From patchwork Mon Sep 12 15:40:40 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Johan Hovold X-Patchwork-Id: 12973760 Received: from johan by xi.lan with local (Exim 4.94.2) 
(envelope-from ) id 1oXlYp-0003Mo-5V; Mon, 12 Sep 2022 17:41:23 +0200 From: Johan Hovold To: Douglas Anderson , Dmitry Baryshkov , Rob Clark Cc: Andrzej Hajda , Neil Armstrong , Robert Foss , Laurent Pinchart , Jonas Karlman , Jernej Skrabec , David Airlie , Daniel Vetter , Sean Paul , Stephen Boyd , Bjorn Andersson , Manivannan Sadhasivam , dri-devel@lists.freedesktop.org, linux-arm-msm@vger.kernel.org, freedreno@lists.freedesktop.org, linux-kernel@vger.kernel.org, Johan Hovold , stable@vger.kernel.org Subject: [PATCH 1/7] drm/msm: fix use-after-free on probe deferral Date: Mon, 12 Sep 2022 17:40:40 +0200 Message-Id: <20220912154046.12900-2-johan+linaro@kernel.org> X-Mailer: git-send-email 2.35.1 In-Reply-To: <20220912154046.12900-1-johan+linaro@kernel.org> References: <20220912154046.12900-1-johan+linaro@kernel.org> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-arm-msm@vger.kernel.org The bridge counter was never reset when tearing down the DRM device so that stale pointers to deallocated structures would be accessed on the next tear down (e.g. after a second late bind deferral). Given enough bridges and a few probe deferrals this could currently also lead to data beyond the bridge array being corrupted. Fixes: d28ea556267c ("drm/msm: properly add and remove internal bridges") Cc: stable@vger.kernel.org # 5.19 Signed-off-by: Johan Hovold Reviewed-by: Dmitry Baryshkov --- drivers/gpu/drm/msm/msm_drv.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/gpu/drm/msm/msm_drv.c b/drivers/gpu/drm/msm/msm_drv.c index 391d86b54ded..d254fe2507ec 100644 --- a/drivers/gpu/drm/msm/msm_drv.c +++ b/drivers/gpu/drm/msm/msm_drv.c @@ -241,6 +241,7 @@ static int msm_drm_uninit(struct device *dev) for (i = 0; i < priv->num_bridges; i++) drm_bridge_remove(priv->bridges[i]); + priv->num_bridges = 0; pm_runtime_get_sync(dev); msm_irq_uninstall(ddev);
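Review bot: the added `priv->num_bridges = 0;` after the `drm_bridge_remove()` loop in msm_drm_uninit() resets the count but leaves the stale pointers in `priv->bridges[]`, so any later reader that does not go through `num_bridges` would still see entries pointing at deallocated structures; consider clearing each slot inside the loop as well (`priv->bridges[i] = NULL;`). The commit message also says the array could be written past its end after repeated deferrals, and nothing in this hunk bounds the index: the reset removes the known trigger, but a check of `num_bridges` against the array size at the point where bridges are added (not shown in this hunk) would keep a future missed reset from turning into memory corruption. A short comment on the new line noting that the device can be bound again after a probe deferral would explain why the counter has to be reset on teardown.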