The logicvc driver calls drm_universal_plane_init(),
drm_crtc_init_with_planes(), and drm_encoder_alloc(). These functions
should not be called with structs allocated with devm_kzalloc(), as this
can lead to use-after-free bugs. In fact, a use-after-free caused by this
has been observed on a v6.6 kernel.
Use DRM-managed allocations instead for panel, CRTC and encoder objects.
Found using KASAN.
Fixes: efeeaefe9be56 ("drm: Add support for the LogiCVC display controller")
Cc: [email protected]
Signed-off-by: Romain Gantois <[email protected]>
---
drivers/gpu/drm/logicvc/logicvc_crtc.c | 17 ++---
drivers/gpu/drm/logicvc/logicvc_interface.c | 49 +++++--------
drivers/gpu/drm/logicvc/logicvc_layer.c | 105 +++++++++++++---------------
3 files changed, 75 insertions(+), 96 deletions(-)
diff --git a/drivers/gpu/drm/logicvc/logicvc_crtc.c
b/drivers/gpu/drm/logicvc/logicvc_crtc.c
index 43a675d03808f..3a4c347eaa648 100644
--- a/drivers/gpu/drm/logicvc/logicvc_crtc.c
+++ b/drivers/gpu/drm/logicvc/logicvc_crtc.c
@@ -13,6 +13,7 @@
#include <drm/drm_crtc.h>
#include <drm/drm_drv.h>
#include <drm/drm_gem_dma_helper.h>
+#include <drm/drm_managed.h>
#include <drm/drm_print.h>
#include <drm/drm_vblank.h>
@@ -214,7 +215,6 @@ static void logicvc_crtc_disable_vblank(struct drm_crtc
*drm_crtc)
static const struct drm_crtc_funcs logicvc_crtc_funcs = {
.reset = drm_atomic_helper_crtc_reset,
- .destroy = drm_crtc_cleanup,
.set_config = drm_atomic_helper_set_config,
.page_flip = drm_atomic_helper_page_flip,
.atomic_duplicate_state = drm_atomic_helper_crtc_duplicate_state,
@@ -250,11 +250,6 @@ int logicvc_crtc_init(struct logicvc_drm *logicvc)
struct device_node *of_node = dev->of_node;
struct logicvc_crtc *crtc;
struct logicvc_layer *layer_primary;
- int ret;
-
- crtc = devm_kzalloc(dev, sizeof(*crtc), GFP_KERNEL);
- if (!crtc)
- return -ENOMEM;
layer_primary = logicvc_layer_get_primary(logicvc);
if (!layer_primary) {
@@ -262,12 +257,12 @@ int logicvc_crtc_init(struct logicvc_drm *logicvc)
return -EINVAL;
}
- ret = drm_crtc_init_with_planes(drm_dev, &crtc->drm_crtc,
- &layer_primary->drm_plane, NULL,
- &logicvc_crtc_funcs, NULL);
- if (ret) {
+ crtc = drmm_crtc_alloc_with_planes(drm_dev, struct logicvc_crtc,
+ drm_crtc, &layer_primary->drm_plane,
+ NULL, &logicvc_crtc_funcs, NULL);
+ if (IS_ERR(crtc)) {
drm_err(drm_dev, "Failed to initialize CRTC\n");
- return ret;
+ return PTR_ERR(crtc);
}
drm_crtc_helper_add(&crtc->drm_crtc, &logicvc_crtc_helper_funcs);
diff --git a/drivers/gpu/drm/logicvc/logicvc_interface.c
b/drivers/gpu/drm/logicvc/logicvc_interface.c
index 689049d395c0d..0d037f37b950f 100644
--- a/drivers/gpu/drm/logicvc/logicvc_interface.c
+++ b/drivers/gpu/drm/logicvc/logicvc_interface.c
@@ -12,6 +12,7 @@
#include <drm/drm_drv.h>
#include <drm/drm_encoder.h>
#include <drm/drm_gem_dma_helper.h>
+#include <drm/drm_managed.h>
#include <drm/drm_modeset_helper_vtables.h>
#include <drm/drm_of.h>
#include <drm/drm_panel.h>
@@ -60,10 +61,6 @@ static const struct drm_encoder_helper_funcs
logicvc_encoder_helper_funcs = {
.disable = logicvc_encoder_disable,
};
