On Fri, 10 Jun 2022 at 10:30, Maxime Ripard <maxime@xxxxxxxxxx> wrote:
>
> Our internal structure that stores the DRM entities structure is allocated
> through a device-managed kzalloc.
>
> This means that this will eventually be freed whenever the device is
> removed. In our case, the most likely source of removal is that the main
> device is going to be unbound, and component_unbind_all() is being run.
>
> However, it occurs while the DRM device is still registered, which will
> create dangling pointers, eventually resulting in use-after-free.
>
> Switch to a DRM-managed allocation to keep our structure until the DRM
> driver doesn't need it anymore.
>
> Signed-off-by: Maxime Ripard <maxime@xxxxxxxxxx>

Reviewed-by: Dave Stevenson <dave.stevenson@xxxxxxxxxxxxxxx>

> ---
>  drivers/gpu/drm/vc4/vc4_crtc.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/vc4/vc4_crtc.c b/drivers/gpu/drm/vc4/vc4_crtc.c
> index 1f7e987e68aa..c74fa3d07561 100644
> --- a/drivers/gpu/drm/vc4/vc4_crtc.c
> +++ b/drivers/gpu/drm/vc4/vc4_crtc.c
> @@ -1178,7 +1178,7 @@ static int vc4_crtc_bind(struct device *dev, struct device *master, void *data)
>  struct drm_crtc *crtc;
>  int ret;
>
> - vc4_crtc = devm_kzalloc(dev, sizeof(*vc4_crtc), GFP_KERNEL);
> + vc4_crtc = drmm_kzalloc(drm, sizeof(*vc4_crtc), GFP_KERNEL);
>  if (!vc4_crtc)
>  return -ENOMEM;
>  crtc = &vc4_crtc->base;
> --
> 2.36.1
>
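Review bot: the added line passes `drm` as the owner of the drmm_kzalloc() allocation, but the hunk's context shows only `crtc` and `ret` declared before it, so confirm that vc4_crtc_bind() already has a `struct drm_device *drm` assigned at this point; if it is derived from the `master`/`data` arguments further down the function, that assignment has to move above the allocation or the build breaks. It would also help the commit message to state that, after this change, the vc4_crtc memory now outlives component_unbind_all() and is released by the DRM device's managed-release path instead, which is exactly the lifetime the use-after-free described above requires.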