On Fri, 10 Jun 2022 at 10:30, Maxime Ripard <maxime@xxxxxxxxxx> wrote: > > Our internal structure that stores the DRM entities structure is allocated > through a device-managed kzalloc. > > This means that this will eventually be freed whenever the device is > removed. In our case, the most likely source of removal is that the main > device is going to be unbound, and component_unbind_all() is being run. > > However, it occurs while the DRM device is still registered, which will > create dangling pointers, eventually resulting in use-after-free. > > Switch to a DRM-managed allocation to keep our structure until the DRM > driver doesn't need it anymore. > > Signed-off-by: Maxime Ripard <maxime@xxxxxxxxxx> Reviewed-by: Dave Stevenson <dave.stevenson@xxxxxxxxxxxxxxx> > --- > drivers/gpu/drm/vc4/vc4_dpi.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/drivers/gpu/drm/vc4/vc4_dpi.c b/drivers/gpu/drm/vc4/vc4_dpi.c > index c88e8e397730..d1eaafb43bd1 100644 > --- a/drivers/gpu/drm/vc4/vc4_dpi.c > +++ b/drivers/gpu/drm/vc4/vc4_dpi.c > @@ -244,9 +244,10 @@ static int vc4_dpi_bind(struct device *dev, struct device *master, void *data) > struct vc4_dpi *dpi; > int ret; > > - dpi = devm_kzalloc(dev, sizeof(*dpi), GFP_KERNEL); > + dpi = drmm_kzalloc(drm, sizeof(*dpi), GFP_KERNEL); > if (!dpi) > return -ENOMEM; > + > dpi->encoder.type = VC4_ENCODER_TYPE_DPI; > dpi->pdev = pdev; > dpi->regs = vc4_ioremap_regs(pdev, 0); > -- > 2.36.1 >
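Review bot: the new `dpi = drmm_kzalloc(drm, sizeof(*dpi), GFP_KERNEL);` line depends on a `drm` variable that does not appear anywhere in the visible context of vc4_dpi_bind() (only `dpi` and `ret` are declared there), so please confirm it is already in scope above the hunk; otherwise this will not compile. Two smaller points: the extra blank line inserted after `return -ENOMEM;` is unrelated whitespace churn and should be dropped, and since the commit message describes a use-after-free triggered by component_unbind_all() while the DRM device is still registered, a Fixes: tag pointing at the commit that introduced the devm_kzalloc() allocation (and a Cc: stable if it applies) would let this reach stable kernels. Also worth saying explicitly in the message that this only extends the lifetime of the struct itself: `dpi->regs = vc4_ioremap_regs(pdev, 0);` in the same context is still tied to the platform device, so code that dereferences dpi->regs after the component is unbound remains a separate problem this change does not address.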