-static const struct drm_encoder_funcs logicvc_encoder_funcs = {
- .destroy = drm_encoder_cleanup,
-};
-
static int logicvc_connector_get_modes(struct drm_connector *drm_connector)
{
struct logicvc_interface *interface =
@@ -84,7 +81,6 @@ static const struct drm_connector_helper_funcs
logicvc_connector_helper_funcs =
static const struct drm_connector_funcs logicvc_connector_funcs = {
.reset = drm_atomic_helper_connector_reset,
.fill_modes = drm_helper_probe_single_connector_modes,
- .destroy = drm_connector_cleanup,
.atomic_duplicate_state = drm_atomic_helper_connector_duplicate_state,
.atomic_destroy_state = drm_atomic_helper_connector_destroy_state,
};
@@ -147,36 +143,35 @@ int logicvc_interface_init(struct logicvc_drm *logicvc)
int encoder_type = logicvc_interface_encoder_type(logicvc);
int connector_type = logicvc_interface_connector_type(logicvc);
bool native_connector = logicvc_interface_native_connector(logicvc);
+ struct drm_bridge *bridge;
+ struct drm_panel *panel;
int ret;
- interface = devm_kzalloc(dev, sizeof(*interface), GFP_KERNEL);
- if (!interface) {
- ret = -ENOMEM;
- goto error_early;
- }
-
- ret = drm_of_find_panel_or_bridge(of_node, 0, 0, &interface->drm_panel,
- &interface->drm_bridge);
+ ret = drm_of_find_panel_or_bridge(of_node, 0, 0, &panel,
+ &bridge);
if (ret == -EPROBE_DEFER)
- goto error_early;
+ return ret;
- ret = drm_encoder_init(drm_dev, &interface->drm_encoder,
- &logicvc_encoder_funcs, encoder_type, NULL);
- if (ret) {
+ interface = drmm_encoder_alloc(drm_dev, struct logicvc_interface,
drm_encoder,
+ NULL, encoder_type, NULL);
+ if (IS_ERR(interface)) {
drm_err(drm_dev, "Failed to initialize encoder\n");
- goto error_early;
+ return PTR_ERR(interface);
}
+ interface->drm_panel = panel;
+ interface->drm_bridge = bridge;
+
drm_encoder_helper_add(&interface->drm_encoder,
&logicvc_encoder_helper_funcs);
if (native_connector || interface->drm_panel) {
- ret = drm_connector_init(drm_dev, &interface->drm_connector,
- &logicvc_connector_funcs,
- connector_type);
+ ret = drmm_connector_init(drm_dev, &interface->drm_connector,
+ &logicvc_connector_funcs,
+ connector_type, NULL);
if (ret) {
drm_err(drm_dev, "Failed to initialize connector\n");
- goto error_encoder;
+ return ret;
}
drm_connector_helper_add(&interface->drm_connector,
@@ -187,7 +182,7 @@ int logicvc_interface_init(struct logicvc_drm *logicvc)
if (ret) {
drm_err(drm_dev,
"Failed to attach connector to encoder\n");
- goto error_encoder;
+ return ret;
}
}
@@ -197,17 +192,11 @@ int logicvc_interface_init(struct logicvc_drm *logicvc)
if (ret) {
drm_err(drm_dev,
"Failed to attach bridge to encoder\n");
- goto error_encoder;
+ return ret;
}
}
logicvc->interface = interface;
return 0;
-
-error_encoder:
- drm_encoder_cleanup(&interface->drm_encoder);
-
-error_early:
- return ret;
}
diff --git a/drivers/gpu/drm/logicvc/logicvc_layer.c
b/drivers/gpu/drm/logicvc/logicvc_layer.c
index eab4d773f92b6..de1f4a8a61557 100644
--- a/drivers/gpu/drm/logicvc/logicvc_layer.c
+++ b/drivers/gpu/drm/logicvc/logicvc_layer.c
@@ -13,6 +13,7 @@
#include <drm/drm_fb_dma_helper.h>
#include <drm/drm_fourcc.h>
