Since the encoders have been devm-allocated, they will be freed way before drm_mode_config_cleanup() is called. To avoid use-after-free conditions, we then must ensure that drm_encoder_cleanup() is called before the encoders are freed.
Fixes: c369cb27c267 ("drm/ingenic: Support multiple panels/bridges") Cc: stable@vger.kernel.org # 5.8+ Signed-off-by: Paul Cercueil paul@crapouillou.net --- drivers/gpu/drm/ingenic/ingenic-drm-drv.c | 10 ++++++++++ 1 file changed, 10 insertions(+)
diff --git a/drivers/gpu/drm/ingenic/ingenic-drm-drv.c b/drivers/gpu/drm/ingenic/ingenic-drm-drv.c index 368bfef8b340..d23a3292a0e0 100644 --- a/drivers/gpu/drm/ingenic/ingenic-drm-drv.c +++ b/drivers/gpu/drm/ingenic/ingenic-drm-drv.c @@ -803,6 +803,11 @@ static void __maybe_unused ingenic_drm_release_rmem(void *d) of_reserved_mem_device_release(d); }
+static void ingenic_drm_encoder_cleanup(void *encoder) +{ + drm_encoder_cleanup(encoder); +} + static int ingenic_drm_bind(struct device *dev, bool has_components) { struct platform_device *pdev = to_platform_device(dev); @@ -1011,6 +1016,11 @@ static int ingenic_drm_bind(struct device *dev, bool has_components) return ret; }
+ ret = devm_add_action_or_reset(dev, ingenic_drm_encoder_cleanup, + encoder); + if (ret) + return ret; + ret = drm_bridge_attach(encoder, bridge, NULL, 0); if (ret) { dev_err(dev, "Unable to attach bridge\n");
Hi Paul,
Thank you for the patch.
On Sun, Jan 17, 2021 at 11:26:45AM +0000, Paul Cercueil wrote:
Since the encoders have been devm-allocated, they will be freed way before drm_mode_config_cleanup() is called. To avoid use-after-free conditions, we then must ensure that drm_encoder_cleanup() is called before the encoders are freed.
How about allocating the encoder with drmm_encoder_alloc() instead ?
Fixes: c369cb27c267 ("drm/ingenic: Support multiple panels/bridges") Cc: stable@vger.kernel.org # 5.8+ Signed-off-by: Paul Cercueil paul@crapouillou.net
drivers/gpu/drm/ingenic/ingenic-drm-drv.c | 10 ++++++++++ 1 file changed, 10 insertions(+)
diff --git a/drivers/gpu/drm/ingenic/ingenic-drm-drv.c b/drivers/gpu/drm/ingenic/ingenic-drm-drv.c index 368bfef8b340..d23a3292a0e0 100644 --- a/drivers/gpu/drm/ingenic/ingenic-drm-drv.c +++ b/drivers/gpu/drm/ingenic/ingenic-drm-drv.c @@ -803,6 +803,11 @@ static void __maybe_unused ingenic_drm_release_rmem(void *d) of_reserved_mem_device_release(d); } +static void ingenic_drm_encoder_cleanup(void *encoder) +{
- drm_encoder_cleanup(encoder);
+}
static int ingenic_drm_bind(struct device *dev, bool has_components) { struct platform_device *pdev = to_platform_device(dev); @@ -1011,6 +1016,11 @@ static int ingenic_drm_bind(struct device *dev, bool has_components) return ret; }
ret = devm_add_action_or_reset(dev, ingenic_drm_encoder_cleanup,encoder);if (ret)return ret;- ret = drm_bridge_attach(encoder, bridge, NULL, 0); if (ret) { dev_err(dev, "Unable to attach bridge\n");
Hi Laurent,
Le lun. 18 janv. 2021 à 11:43, Laurent Pinchart laurent.pinchart@ideasonboard.com a écrit :
Hi Paul,
Thank you for the patch.
On Sun, Jan 17, 2021 at 11:26:45AM +0000, Paul Cercueil wrote:
Since the encoders have been devm-allocated, they will be freed way before drm_mode_config_cleanup() is called. To avoid use-after-free conditions, we then must ensure that drm_encoder_cleanup() is called before the encoders are freed.
How about allocating the encoder with drmm_encoder_alloc() instead ?
