ptr; @@ -692,6 +692,7 @@ int drm_mode_setcrtc(struct drm_device *dev, void *data, connector->name); connector_set[i] = connector; + num_connectors++; } } @@ -700,7 +701,7 @@ int drm_mode_setcrtc(struct drm_device *dev, void *data, set.y = crtc_req->y; set.mode = mode; set.connectors = connector_set; - set.num_connectors = crtc_req->count_connectors; + set.num_connectors = num_connectors; set.fb = fb; ret = __drm_mode_set_config_internal(&set, &ctx); @@ -709,7 +710,7 @@ int drm_mode_setcrtc(struct drm_device *dev, void *data, drm_framebuffer_put(fb); if (connector_set) { - for (i = 0; i < crtc_req->count_connectors; i++) { + for (i = 0; i < num_connectors; i++) { if (connector_set[i]) drm_connector_put(connector_set[i]); } -- 2.43.0
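Review bot: in the first two hunks, `num_connectors` is declared uninitialized (`int ret, i, num_connectors;`) and only zeroed by the separate `num_connectors = 0;` line immediately before the connector loop, so on any `goto out` taken before that point the cleanup bound at `out:` is an indeterminate value and correctness rests on `if (connector_set)` skipping the loop. Initialising it at the declaration, `int ret, i, num_connectors = 0;`, makes the cleanup bound well-defined on every path that reaches `out:` and lets the extra assignment line go.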
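Review bot: in the `set.num_connectors = num_connectors;` hunk, a comment or a sentence in the commit message should say why this is safe: every lookup failure inside the fill loop jumps to `out` before `set` is populated, so whenever this line executes `num_connectors` already equals `crtc_req->count_connectors` and the modeset itself is unchanged; the line is there so the struct never advertises more connectors than were actually acquired.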
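Review bot: in the last hunk, once the bound is `i < num_connectors` every slot below it was filled from a successful lookup in the same iteration that incremented the counter, so the `if (connector_set[i])` test inside the cleanup loop can no longer be false and the `connector_set[i] = NULL;` at the top of the fill loop only touches the one slot whose lookup fails, which the new loop never visits; both are harmless to keep but could be dropped. The commit message would also benefit from stating what the old bound actually did: after a failure at index i, slots i+1 onward still held whatever `kmalloc_array` returned, and the old `i < crtc_req->count_connectors` loop handed those values to `drm_connector_put()`, a refcount drop through an uninitialized pointer rather than a mere leak.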
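The pattern this patch fixes, reduced to a stand-alone model (added here as an illustration; it is not the kernel's code): a buffer that starts uninitialized is filled by fallible lookups, and the error path must only release the slots that were actually filled. `connector_get`, `connector_put`, the refcount table and the sample ids are all constructed for the demo.

```c
#include <stdlib.h>

/* Constructed model of drm_mode_setcrtc(): connectors are refcounted objects
 * looked up one at a time into a buffer that, like kmalloc_array(), starts
 * with uninitialized contents. */
#define NUM_KNOWN_CONNECTORS 4
static int connector_refs[NUM_KNOWN_CONNECTORS]; /* hypothetical refcount table */

static int *connector_get(unsigned id) {
	if (id >= NUM_KNOWN_CONNECTORS)
		return NULL; /* lookup failure, as when a connector id is unknown */
	connector_refs[id]++;
	return &connector_refs[id];
}
static void connector_put(int *c) { (*c)--; }

/* Returns 0 on success, -1 on failure. The cleanup loop is bounded by
 * num_connectors, the number of slots actually filled, so a failure at
 * index i never reads the uninitialized slots i..count-1 (the bug the
 * patch fixes was bounding this loop by count instead). */
int set_crtc(const unsigned *ids, unsigned count) {
	int **connector_set = NULL;
	unsigned i, num_connectors = 0;
	int ret = 0;
	if (count) {
		connector_set = malloc(count * sizeof(*connector_set));
		if (!connector_set)
			return -1;
	}
	for (i = 0; i < count; i++) {
		int *c = connector_get(ids[i]);
		if (!c) { ret = -1; goto out; }
		connector_set[i] = c;
		num_connectors++; /* only slots below this index are valid */
	}
	/* a real implementation would apply the mode to the connectors here */
out:
	for (i = 0; i < num_connectors; i++)
		connector_put(connector_set[i]);
	free(connector_set);
	return ret;
}

/* Outstanding references across all connectors; 0 means nothing leaked. */
int total_refs(void) {
	int sum = 0;
	for (int i = 0; i < NUM_KNOWN_CONNECTORS; i++) sum += connector_refs[i];
	return sum;
}
/* Constructed inputs: ids 0,1,2 exist; id 9 does not, so the second lookup fails. */
int demo_success(void) { const unsigned ids[] = {0, 1, 2}; return set_crtc(ids, 3); }
int demo_failure(void) { const unsigned ids[] = {0, 9, 1}; return set_crtc(ids, 3); }
```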