From nobody Mon Jun 8 06:38:15 2026 Received: from smtpout-02.galae.net (smtpout-02.galae.net [185.246.84.56]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 4700B380FD1 for ; Mon, 1 Jun 2026 06:52:53 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=185.246.84.56 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780296777; cv=none; b=d0E1ZaRu4rmWhu6oLl7ljUZC0qXQjSE07LYSE1O85Knh6Ti/2PcF4ytyq9VVScreGCT0TyRAiA7PO1LnpgvR8CJtFLQIx0stVMXWqZPukQNVOmTcR8rl2cE1rbunM8W2fwfrb8H7y+VVGSYgkkpLny/A5HNASYRqA37DdnMHcDA= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780296777; c=relaxed/simple; bh=yFmVN3bgLtBmalKgw37FKNLIyAtzGS90x5MIiBm1dPs=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:To:Cc; b=ER7Jd2uBu7KJvYVG/p9qb0Gkaoaq3DtyvQWn9N7RbHwPYnOSc3OrX+0ZeDKm71iIJgyYsKYWUsI3azd8T34DOkExt58PKNCKf7S5pyNtIikAZjg6Edn1DinXFVH7rRdcESxcaASjbWKoKUflaDMOjcJX/JBGgzBnTwK6XdqH1zE= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=bootlin.com; spf=pass smtp.mailfrom=bootlin.com; dkim=pass (2048-bit key) header.d=bootlin.com header.i=@bootlin.com header.b=fn0X4+pP; arc=none smtp.client-ip=185.246.84.56 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=bootlin.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=bootlin.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=bootlin.com header.i=@bootlin.com header.b="fn0X4+pP" Received: from smtpout-01.galae.net (smtpout-01.galae.net [212.83.139.233]) by smtpout-02.galae.net (Postfix) with ESMTPS id BF6FD1A378F; Mon, 1 Jun 2026 06:52:51 +0000 (UTC) Received: from mail.galae.net (mail.galae.net [212.83.136.155]) by smtpout-01.galae.net (Postfix) with ESMTPS id 9127C602AB; Mon, 1 Jun 2026 06:52:51 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) by localhost (Mailerdaemon) with ESMTPSA id 49D3910888CCD; Mon, 1 Jun 2026 08:52:48 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bootlin.com; s=dkim; t=1780296770; h=from:subject:date:message-id:to:cc:mime-version:content-type: content-transfer-encoding; bh=oJLELg61HGfPf14QsgfwoLBF1BU6+4ipnY2RieFlxq4=; b=fn0X4+pP2kYtkKoHre/h/NGL2cMFVLfsG4lapEV5/5q0ZAiJ9a2jLEykk/2hrmMf55V6Zt Vvsjgp2e2S4SeK1k50sukmbs6H3tPYxKxSl1xgt8a3Q1olSCJCLxt7r7F9dtIfEBHGjWvs QYEFqi/vpPUsm56KKssTVOtPyn1Fl7nRAciX/ygL2xjkPOiPluYoPF7m7J8h5Zf16WWGIE PteqAIAXwkglfESY/zRdEsZ8j+T8So3dmr/Ejghqqv+HIdKCgN3nCduLvuq8v6fL9p37ri N5hIt+rQbnMCbJ7froQiW6Ajg6jhKe02HBK88cyc1o0N/Axah8tvhEw3/aH6AQ== From: Romain Gantois Date: Mon, 01 Jun 2026 08:52:44 +0200 Subject: [PATCH] drm/logicvc: Avoid use-after-free with devm_kzalloc() Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260601-logicvc-uaf-v1-1-8c9ca5b3429c@bootlin.com> X-B4-Tracking: v=1; b=H4sIAAAAAAAC/yXMQQqAIBBA0avErBMmIxddJVqYjjURFloSRHfPa vkW/18QKTBFaIsLAiWOvPqMqizATNqPJNhmg0SpsJFKLOvIJhlxaCdIDxXWDi1aglxsgRyf363 rf8djmMns7wLu+wE1jBc+bwAAAA== X-Change-ID: 20260526-logicvc-uaf-eab103f0d0de To: Paul Kocialkowski , Maarten Lankhorst , Maxime Ripard , Thomas Zimmermann , David Airlie , Simona Vetter Cc: Thomas Petazzoni , Paul Kocialkowski , dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Romain Gantois X-Mailer: b4 0.15.2 