Message ID | 20250212084912.3196-1-jose.exposito89@gmail.com (mailing list archive) |
---|---|
State | New, archived |
Series | drm/vkms: Fix use after free and double free on init error |
On 12.02.25 at 09:49, José Expósito wrote: > If the driver initialization fails, the vkms_exit() function might > access an uninitialized or freed default_config pointer and it might > double free it. > > Fix both possible errors by initializing default_config only when the > driver initialization succeeded. > > Reported-by: Louis Chauvet <louis.chauvet@bootlin.com> > Link: https://lore.kernel.org/all/Z5uDHcCmAwiTsGte@louis-chauvet-laptop/ > Fixes: 2df7af93fdad ("drm/vkms: Add vkms_config type") > Signed-off-by: José Expósito <jose.exposito89@gmail.com> Reviewed-by: Thomas Zimmermann <tzimmremann@suse.de> Thanks for posting this patch separately. Best regards Thomas > --- > drivers/gpu/drm/vkms/vkms_drv.c | 15 +++++++++------ > 1 file changed, 9 insertions(+), 6 deletions(-) > > diff --git a/drivers/gpu/drm/vkms/vkms_drv.c b/drivers/gpu/drm/vkms/vkms_drv.c > index 7c142bfc3bd9..b6de91134a22 100644 > --- a/drivers/gpu/drm/vkms/vkms_drv.c > +++ b/drivers/gpu/drm/vkms/vkms_drv.c > @@ -235,17 +235,19 @@ static int __init vkms_init(void) > if (!config) > return -ENOMEM; > > - default_config = config; > - > config->cursor = enable_cursor; > config->writeback = enable_writeback; > config->overlay = enable_overlay; > > ret = vkms_create(config); > - if (ret) > + if (ret) { > kfree(config); > + return ret; > + } > > - return ret; > + default_config = config; > + > + return 0; > } > > static void vkms_destroy(struct vkms_config *config) > @@ -269,9 +271,10 @@ static void vkms_destroy(struct vkms_config *config) > > static void __exit vkms_exit(void) > { > - if (default_config->dev) > - vkms_destroy(default_config); > + if (!default_config) > + return; > > + vkms_destroy(default_config); > kfree(default_config); > } >
On 12/02/2025 at 09:53, Thomas Zimmermann wrote: > > > On 12.02.25 at 09:49, José Expósito wrote: >> If the driver initialization fails, the vkms_exit() function might >> access an uninitialized or freed default_config pointer and it might >> double free it. >> >> Fix both possible errors by initializing default_config only when the >> driver initialization succeeded. >> >> Reported-by: Louis Chauvet <louis.chauvet@bootlin.com> >> Link: https://lore.kernel.org/all/Z5uDHcCmAwiTsGte@louis-chauvet-laptop/ >> Fixes: 2df7af93fdad ("drm/vkms: Add vkms_config type") >> Signed-off-by: José Expósito <jose.exposito89@gmail.com> > > Reviewed-by: Thomas Zimmermann <tzimmremann@suse.de> Reviewed-by: Louis Chauvet <louis.chauvet@bootlin.com> lore.kernel.org is broken currently, to avoid doing mistakes, I will wait for it to be working again so I can apply your patch using dim+b4. (I removed danvet.vetter@ffwl.ch from CC, the mail server rejected the mail) Thanks! Louis Chauvet > Thanks for posting this patch separately. > > Best regards > Thomas > >> --- >> drivers/gpu/drm/vkms/vkms_drv.c | 15 +++++++++------ >> 1 file changed, 9 insertions(+), 6 deletions(-) >> >> diff --git a/drivers/gpu/drm/vkms/vkms_drv.c b/drivers/gpu/drm/vkms/vkms_drv.c >> index 7c142bfc3bd9..b6de91134a22 100644 >> --- a/drivers/gpu/drm/vkms/vkms_drv.c >> +++ b/drivers/gpu/drm/vkms/vkms_drv.c >> @@ -235,17 +235,19 @@ static int __init vkms_init(void) >> if (!config) >> return -ENOMEM; >> >> - default_config = config; >> - >> config->cursor = enable_cursor; >> config->writeback = enable_writeback; >> config->overlay = enable_overlay; >> >> ret = vkms_create(config); >> - if (ret) >> + if (ret) { >> kfree(config); >> + return ret; >> + } >> >> - return ret; >> + default_config = config; >> + >> + return 0; >> } >> >> static void vkms_destroy(struct vkms_config *config) 
>> @@ -269,9 +271,10 @@ static void vkms_destroy(struct vkms_config *config) >> >> static void __exit vkms_exit(void) >> { >> - if (default_config->dev) >> - vkms_destroy(default_config); >> + if (!default_config) >> + return; >> >> + vkms_destroy(default_config); >> kfree(default_config); >> } >> >
On 12/02/25 - 15:06, Louis Chauvet wrote: > > > On 12/02/2025 at 09:53, Thomas Zimmermann wrote: > > > > > > On 12.02.25 at 09:49, José Expósito wrote: > > > If the driver initialization fails, the vkms_exit() function might > > > access an uninitialized or freed default_config pointer and it might > > > double free it. > > > > > > Fix both possible errors by initializing default_config only when the > > > driver initialization succeeded. > > > > > > Reported-by: Louis Chauvet <louis.chauvet@bootlin.com> > > > Link: https://lore.kernel.org/all/Z5uDHcCmAwiTsGte@louis-chauvet-laptop/ > > > Fixes: 2df7af93fdad ("drm/vkms: Add vkms_config type") 
> > > Signed-off-by: José Expósito <jose.exposito89@gmail.com> > > > > Reviewed-by: Thomas Zimmermann <tzimmremann@suse.de> > > Reviewed-by: Louis Chauvet <louis.chauvet@bootlin.com> > > lore.kernel.org is broken currently, to avoid doing mistakes, I will wait > for it to be working again so I can apply your patch using dim+b4. > > (I removed danvet.vetter@ffwl.ch from CC, the mail server rejected the mail) > > Thanks! > Louis Chauvet Hello, I tried to apply the commit, but I have a strange issue: $ dim push Enumerating objects: 13, done. Counting objects: 100% (13/13), done. Delta compression using up to 20 threads Compressing objects: 100% (7/7), done. Writing objects: 100% (7/7), 1.67 KiB | 113.00 KiB/s, done. Total 7 (delta 6), reused 0 (delta 0), pack-reused 0 (from 0) remote: remote: ======================================================================== remote: remote: Equinix is shutting down its operations with us on April 30, 2025. remote: They have graciously supported us for almost 5 years, but all good remote: things come to an end. Given the time frame, it's going to be hard remote: to make a smooth transition of the cluster to somewhere else remote: ([TBD](https://gitlab.freedesktop.org/freedesktop/freedesktop/-/issues/2011)). remote: Please expect in the next months some hiccups in the service and remote: probably at least a full week of downtime to transfer gitlab to a remote: different place. All help is appreciated. remote: remote: ======================================================================== remote: To gitlab.freedesktop.org:drm/misc/kernel.git ff3881cc6a58..ed15511a773d drm-misc-next -> drm-misc-next Pushing drm-misc-fixes to for-linux-next-fixes... Everything up-to-date Done. Out of merge window. Pushing drm-misc-next to for-linux-next... 
remote: remote: ======================================================================== remote: remote: ERROR: Internal API unreachable remote: remote: ======================================================================== remote: fatal: Could not read from remote repository. Please make sure you have the correct access rights and the repository exists. Is this expected? Thanks, Louis Chauvet > > Thanks for posting this patch separately. > > > > Best regards > > Thomas > > > > > --- > > > drivers/gpu/drm/vkms/vkms_drv.c | 15 +++++++++------ > > > 1 file changed, 9 insertions(+), 6 deletions(-) > > > > > > diff --git a/drivers/gpu/drm/vkms/vkms_drv.c b/drivers/gpu/drm/vkms/vkms_drv.c > > > index 7c142bfc3bd9..b6de91134a22 100644 > > > --- a/drivers/gpu/drm/vkms/vkms_drv.c > > > +++ b/drivers/gpu/drm/vkms/vkms_drv.c > > > @@ -235,17 +235,19 @@ static int __init vkms_init(void) > > > if (!config) > > > return -ENOMEM; > > > - default_config = config; > > > - > > > config->cursor = enable_cursor; > > > config->writeback = enable_writeback; > > > config->overlay = enable_overlay; > > > ret = vkms_create(config); > > > - if (ret) > > > + if (ret) { > > > kfree(config); > > > + return ret; > > > + } > > > - return ret; > > > + default_config = config; > > > + > > > + return 0; > > > } > > > static void vkms_destroy(struct vkms_config *config) > > > @@ -269,9 +271,10 @@ static void vkms_destroy(struct vkms_config *config) > > > static void __exit vkms_exit(void) > > > { > > > - if (default_config->dev) > > > - vkms_destroy(default_config); > > > + if (!default_config) > > > + return; > > > + vkms_destroy(default_config); > > > kfree(default_config); > > > } > > > > -- > Louis Chauvet, Bootlin > Embedded Linux and Kernel engineering > https://bootlin.com >
On Thu, Feb 13, 2025 at 04:11:20PM +0100, Louis Chauvet wrote: > On 12/02/25 - 15:06, Louis Chauvet wrote: > > > > > > On 12/02/2025 at 09:53, Thomas Zimmermann wrote: > > > > > > > > > On 12.02.25 at 09:49, José Expósito wrote: > > > > If the driver initialization fails, the vkms_exit() function might > > > > access an uninitialized or freed default_config pointer and it might > > > > double free it. > > > > > > > > Fix both possible errors by initializing default_config only when the > > > > driver initialization succeeded. > > > > > > > > Reported-by: Louis Chauvet <louis.chauvet@bootlin.com> > > > > Link: https://lore.kernel.org/all/Z5uDHcCmAwiTsGte@louis-chauvet-laptop/ > > > > Fixes: 2df7af93fdad ("drm/vkms: Add vkms_config type") 
> > > > Signed-off-by: José Expósito <jose.exposito89@gmail.com> > > > > > > Reviewed-by: Thomas Zimmermann <tzimmremann@suse.de> > > > > Reviewed-by: Louis Chauvet <louis.chauvet@bootlin.com> > > > > lore.kernel.org is broken currently, to avoid doing mistakes, I will wait > > for it to be working again so I can apply your patch using dim+b4. > > > > (I removed danvet.vetter@ffwl.ch from CC, the mail server rejected the mail) > > > > Thanks! > > Louis Chauvet > > Hello, > > I tried to apply the commit, but I have a strange issue: > > $ dim push > Enumerating objects: 13, done. > Counting objects: 100% (13/13), done. > Delta compression using up to 20 threads > Compressing objects: 100% (7/7), done. > Writing objects: 100% (7/7), 1.67 KiB | 113.00 KiB/s, done. > Total 7 (delta 6), reused 0 (delta 0), pack-reused 0 (from 0) > remote: > remote: ======================================================================== > remote: > remote: Equinix is shutting down its operations with us on April 30, 2025. > remote: They have graciously supported us for almost 5 years, but all good > remote: things come to an end. Given the time frame, it's going to be hard > remote: to make a smooth transition of the cluster to somewhere else > remote: ([TBD](https://gitlab.freedesktop.org/freedesktop/freedesktop/-/issues/2011)). > remote: Please expect in the next months some hiccups in the service and > remote: probably at least a full week of downtime to transfer gitlab to a > remote: different place. All help is appreciated. > remote: > remote: ======================================================================== > remote: > To gitlab.freedesktop.org:drm/misc/kernel.git > ff3881cc6a58..ed15511a773d drm-misc-next -> drm-misc-next > Pushing drm-misc-fixes to for-linux-next-fixes... Everything up-to-date > Done. > Out of merge window. Pushing drm-misc-next to for-linux-next... 
> remote: > remote: ======================================================================== > remote: > remote: ERROR: Internal API unreachable > > remote: > remote: ======================================================================== > remote: > fatal: Could not read from remote repository. > > Please make sure you have the correct access rights > and the repository exists. > > Is this expected? I guess you managed to fix the issue. I git pull-ed this morning and the patch was applied. Jose > Thanks, > Louis Chauvet > > > > Thanks for posting this patch separately. > > > > > > Best regards > > > Thomas > > > > > > > --- > > > > drivers/gpu/drm/vkms/vkms_drv.c | 15 +++++++++------ > > > > 1 file changed, 9 insertions(+), 6 deletions(-) > > > > > > > > diff --git a/drivers/gpu/drm/vkms/vkms_drv.c b/drivers/gpu/drm/vkms/vkms_drv.c > > > > index 7c142bfc3bd9..b6de91134a22 100644 > > > > --- a/drivers/gpu/drm/vkms/vkms_drv.c > > > > +++ b/drivers/gpu/drm/vkms/vkms_drv.c > > > > @@ -235,17 +235,19 @@ static int __init vkms_init(void) > > > > if (!config) > > > > return -ENOMEM; > > > > - default_config = config; > > > > - > > > > config->cursor = enable_cursor; > > > > config->writeback = enable_writeback; > > > > config->overlay = enable_overlay; > > > > ret = vkms_create(config); > > > > - if (ret) > > > > + if (ret) { > > > > kfree(config); > > > > + return ret; > > > > + } > > > > - return ret; > > > > + default_config = config; > > > > + > > > > + return 0; > > > > } > > > > static void vkms_destroy(struct vkms_config *config) 
> > > > @@ -269,9 +271,10 @@ static void vkms_destroy(struct vkms_config *config) > > > > static void __exit vkms_exit(void) > > > > { > > > > - if (default_config->dev) > > > > - vkms_destroy(default_config); > > > > + if (!default_config) > > > > + return; > > > > + vkms_destroy(default_config); > > > > kfree(default_config); > > > > } > > > > > > > -- > > Louis Chauvet, Bootlin > > Embedded Linux and Kernel engineering > > https://bootlin.com > >
On 14/02/2025 at 16:44, José Expósito wrote: > On Thu, Feb 13, 2025 at 04:11:20PM +0100, Louis Chauvet wrote: >> On 12/02/25 - 15:06, Louis Chauvet wrote: >>> >>> >>> On 12/02/2025 at 09:53, Thomas Zimmermann wrote: >>>> >>>> >>>> On 12.02.25 at 09:49, José Expósito wrote: >>>>> If the driver initialization fails, the vkms_exit() function might >>>>> access an uninitialized or freed default_config pointer and it might >>>>> double free it. >>>>> >>>>> Fix both possible errors by initializing default_config only when the >>>>> driver initialization succeeded. >>>>> >>>>> Reported-by: Louis Chauvet <louis.chauvet@bootlin.com> >>>>> Link: https://lore.kernel.org/all/Z5uDHcCmAwiTsGte@louis-chauvet-laptop/ >>>>> Fixes: 2df7af93fdad ("drm/vkms: Add vkms_config type") 
>>>>> Signed-off-by: José Expósito <jose.exposito89@gmail.com> >>>> >>>> Reviewed-by: Thomas Zimmermann <tzimmremann@suse.de> >>> >>> Reviewed-by: Louis Chauvet <louis.chauvet@bootlin.com> >>> >>> lore.kernel.org is broken currently, to avoid doing mistakes, I will wait >>> for it to be working again so I can apply your patch using dim+b4. >>> >>> (I removed danvet.vetter@ffwl.ch from CC, the mail server rejected the mail) >>> >>> Thanks! >>> Louis Chauvet >> >> Hello, >> >> I tried to apply the commit, but I have a strange issue: >> >> $ dim push >> Enumerating objects: 13, done. >> Counting objects: 100% (13/13), done. >> Delta compression using up to 20 threads >> Compressing objects: 100% (7/7), done. >> Writing objects: 100% (7/7), 1.67 KiB | 113.00 KiB/s, done. >> Total 7 (delta 6), reused 0 (delta 0), pack-reused 0 (from 0) >> remote: >> remote: ======================================================================== >> remote: >> remote: Equinix is shutting down its operations with us on April 30, 2025. >> remote: They have graciously supported us for almost 5 years, but all good >> remote: things come to an end. Given the time frame, it's going to be hard >> remote: to make a smooth transition of the cluster to somewhere else >> remote: ([TBD](https://gitlab.freedesktop.org/freedesktop/freedesktop/-/issues/2011)). >> remote: Please expect in the next months some hiccups in the service and >> remote: probably at least a full week of downtime to transfer gitlab to a >> remote: different place. All help is appreciated. >> remote: >> remote: ======================================================================== >> remote: >> To gitlab.freedesktop.org:drm/misc/kernel.git >> ff3881cc6a58..ed15511a773d drm-misc-next -> drm-misc-next >> Pushing drm-misc-fixes to for-linux-next-fixes... Everything up-to-date >> Done. >> Out of merge window. Pushing drm-misc-next to for-linux-next... 
>> remote: >> remote: ======================================================================== >> remote: >> remote: ERROR: Internal API unreachable >> >> remote: >> remote: ======================================================================== >> remote: >> fatal: Could not read from remote repository. >> >> Please make sure you have the correct access rights >> and the repository exists. >> >> Is this expected? > > I guess you managed to fix the issue. I git pull-ed this morning and > the patch was applied. It is applied to drm-misc/drm-misc-next, but not on drm-misc/for-linux-next. I don't know if this is important and how to fix the issue if yes. Louis Chauvet > Jose > >> Thanks, >> Louis Chauvet >> >>>> Thanks for posting this patch separately. >>>> >>>> Best regards >>>> Thomas >>>> >>>>> --- >>>>> drivers/gpu/drm/vkms/vkms_drv.c | 15 +++++++++------ >>>>> 1 file changed, 9 insertions(+), 6 deletions(-) >>>>> >>>>> diff --git a/drivers/gpu/drm/vkms/vkms_drv.c b/drivers/gpu/drm/vkms/vkms_drv.c >>>>> index 7c142bfc3bd9..b6de91134a22 100644 >>>>> --- a/drivers/gpu/drm/vkms/vkms_drv.c >>>>> +++ b/drivers/gpu/drm/vkms/vkms_drv.c >>>>> @@ -235,17 +235,19 @@ static int __init vkms_init(void) >>>>> if (!config) >>>>> return -ENOMEM; >>>>> - default_config = config; >>>>> - >>>>> config->cursor = enable_cursor; >>>>> config->writeback = enable_writeback; >>>>> config->overlay = enable_overlay; >>>>> ret = vkms_create(config); >>>>> - if (ret) >>>>> + if (ret) { >>>>> kfree(config); >>>>> + return ret; >>>>> + } >>>>> - return ret; >>>>> + default_config = config; >>>>> + >>>>> + return 0; >>>>> } >>>>> static void vkms_destroy(struct vkms_config *config) 
>>>>> @@ -269,9 +271,10 @@ static void vkms_destroy(struct vkms_config *config) >>>>> static void __exit vkms_exit(void) >>>>> { >>>>> - if (default_config->dev) >>>>> - vkms_destroy(default_config); >>>>> + if (!default_config) >>>>> + return; >>>>> + vkms_destroy(default_config); >>>>> kfree(default_config); >>>>> } >>>> >>> >>> -- >>> Louis Chauvet, Bootlin >>> Embedded Linux and Kernel engineering >>> https://bootlin.com >>>
diff --git a/drivers/gpu/drm/vkms/vkms_drv.c b/drivers/gpu/drm/vkms/vkms_drv.c index 7c142bfc3bd9..b6de91134a22 100644 --- a/drivers/gpu/drm/vkms/vkms_drv.c +++ b/drivers/gpu/drm/vkms/vkms_drv.c @@ -235,17 +235,19 @@ static int __init vkms_init(void) if (!config) return -ENOMEM; - default_config = config; - config->cursor = enable_cursor; config->writeback = enable_writeback; config->overlay = enable_overlay; ret = vkms_create(config); - if (ret) + if (ret) { kfree(config); + return ret; + } - return ret; + default_config = config; + + return 0; } static void vkms_destroy(struct vkms_config *config) @@ -269,9 +271,10 @@ static void vkms_destroy(struct vkms_config *config) static void __exit vkms_exit(void) { - if (default_config->dev) - vkms_destroy(default_config); + if (!default_config) + return; + vkms_destroy(default_config); kfree(default_config); }
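Review bot: in the vkms_init() hunk, the moved `default_config = config;` is now the only assignment, so the `if (!default_config)` guard added to vkms_exit() is correct only if the pointer starts out NULL; its declaration is outside the visible lines. A short comment above the assignment, or a sentence in the commit message, saying that default_config stays NULL on both failure returns (`return -ENOMEM;` and the new `return ret;`) would make that dependency explicit for the next person touching the init path.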
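Review bot: in the vkms_exit() hunk, dropping `if (default_config->dev)` means vkms_destroy(default_config) now runs whenever the pointer is non-NULL, which assumes a successful vkms_create() always leaves config->dev set; neither function body is shown here, so the commit message should state that assumption. Consider also adding `default_config = NULL;` after `kfree(default_config);` so the global never holds a stale address once the memory is released.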
If the driver initialization fails, the vkms_exit() function might access an uninitialized or freed default_config pointer and it might double free it.

Fix both possible errors by initializing default_config only when the driver initialization succeeded.

Reported-by: Louis Chauvet <louis.chauvet@bootlin.com>
Link: https://lore.kernel.org/all/Z5uDHcCmAwiTsGte@louis-chauvet-laptop/
Fixes: 2df7af93fdad ("drm/vkms: Add vkms_config type")
Signed-off-by: José Expósito <jose.exposito89@gmail.com>
---
 drivers/gpu/drm/vkms/vkms_drv.c | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)