#include <drm/drm_framebuffer.h>
+#include <drm/drm_managed.h>
#include <drm/drm_plane.h>
#include <drm/drm_print.h>
@@ -250,7 +251,6 @@ static struct drm_plane_helper_funcs
logicvc_plane_helper_funcs = {
static const struct drm_plane_funcs logicvc_plane_funcs = {
.update_plane = drm_atomic_helper_update_plane,
.disable_plane = drm_atomic_helper_disable_plane,
- .destroy = drm_plane_cleanup,
.reset = drm_atomic_helper_plane_reset,
.atomic_duplicate_state = drm_atomic_helper_plane_duplicate_state,
.atomic_destroy_state = drm_atomic_helper_plane_destroy_state,
@@ -350,16 +350,17 @@ int logicvc_layer_buffer_find_setup(struct logicvc_drm
*logicvc,
return 0;
}
-static struct logicvc_layer_formats *logicvc_layer_formats_lookup(struct
logicvc_layer *layer)
+static struct logicvc_layer_formats *
+logicvc_layer_formats_lookup(struct logicvc_layer_config *config)
{
bool alpha;
unsigned int i = 0;
- alpha = (layer->config.alpha_mode == LOGICVC_LAYER_ALPHA_PIXEL);
+ alpha = (config->alpha_mode == LOGICVC_LAYER_ALPHA_PIXEL);
while (logicvc_layer_formats[i].formats) {
- if (logicvc_layer_formats[i].colorspace ==
layer->config.colorspace &&
- logicvc_layer_formats[i].depth == layer->config.depth &&
+ if (logicvc_layer_formats[i].colorspace == config->colorspace &&
+ logicvc_layer_formats[i].depth == config->depth &&
logicvc_layer_formats[i].alpha == alpha)
return &logicvc_layer_formats[i];
@@ -380,10 +381,9 @@ static unsigned int logicvc_layer_formats_count(struct
logicvc_layer_formats *fo
}
static int logicvc_layer_config_parse(struct logicvc_drm *logicvc,
- struct logicvc_layer *layer)
+ struct device_node *of_node,
+ struct logicvc_layer_config *config)
{
- struct device_node *of_node = layer->of_node;
- struct logicvc_layer_config *config = &layer->config;
int ret;
logicvc_of_property_parse_bool(of_node,
@@ -458,11 +458,30 @@ struct logicvc_layer *logicvc_layer_get_primary(struct
logicvc_drm *logicvc)
return logicvc_layer_get_from_type(logicvc, DRM_PLANE_TYPE_PRIMARY);
}
+static void logicvc_layer_set_config(struct logicvc_layer *layer,
+ struct logicvc_layer_config *config)
+{
+ layer->config.colorspace = config->colorspace;
+ layer->config.depth = config->depth;
+ layer->config.alpha_mode = config->alpha_mode;
+ layer->config.base_offset = config->base_offset;
+ layer->config.buffer_offset = config->buffer_offset;
+ layer->config.primary = config->primary;
+}
+
+static void logicvc_layer_fini(struct drm_device *drm_dev,
+ void *data)
+{
+ struct logicvc_layer *layer = data;
+
+ list_del(&layer->list);
+}
+
static int logicvc_layer_init(struct logicvc_drm *logicvc,
struct device_node *of_node, u32 index)
{
struct drm_device *drm_dev = &logicvc->drm_dev;
- struct device *dev = drm_dev->dev;
+ struct logicvc_layer_config config = { 0 };
struct logicvc_layer *layer = NULL;
struct logicvc_layer_formats *formats;
unsigned int formats_count;
@@ -470,28 +489,18 @@ static int logicvc_layer_init(struct logicvc_drm *logicvc,
unsigned int zpos;
int ret;
- layer = devm_kzalloc(dev, sizeof(*layer), GFP_KERNEL);
- if (!layer) {
- ret = -ENOMEM;
- goto error;