X-Last-TLS-Session-Version: TLSv1.3 The logicvc driver calls drm_universal_plane_init(), drm_crtc_init_with_planes(), and drm_encoder_alloc(). These functions should not be called with structs allocated with devm_kzalloc(), as this can lead to use-after-free bugs. In fact, a use-after-free caused by this has been observed on a v6.6 kernel. Use DRM-managed allocations instead for panel, CRTC and encoder objects. Found using KASAN. Fixes: efeeaefe9be56 ("drm: Add support for the LogiCVC display controller") Cc: stable@vger.kernel.org Signed-off-by: Romain Gantois --- drivers/gpu/drm/logicvc/logicvc_crtc.c | 17 ++--- drivers/gpu/drm/logicvc/logicvc_interface.c | 49 +++++-------- drivers/gpu/drm/logicvc/logicvc_layer.c | 105 +++++++++++++-----------= ---- 3 files changed, 75 insertions(+), 96 deletions(-) diff --git a/drivers/gpu/drm/logicvc/logicvc_crtc.c b/drivers/gpu/drm/logic= vc/logicvc_crtc.c index 43a675d03808f..3a4c347eaa648 100644 --- a/drivers/gpu/drm/logicvc/logicvc_crtc.c +++ b/drivers/gpu/drm/logicvc/logicvc_crtc.c @@ -13,6 +13,7 @@ #include #include #include +#include #include #include =20 @@ -214,7 +215,6 @@ static void logicvc_crtc_disable_vblank(struct drm_crtc= *drm_crtc) =20 static const struct drm_crtc_funcs logicvc_crtc_funcs =3D { .reset =3D drm_atomic_helper_crtc_reset, - .destroy =3D drm_crtc_cleanup, .set_config =3D drm_atomic_helper_set_config, .page_flip =3D drm_atomic_helper_page_flip, .atomic_duplicate_state =3D drm_atomic_helper_crtc_duplicate_state, @@ -250,11 +250,6 @@ int logicvc_crtc_init(struct logicvc_drm *logicvc) struct device_node *of_node =3D dev->of_node; struct logicvc_crtc *crtc; struct logicvc_layer *layer_primary; - int ret; - - crtc =3D devm_kzalloc(dev, sizeof(*crtc), GFP_KERNEL); - if (!crtc) - return -ENOMEM; =20 layer_primary =3D logicvc_layer_get_primary(logicvc); if (!layer_primary) { @@ -262,12 +257,12 @@ int logicvc_crtc_init(struct logicvc_drm *logicvc) return -EINVAL; } =20 - ret =3D drm_crtc_init_with_planes(drm_dev, &crtc->drm_crtc, - &layer_primary->drm_plane, NULL, - &logicvc_crtc_funcs, NULL); - if (ret) { + crtc =3D drmm_crtc_alloc_with_planes(drm_dev, struct logicvc_crtc, + drm_crtc, &layer_primary->drm_plane, + NULL, &logicvc_crtc_funcs, NULL); + if (IS_ERR(crtc)) { drm_err(drm_dev, "Failed to initialize CRTC\n"); - return ret; + return PTR_ERR(crtc); } =20 drm_crtc_helper_add(&crtc->drm_crtc, &logicvc_crtc_helper_funcs); diff --git a/drivers/gpu/drm/logicvc/logicvc_interface.c b/drivers/gpu/drm/= logicvc/logicvc_interface.c index 689049d395c0d..0d037f37b950f 100644 --- a/drivers/gpu/drm/logicvc/logicvc_interface.c +++ b/drivers/gpu/drm/logicvc/logicvc_interface.c @@ -12,6 +12,7 @@ #include #include #include +#include #include #include #include @@ -60,10 +61,6 @@ static const struct drm_encoder_helper_funcs logicvc_enc= oder_helper_funcs =3D { .disable =3D logicvc_encoder_disable, }; =20 -static const struct drm_encoder_funcs logicvc_encoder_funcs =3D { - .destroy =3D drm_encoder_cleanup, -}; - static int logicvc_connector_get_modes(struct drm_connector *drm_connector) { struct logicvc_interface *interface =3D @@ -84,7 +81,6 @@ static const struct drm_connector_helper_funcs logicvc_co= nnector_helper_funcs =3D static const struct drm_connector_funcs logicvc_connector_funcs =3D { .reset =3D drm_atomic_helper_connector_reset, .fill_modes =3D drm_helper_probe_single_connector_modes, - .destroy =3D drm_connector_cleanup, .atomic_duplicate_state =3D drm_atomic_helper_connector_duplicate_state, .atomic_destroy_state =3D drm_atomic_helper_connector_destroy_state, }; @@ -147,36 +143,35 @@ int logicvc_interface_init(struct logicvc_drm *logicv= c) int encoder_type =3D logicvc_interface_encoder_type(logicvc); int connector_type =3D logicvc_interface_connector_type(logicvc); bool native_connector =3D logicvc_interface_native_connector(logicvc); + struct drm_bridge *bridge; + struct drm_panel *panel; int ret; =20 - interface =3D devm_kzalloc(dev, sizeof(*interface), GFP_KERNEL); - if (!interface) { - ret =3D -ENOMEM; - goto error_early; - } - - ret =3D drm_of_find_panel_or_bridge(of_node, 0, 0, &interface->drm_panel, - &interface->drm_bridge); + ret =3D drm_of_find_panel_or_bridge(of_node, 0, 0, &panel, + &bridge); if (ret =3D=3D -EPROBE_DEFER) - goto error_early; + return ret; =20 - ret =3D drm_encoder_init(drm_dev, &interface->drm_encoder, - &logicvc_encoder_funcs, encoder_type, NULL); - if (ret) { + interface =3D drmm_encoder_alloc(drm_dev, struct logicvc_interface, drm_e= ncoder, + NULL, encoder_type, NULL); + if (IS_ERR(interface)) { drm_err(drm_dev, "Failed to initialize encoder\n"); - goto error_early; + return PTR_ERR(interface); } =20 + interface->drm_panel =3D panel; + interface->drm_bridge =3D bridge; + drm_encoder_helper_add(&interface->drm_encoder, &logicvc_encoder_helper_funcs); =20 if (native_connector || interface->drm_panel) { - ret =3D drm_connector_init(drm_dev, &interface->drm_connector, - &logicvc_connector_funcs, - connector_type); + ret =3D drmm_connector_init(drm_dev, &interface->drm_connector, + &logicvc_connector_funcs, + connector_type, NULL); if (ret) { drm_err(drm_dev, "Failed to initialize connector\n"); - goto error_encoder; + return ret; } =20 drm_connector_helper_add(&interface->drm_connector, @@ -187,7 +182,7 @@ int logicvc_interface_init(struct logicvc_drm *logicvc) if (ret) { drm_err(drm_dev, "Failed to attach connector to encoder\n"); - goto error_encoder; + return ret; } } =20 @@ -197,17 +192,11 @@ int logicvc_interface_init(struct logicvc_drm *logicv= c) if (ret) { drm_err(drm_dev, "Failed to attach bridge to encoder\n"); - goto error_encoder; + return ret; } } =20 logicvc->interface =3D interface; =20 return 0; - -error_encoder: - drm_encoder_cleanup(&interface->drm_encoder); - -error_early: - return ret; } diff --git a/drivers/gpu/drm/logicvc/logicvc_layer.c b/drivers/gpu/drm/logi= cvc/logicvc_layer.c index eab4d773f92b6..de1f4a8a61557 100644 --- a/drivers/gpu/drm/logicvc/logicvc_layer.c +++ b/drivers/gpu/drm/logicvc/logicvc_layer.c @@ -13,6 +13,7 @@ #include #include #include +#include #include #include =20 @@ -250,7 +251,6 @@ static struct drm_plane_helper_funcs logicvc_plane_help= er_funcs =3D { static