Date: Fri, 6 Oct 2023 17:58:35 +0300
From: Fedor Pchelkin
To: David Airlie, Daniel Vetter, Dave Airlie
Cc: Maarten Lankhorst, Maxime Ripard, Thomas Zimmermann, Daniel Stone, dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org, Alexey Khoroshilov, lvc-project@linuxtesting.org
Subject: Re: [PATCH] drm/crtc: do not release uninitialized connector reference
Message-ID: <3rrycldn3ssrqqyiowv3ariqigfonddps6d34zjquzar6fahtc@ozy6jqnaiq3c>
References: <20230721101600.4392-1-pchelkin@ispras.ru>
In-Reply-To: <20230721101600.4392-1-pchelkin@ispras.ru>

On 23/07/21 01:15PM, Fedor Pchelkin wrote:
> Inside drm_mode_setcrtc() connector_set is allocated using kmalloc_array()
> so its values are uninitialized. When filling this array with actual
> pointers to drm connector objects, an error caused with invalid ioctl
> request data may occur leading us to put references to already taken
> objects. However, the last elements of the array are left uninitialized
> which makes drm_connector_put() be called with an invalid argument.
>
> We can obviously just initialize the array with kcalloc() but the current
> fix chose a slightly different way.
>
> The index of the failing array element is known so just put references to the
> array members with lower indices.
>
> The temporary 'connector' pointer seems to be redundant as we can directly
> fill the connector_set elements and thus avoid unnecessary NULL
> assignments and checks.
>
> Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
>
> Fixes: b164d31f50b2 ("drm/modes: add connector reference counting. (v2)")
> Signed-off-by: Fedor Pchelkin

I'm sorry for bothering everyone with this issue, but the status of the patch here [1] is still 'New', and I have no means to deduce whether the subsystem maintainers didn't have time to review (it is totally understandable as the amount of patches is enormous) or the patch was missed somehow.

[1]: https://patchwork.kernel.org/project/dri-devel/patch/20230721101600.4392-1-pchelkin@ispras.ru/
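The error-path pattern the quoted commit message describes (release only the references taken before the failing index, never the uninitialized tail of a kmalloc_array()'d buffer) can be modelled outside the kernel. The following is an added user-space example, not the patch itself and not DRM code: struct fake_connector, fake_lookup() and fake_put() are hypothetical stand-ins for the kernel's reference-counted connector object, drm_connector_lookup() and drm_connector_put(), and the connector ids are constructed input standing in for the untrusted ioctl request data.

```c
#include <stddef.h>
#include <stdlib.h>

#define POOL_SIZE 4

/* Hypothetical stand-in for the kernel's reference-counted struct drm_connector. */
struct fake_connector {
	int refcount;
};

static struct fake_connector pool[POOL_SIZE];

/* Reset every refcount to zero (a fresh system state for the model). */
void reset_pool(void)
{
	for (size_t i = 0; i < POOL_SIZE; i++)
		pool[i].refcount = 0;
}

/* Sum of references currently held; zero means every taken ref was put back. */
int total_refcount(void)
{
	int sum = 0;
	for (size_t i = 0; i < POOL_SIZE; i++)
		sum += pool[i].refcount;
	return sum;
}

/* Models drm_connector_lookup(): invalid id -> NULL, valid id -> object with one more ref. */
static struct fake_connector *fake_lookup(unsigned int id)
{
	if (id >= POOL_SIZE)
		return NULL;
	pool[id].refcount++;
	return &pool[id];
}

/* Models drm_connector_put(): drop one reference. */
static void fake_put(struct fake_connector *c)
{
	c->refcount--;
}

/*
 * Fill 'set' from caller-supplied ids (the untrusted request data in the real
 * driver). 'set' is an uninitialized buffer, as kmalloc_array() returns in the
 * kernel, so elements at and past the failing index hold garbage. On error,
 * release exactly the references taken so far (indices below i); a cleanup
 * loop running to 'count' would hand garbage pointers to fake_put().
 * Returns 0 on success (caller owns one ref per element) or -1 on failure.
 */
int fill_connector_set(const unsigned int *ids, size_t count,
		       struct fake_connector **set)
{
	for (size_t i = 0; i < count; i++) {
		set[i] = fake_lookup(ids[i]);
		if (!set[i]) {
			for (size_t j = 0; j < i; j++)
				fake_put(set[j]);
			return -1;
		}
	}
	return 0;
}

/* Drop the references of a successfully filled set. */
void release_connector_set(struct fake_connector **set, size_t count)
{
	for (size_t i = 0; i < count; i++)
		fake_put(set[i]);
}

int main(void)
{
	unsigned int bad_ids[] = { 0, 1, 99 }; /* constructed: the last id is invalid */
	struct fake_connector **set = malloc(sizeof(*set) * 3);
	if (!set)
		return 1;
	reset_pool();
	int rc = fill_connector_set(bad_ids, 3, set);
	free(set);
	/* Exit status 0 when the failure path leaked nothing. */
	return (rc == -1 && total_refcount() == 0) ? 0 : 1;
}
```

The check that matters for a reviewer is the one total_refcount() makes explicit: after a failed fill, the refcount of every object that was looked up must be back to its starting value, and no object that was never looked up may be touched. Running the model under a sanitizer (or the kernel equivalent under KASAN, as Syzkaller does) is what turns a cleanup loop that reads past the filled prefix from a silent bug into a reported one.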