- }
-
- layer->of_node = of_node;
- layer->index = index;
-
- ret = logicvc_layer_config_parse(logicvc, layer);
+ ret = logicvc_layer_config_parse(logicvc, of_node, &config);
if (ret) {
drm_err(drm_dev, "Failed to parse config for layer #%d\n",
index);
- goto error;
+ return ret;
}
- formats = logicvc_layer_formats_lookup(layer);
+ formats = logicvc_layer_formats_lookup(&config);
if (!formats) {
drm_err(drm_dev, "Failed to lookup formats for layer #%d\n",
index);
- ret = -EINVAL;
- goto error;
+ return -EINVAL;
}
formats_count = logicvc_layer_formats_count(formats);
@@ -511,24 +520,27 @@ static int logicvc_layer_init(struct logicvc_drm *logicvc,
regmap_write(logicvc->regmap, LOGICVC_BACKGROUND_COLOR_REG,
background);
- devm_kfree(dev, layer);
-
return 0;
}
- if (layer->config.primary)
+ if (config.primary)
type = DRM_PLANE_TYPE_PRIMARY;
else
type = DRM_PLANE_TYPE_OVERLAY;
- ret = drm_universal_plane_init(drm_dev, &layer->drm_plane, 0,
- &logicvc_plane_funcs, formats->formats,
- formats_count, NULL, type, NULL);
- if (ret) {
+ layer = drmm_universal_plane_alloc(drm_dev, struct logicvc_layer,
+ drm_plane, 0, &logicvc_plane_funcs,
+ formats->formats, formats_count,
+ NULL, type, NULL);
+ if (IS_ERR(layer)) {
drm_err(drm_dev, "Failed to initialize layer plane\n");
- return ret;
+ return PTR_ERR(layer);
}
+ layer->of_node = of_node;
+ layer->index = index;
+ logicvc_layer_set_config(layer, &config);
+
drm_plane_helper_add(&layer->drm_plane, &logicvc_plane_helper_funcs);
zpos = logicvc->config.layers_count - index - 1;
@@ -545,22 +557,13 @@ static int logicvc_layer_init(struct logicvc_drm *logicvc,
list_add_tail(&layer->list, &logicvc->layers_list);
- return 0;
-
-error:
- if (layer)
- devm_kfree(dev, layer);
-
- return ret;
-}
+ ret = drmm_add_action_or_reset(drm_dev, logicvc_layer_fini,
+ layer);
+ if (ret)
+ return ret;
-static void logicvc_layer_fini(struct logicvc_drm *logicvc,
- struct logicvc_layer *layer)
-{
- struct device *dev = logicvc->drm_dev.dev;
- list_del(&layer->list);
- devm_kfree(dev, layer);
+ return 0;
}
void logicvc_layers_attach_crtc(struct logicvc_drm *logicvc)
@@ -584,14 +587,12 @@ int logicvc_layers_init(struct logicvc_drm *logicvc)
struct device_node *layer_node = NULL;
struct device_node *layers_node;
struct logicvc_layer *layer;
- struct logicvc_layer *next;
int ret = 0;
layers_node = of_get_child_by_name(of_node, "layers");
if (!layers_node) {
drm_err(drm_dev, "No layers node found in the description\n");
- ret = -ENODEV;
- goto error;
+ return -ENODEV;
}
for_each_child_of_node(layers_node, layer_node) {
@@ -614,17 +615,11 @@ int logicvc_layers_init(struct logicvc_drm *logicvc)
ret = logicvc_layer_init(logicvc, layer_node, index);
if (ret) {
of_node_put(layers_node);
- goto error;
+ return ret;
}
}
of_node_put(layers_node);
return 0;
-
-error:
- list_for_each_entry_safe(layer, next, &logicvc->layers_list, list)
- logicvc_layer_fini(logicvc, layer);
-
- return ret;
}
---
base-commit: 44e151be23deb788d9f6124de93823faf6e04e99
change-id: 20260526-logicvc-uaf-eab103f0d0de
Best regards,
--
Romain Gantois <[email protected]>