const struct drm_plane_funcs logicvc_plane_funcs =3D { .update_plane =3D drm_atomic_helper_update_plane, .disable_plane =3D drm_atomic_helper_disable_plane, - .destroy =3D drm_plane_cleanup, .reset =3D drm_atomic_helper_plane_reset, .atomic_duplicate_state =3D drm_atomic_helper_plane_duplicate_state, .atomic_destroy_state =3D drm_atomic_helper_plane_destroy_state, @@ -350,16 +350,17 @@ int logicvc_layer_buffer_find_setup(struct logicvc_dr= m *logicvc, return 0; } =20 -static struct logicvc_layer_formats *logicvc_layer_formats_lookup(struct l= ogicvc_layer *layer) +static struct logicvc_layer_formats * +logicvc_layer_formats_lookup(struct logicvc_layer_config *config) { bool alpha; unsigned int i =3D 0; =20 - alpha =3D (layer->config.alpha_mode =3D=3D LOGICVC_LAYER_ALPHA_PIXEL); + alpha =3D (config->alpha_mode =3D=3D LOGICVC_LAYER_ALPHA_PIXEL); =20 while (logicvc_layer_formats[i].formats) { - if (logicvc_layer_formats[i].colorspace =3D=3D layer->config.colorspace = && - logicvc_layer_formats[i].depth =3D=3D layer->config.depth && + if (logicvc_layer_formats[i].colorspace =3D=3D config->colorspace && + logicvc_layer_formats[i].depth =3D=3D config->depth && logicvc_layer_formats[i].alpha =3D=3D alpha) return &logicvc_layer_formats[i]; =20 @@ -380,10 +381,9 @@ static unsigned int logicvc_layer_formats_count(struct= logicvc_layer_formats *fo } =20 static int logicvc_layer_config_parse(struct logicvc_drm *logicvc, - struct logicvc_layer *layer) + struct device_node *of_node, + struct logicvc_layer_config *config) { - struct device_node *of_node =3D layer->of_node; - struct logicvc_layer_config *config =3D &layer->config; int ret; =20 logicvc_of_property_parse_bool(of_node, @@ -458,11 +458,30 @@ struct logicvc_layer *logicvc_layer_get_primary(struc= t logicvc_drm *logicvc) return logicvc_layer_get_from_type(logicvc, DRM_PLANE_TYPE_PRIMARY); } =20 +static void logicvc_layer_set_config(struct logicvc_layer *layer, + struct logicvc_layer_config *config) +{ + layer->config.colorspace =3D config->colorspace; + layer->config.depth =3D config->depth; + layer->config.alpha_mode =3D config->alpha_mode; + layer->config.base_offset =3D config->base_offset; + layer->config.buffer_offset =3D config->buffer_offset; + layer->config.primary =3D config->primary; +} + +static void logicvc_layer_fini(struct drm_device *drm_dev, + void *data) +{ + struct logicvc_layer *layer =3D data; + + list_del(&layer->list); +} + static int logicvc_layer_init(struct logicvc_drm *logicvc, struct device_node *of_node, u32 index) { struct drm_device *drm_dev =3D &logicvc->drm_dev; - struct device *dev =3D drm_dev->dev; + struct logicvc_layer_config config =3D { 0 }; struct logicvc_layer *layer =3D NULL; struct logicvc_layer_formats *formats; unsigned int formats_count; @@ -470,28 +489,18 @@ static int logicvc_layer_init(struct logicvc_drm *log= icvc, unsigned int zpos; int ret; =20 - layer =3D devm_kzalloc(dev, sizeof(*layer), GFP_KERNEL); - if (!layer) { - ret =3D -ENOMEM; - goto error; - } - - layer->of_node =3D of_node; - layer->index =3D index; - - ret =3D