That would work, but it is not yet in drm-misc-fixes :(
-Paul
Fixes: c369cb27c267 ("drm/ingenic: Support multiple panels/bridges") Cc: stable@vger.kernel.org # 5.8+ Signed-off-by: Paul Cercueil paul@crapouillou.net
drivers/gpu/drm/ingenic/ingenic-drm-drv.c | 10 ++++++++++ 1 file changed, 10 insertions(+)
diff --git a/drivers/gpu/drm/ingenic/ingenic-drm-drv.c b/drivers/gpu/drm/ingenic/ingenic-drm-drv.c index 368bfef8b340..d23a3292a0e0 100644 --- a/drivers/gpu/drm/ingenic/ingenic-drm-drv.c +++ b/drivers/gpu/drm/ingenic/ingenic-drm-drv.c @@ -803,6 +803,11 @@ static void __maybe_unused ingenic_drm_release_rmem(void *d) of_reserved_mem_device_release(d); }
+static void ingenic_drm_encoder_cleanup(void *encoder) +{
- drm_encoder_cleanup(encoder);
+}
static int ingenic_drm_bind(struct device *dev, bool has_components) { struct platform_device *pdev = to_platform_device(dev); @@ -1011,6 +1016,11 @@ static int ingenic_drm_bind(struct device *dev, bool has_components) return ret; }
ret = devm_add_action_or_reset(dev, ingenic_drm_encoder_cleanup,encoder);if (ret)return ret;- ret = drm_bridge_attach(encoder, bridge, NULL, 0); if (ret) { dev_err(dev, "Unable to attach bridge\n");
-- Regards,
Laurent Pinchart
On Mon, Jan 18, 2021 at 11:37:49AM +0000, Paul Cercueil wrote:
Hi Laurent,
Le lun. 18 janv. 2021 à 11:43, Laurent Pinchart laurent.pinchart@ideasonboard.com a écrit :
Hi Paul,
Thank you for the patch.
On Sun, Jan 17, 2021 at 11:26:45AM +0000, Paul Cercueil wrote:
Since the encoders have been devm-allocated, they will be freed way before drm_mode_config_cleanup() is called. To avoid use-after-free conditions, we then must ensure that drm_encoder_cleanup() is called before the encoders are freed.
How about allocating the encoder with drmm_encoder_alloc() instead ?
That would work, but it is not yet in drm-misc-fixes :(
Well I think then we should only fix this in drm-misc-next. Adding more broken usage of devm_ isn't really a good idea.
If you want this in -fixes, then I think hand-roll it. But devm_ for drm objects really is the wrong fix. -Daniel
-Paul
Fixes: c369cb27c267 ("drm/ingenic: Support multiple panels/bridges") Cc: stable@vger.kernel.org # 5.8+ Signed-off-by: Paul Cercueil paul@crapouillou.net
drivers/gpu/drm/ingenic/ingenic-drm-drv.c | 10 ++++++++++ 1 file changed, 10 insertions(+)
diff --git a/drivers/gpu/drm/ingenic/ingenic-drm-drv.c b/drivers/gpu/drm/ingenic/ingenic-drm-drv.c index 368bfef8b340..d23a3292a0e0 100644 --- a/drivers/gpu/drm/ingenic/ingenic-drm-drv.c +++ b/drivers/gpu/drm/ingenic/ingenic-drm-drv.c @@ -803,6 +803,11 @@ static void __maybe_unused ingenic_drm_release_rmem(void *d) of_reserved_mem_device_release(d); }
+static void ingenic_drm_encoder_cleanup(void *encoder) +{
- drm_encoder_cleanup(encoder);
+}
static int ingenic_drm_bind(struct device *dev, bool has_components) { struct platform_device *pdev = to_platform_device(dev); @@ -1011,6 +1016,11 @@ static int ingenic_drm_bind(struct device *dev, bool has_components) return ret; }
ret = devm_add_action_or_reset(dev, ingenic_drm_encoder_cleanup,encoder);if (ret)return ret;- ret = drm_bridge_attach(encoder, bridge, NULL, 0); if (ret) { dev_err(dev, "Unable to attach bridge\n");
-- Regards,
Laurent Pinchart
linux-stable-mirror@lists.linaro.org
-
Daniel Vetter -
Laurent Pinchart -
Paul Cercueil