From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Ziqi Zhao, syzbot+4fad2e57beb6397ab2fc@syzkaller.appspotmail.com, Harshit Mogalapalli, Maxime Ripard, Sasha Levin, maarten.lankhorst@linux.intel.com, tzimmermann@suse.de, airlied@gmail.com, daniel@ffwll.ch, dri-devel@lists.freedesktop.org
Subject: [PATCH AUTOSEL 4.14 3/6] drm/crtc: Fix uninit-value bug in drm_mode_setcrtc
Date: Mon, 18 Dec 2023 07:47:20 -0500
Message-ID: <20231218124725.1382738-3-sashal@kernel.org>
In-Reply-To: <20231218124725.1382738-1-sashal@kernel.org>
References: <20231218124725.1382738-1-sashal@kernel.org>
X-stable: review
X-stable-base: Linux 4.14.333

From: Ziqi Zhao

[ Upstream commit 3823119b9c2b5f9e9b760336f75bc989b805cde6 ]

The connector_set contains uninitialized values when allocated with
kmalloc_array. However, in the "out" branch, the logic assumes that any
element in connector_set would be equal to NULL if it failed to initialize,
which causes the bug reported by Syzbot.

The fix is to use an extra variable to keep track of how many connectors
are initialized indeed, and use that variable to decrease any refcounts
in the "out" branch.

Reported-by: syzbot+4fad2e57beb6397ab2fc@syzkaller.appspotmail.com
Signed-off-by: Ziqi Zhao Reported-and-tested-by: syzbot+4fad2e57beb6397ab2fc@syzkaller.appspotmail.com Tested-by: Harshit Mogalapalli Link: https://lore.kernel.org/r/20230721161446.8602-1-astrajoan@yahoo.com Signed-off-by: Maxime Ripard Signed-off-by: Sasha Levin --- drivers/gpu/drm/drm_crtc.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/drivers/gpu/drm/drm_crtc.c b/drivers/gpu/drm/drm_crtc.c index 5af25ce5bf7c2..5ae3adfbc5e80 100644 --- a/drivers/gpu/drm/drm_crtc.c +++ b/drivers/gpu/drm/drm_crtc.c @@ -556,8 +556,7 @@ int drm_mode_setcrtc(struct drm_device *dev, void *data, struct drm_mode_set set; uint32_t __user *set_connectors_ptr; struct drm_modeset_acquire_ctx ctx; - int ret; - int i; + int ret, i, num_connectors; if (!drm_core_check_feature(dev, DRIVER_MODESET)) return -EINVAL; @@ -672,6 +671,7 @@ int drm_mode_setcrtc(struct drm_device *dev, void *data, goto out; } + num_connectors = 0; for (i = 0; i < crtc_req->count_connectors; i++) { connector_set[i] = NULL; set_connectors_ptr = (uint32_t __user *)(unsigned long)crtc_req->set_connectors_ptr; @@ -692,6 +692,7 @@ int drm_mode_setcrtc(struct drm_device *dev, void *data, connector->name); connector_set[i] = connector; + num_connectors++; } } @@ -700,7 +701,7 @@ int drm_mode_setcrtc(struct drm_device *dev, void *data, set.y = crtc_req->y; set.mode = mode; set.connectors = connector_set; - set.num_connectors = crtc_req->count_connectors; + set.num_connectors = num_connectors; set.fb = fb; ret = __drm_mode_set_config_internal(&set, &ctx); @@ -709,7 +710,7 @@ int drm_mode_setcrtc(struct drm_device *dev, void *data, drm_framebuffer_put(fb); if (connector_set) { - for (i = 0; i < crtc_req->count_connectors; i++) { + for (i = 0; i < num_connectors; i++) { if (connector_set[i]) drm_connector_put(connector_set[i]); } -- 2.43.0
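Review bot: in the first hunk `num_connectors` is declared without an initializer (`int ret, i, num_connectors;`) and is only zeroed in the second hunk, directly before the lookup loop, so the `goto out` visible in the context lines just above that assignment (and any earlier one) reaches the cleanup with the variable indeterminate. That is safe today only because those paths leave `connector_set` NULL and the cleanup loop sits under `if (connector_set)`, an invariant that is non-local and that a compiler's maybe-uninitialized analysis cannot see. Initialize at the declaration instead, `int ret, i, num_connectors = 0;`, and drop the separate `num_connectors = 0;` line, so the cleanup is correct on every path without relying on the guard.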
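Review bot: the increment in the third hunk is placed immediately after `connector_set[i] = connector;`, i.e. only once the lookup has succeeded and the slot holds a referenced connector, so `num_connectors` is exactly the number of references the "out" path must drop. The cleanup's correctness depends on that ordering, so a one-line comment at the increment (for example `/* one reference held per counted slot */`) would stop a later edit from moving it above the lookup or into the loop header.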
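Review bot: the `set.num_connectors = num_connectors;` change in the fourth hunk is functionally a no-op: any lookup failure jumps to `out` from inside the loop, so by the time this line runs every requested connector has been looked up and `num_connectors == crtc_req->count_connectors`. It is still the right value to use, but a short note in the commit message that only the cleanup path changes behaviour would make the stable backport easier to judge.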
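Review bot: with the loop bound changed to `num_connectors` in the last hunk, the `if (connector_set[i])` test inside the loop is now dead: every index below `num_connectors` was assigned a non-NULL connector before the counter was bumped, and the slot at the failure index (which the lookup loop sets to NULL) is index `num_connectors` and is no longer visited. Either drop the check or keep it with a comment marking it as defensive, so readers do not infer that NULL entries are still expected inside the counted range.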
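As an added example that is not part of the patch or of the kernel tree, the following user-space C program models the bug the commit message describes: a pointer array allocated without initialization, a lookup loop that can fail part way through, and a cleanup path that walks either the full requested count (the pre-fix logic) or only the slots that actually hold a reference (the patched logic). The names `connector_lookup`, `connector_put`, `setcrtc_model`, `run_request` and `scenario_*`, the fixed table of eight connectors, the rule that odd ids do not exist, and the 0x6b poison used to stand in for uninitialized kmalloc_array() memory are all constructed for this example; the real drm_connector_put() would dereference whatever pointer it is handed, whereas here a bad put is counted instead of crashing.

```c
/*
 * Added example (not from the patch or the kernel): a user-space model of the
 * partially-initialised-array cleanup bug fixed in drm_mode_setcrtc().
 * Connectors are refcounted entries in a fixed table; connector_lookup()
 * fails for odd ids (constructed rule). The pre-fix cleanup walks the full
 * requested count and so calls put() on slots that were never written; the
 * fixed cleanup walks only the slots that hold a reference.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NUM_CONNECTORS 8

struct connector {
	unsigned id;
	int refcount;
};

static struct connector connectors[NUM_CONNECTORS];
static int bad_puts;	/* put() calls on memory that never held a reference */

/* True only for a pointer into the table whose entry holds a reference. */
static int is_live_connector(const struct connector *c)
{
	uintptr_t p = (uintptr_t)c, lo = (uintptr_t)connectors;
	uintptr_t hi = (uintptr_t)(connectors + NUM_CONNECTORS);

	return p >= lo && p < hi && (p - lo) % sizeof(*c) == 0 && c->refcount > 0;
}

/* Takes a reference on an existing connector, or returns NULL for a bad id. */
static struct connector *connector_lookup(unsigned id)
{
	if (id >= NUM_CONNECTORS || (id & 1))	/* constructed rule: odd ids do not exist */
		return NULL;
	connectors[id].id = id;
	connectors[id].refcount++;
	return &connectors[id];
}

static void connector_put(struct connector *c)
{
	if (!is_live_connector(c)) {
		bad_puts++;	/* the kernel would dereference garbage here */
		return;
	}
	c->refcount--;
}

/*
 * Models the ioctl body. use_count == 0 mirrors the pre-fix cleanup (loop
 * bound = requested count); use_count == 1 mirrors the patch (loop bound =
 * number of connectors actually looked up).
 */
static int setcrtc_model(const unsigned *ids, int count, int use_count)
{
	struct connector **connector_set;
	int ret = 0, i, num_connectors = 0;

	connector_set = malloc(count * sizeof(*connector_set));
	if (!connector_set)
		return -ENOMEM;
	/* malloc() often hands back zeroed pages; poison the array so it
	 * behaves like uninitialised kmalloc_array() memory */
	memset(connector_set, 0x6b, count * sizeof(*connector_set));

	for (i = 0; i < count; i++) {
		connector_set[i] = NULL;	/* in the kernel a copy_from_user() sits here too */
		connector_set[i] = connector_lookup(ids[i]);
		if (!connector_set[i]) {
			ret = -ENOENT;
			goto out;
		}
		num_connectors++;	/* one reference held per counted slot */
	}
out:
	for (i = 0; i < (use_count ? num_connectors : count); i++) {
		if (connector_set[i])
			connector_put(connector_set[i]);
	}
	free(connector_set);
	return ret;
}

/* Runs one request; returns the number of bad puts, or -1 if a reference leaked. */
static int run_request(const unsigned *ids, int count, int use_count)
{
	int i;

	bad_puts = 0;
	memset(connectors, 0, sizeof(connectors));
	(void)setcrtc_model(ids, count, use_count);
	for (i = 0; i < NUM_CONNECTORS; i++)
		if (connectors[i].refcount != 0)
			return -1;
	return bad_puts;
}

/* Constructed request whose third connector id does not exist. */
int scenario_partial_failure(int use_count)
{
	static const unsigned ids[] = { 0, 2, 3, 4 };
	return run_request(ids, 4, use_count);
}

/* Constructed request where every connector id exists. */
int scenario_success(int use_count)
{
	static const unsigned ids[] = { 0, 2, 4, 6 };
	return run_request(ids, 4, use_count);
}

int main(void)
{
	printf("partial failure, pre-fix cleanup: %d bad put(s)\n", scenario_partial_failure(0));
	printf("partial failure, fixed cleanup:   %d bad put(s)\n", scenario_partial_failure(1));
	printf("all lookups succeed, pre-fix:     %d bad put(s)\n", scenario_success(0));
	printf("all lookups succeed, fixed:       %d bad put(s)\n", scenario_success(1));
	return 0;
}
```

With the partial-failure request the pre-fix cleanup reports one bad put (the poisoned slot after the failure index is non-NULL and gets passed to put), while the fixed cleanup reports none and leaks nothing; when every lookup succeeds both variants behave identically, which is why the bug only surfaces on the error path syzbot exercised. Build with `cc -Wall example.c` and run the binary; no kernel or DRM device is needed.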