logicvc_layer_config_parse(logicvc, layer); + ret =3D logicvc_layer_config_parse(logicvc, of_node, &config); if (ret) { drm_err(drm_dev, "Failed to parse config for layer #%d\n", index); - goto error; + return ret; } =20 - formats =3D logicvc_layer_formats_lookup(layer); + formats =3D logicvc_layer_formats_lookup(&config); if (!formats) { drm_err(drm_dev, "Failed to lookup formats for layer #%d\n", index); - ret =3D -EINVAL; - goto error; + return -EINVAL; } =20 formats_count =3D logicvc_layer_formats_count(formats); @@ -511,24 +520,27 @@ static int logicvc_layer_init(struct logicvc_drm *log= icvc, regmap_write(logicvc->regmap, LOGICVC_BACKGROUND_COLOR_REG, background); =20 - devm_kfree(dev, layer); - return 0; } =20 - if (layer->config.primary) + if (config.primary) type =3D DRM_PLANE_TYPE_PRIMARY; else type =3D DRM_PLANE_TYPE_OVERLAY; =20 - ret =3D drm_universal_plane_init(drm_dev, &layer->drm_plane, 0, - &logicvc_plane_funcs, formats->formats, - formats_count, NULL, type, NULL); - if (ret) { + layer =3D drmm_universal_plane_alloc(drm_dev, struct logicvc_layer, + drm_plane, 0, &logicvc_plane_funcs, + formats->formats, formats_count, + NULL, type, NULL); + if (IS_ERR(layer)) { drm_err(drm_dev, "Failed to initialize layer plane\n"); - return ret; + return PTR_ERR(layer); } =20 + layer->of_node =3D of_node; + layer->index =3D index; + logicvc_layer_set_config(layer, &config); + drm_plane_helper_add(&layer->drm_plane, &logicvc_plane_helper_funcs); =20 zpos =3D logicvc->config.layers_count - index - 1; @@ -545,22 +557,13 @@ static int logicvc_layer_init(struct logicvc_drm *log= icvc, =20 list_add_tail(&layer->list, &logicvc->layers_list); =20 - return 0; - -error: - if (layer) - devm_kfree(dev, layer); - - return ret; -} + ret =3D drmm_add_action_or_reset(drm_dev, logicvc_layer_fini, + layer); + if (ret) + return ret; =20 -static void logicvc_layer_fini(struct logicvc_drm *logicvc, - struct logicvc_layer *layer) -{ - struct device *dev =3D logicvc->drm_dev.dev; =20 - list_del(&layer->list); - devm_kfree(dev, layer); + return 0; } =20 void logicvc_layers_attach_crtc(struct logicvc_drm *logicvc) @@ -584,14 +587,12 @@ int logicvc_layers_init(struct logicvc_drm *logicvc) struct device_node *layer_node =3D NULL; struct device_node *layers_node; struct logicvc_layer *layer; - struct logicvc_layer *next; int ret =3D 0; =20 layers_node =3D of_get_child_by_name(of_node, "layers"); if (!layers_node) { drm_err(drm_dev, "No layers node found in the description\n"); - ret =3D -ENODEV; - goto error; + return -ENODEV; } =20 for_each_child_of_node(layers_node, layer_node) { @@ -614,17 +615,11 @@ int logicvc_layers_init(struct logicvc_drm *logicvc) ret =3D logicvc_layer_init(logicvc, layer_node, index); if (ret) { of_node_put(layers_node); - goto error; + return ret; } } =20 of_node_put(layers_node); =20 return 0; - -error: - list_for_each_entry_safe(layer, next, &logicvc->layers_list, list) - logicvc_layer_fini(logicvc, layer); - - return ret; } --- base-commit: 44e151be23deb788d9f6124de93823faf6e04e99 change-id: 20260526-logicvc-uaf-eab103f0d0de Best regards, -- =20 Romain Gantois