This is a note to let you know that I've just added the patch titled
drm/vc4: tests: Fix UAF in the mock helpers
to the 6.5-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
drm-vc4-tests-fix-uaf-in-the-mock-helpers.patch
and it can be found in the queue-6.5 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
commit 26097f19b9122606c4c248bc174242707057ebd9
Author: Maxime Ripard <mripard@xxxxxxxxxx>
Date: Tue Oct 24 12:56:40 2023 +0200
drm/vc4: tests: Fix UAF in the mock helpers
[ Upstream commit cdcd6aef9db5797995d4153ea19fdf56d189f0e4 ]
The VC4 mock helpers allocate the CRTC, encoders and connectors using a
call to kunit_kzalloc(), but the DRM device they are attache to survives
for longer than the test itself which leads to use-after-frees reported
by KASAN.
Switch to drmm_kzalloc to tie the lifetime of these objects to the main
DRM device.
Fixes: f759f5b53f1c ("drm/vc4: tests: Introduce a mocking infrastructure")
Reported-by: Linux Kernel Functional Testing <lkft@xxxxxxxxxx>
Closes: https://lore.kernel.org/all/CA+G9fYvJA2HGqzR9LGgq63v0SKaUejHAE6f7+z9cwWN-ourJ_g@xxxxxxxxxxxxxx/
Tested-by: Anders Roxell <anders.roxell@xxxxxxxxxx>
Reviewed-by: Maíra Canal <mcanal@xxxxxxxxxx>
Signed-off-by: Maxime Ripard <mripard@xxxxxxxxxx>
Link: https://patchwork.freedesktop.org/patch/msgid/20231024105640.352752-1-mripard@xxxxxxxxxx
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
diff --git a/drivers/gpu/drm/vc4/tests/vc4_mock_crtc.c b/drivers/gpu/drm/vc4/tests/vc4_mock_crtc.c
index 5d12d7beef0eb..ade3309ae042f 100644
--- a/drivers/gpu/drm/vc4/tests/vc4_mock_crtc.c
+++ b/drivers/gpu/drm/vc4/tests/vc4_mock_crtc.c
@@ -26,7 +26,7 @@ struct vc4_dummy_crtc *vc4_mock_pv(struct kunit *test,
struct vc4_crtc *vc4_crtc;
int ret;
- dummy_crtc = kunit_kzalloc(test, sizeof(*dummy_crtc), GFP_KERNEL);
+ dummy_crtc = drmm_kzalloc(drm, sizeof(*dummy_crtc), GFP_KERNEL);
KUNIT_ASSERT_NOT_NULL(test, dummy_crtc);
vc4_crtc = &dummy_crtc->crtc;
diff --git a/drivers/gpu/drm/vc4/tests/vc4_mock_output.c b/drivers/gpu/drm/vc4/tests/vc4_mock_output.c
index 6e11fcc9ef45e..e70d7c3076acf 100644
--- a/drivers/gpu/drm/vc4/tests/vc4_mock_output.c
+++ b/drivers/gpu/drm/vc4/tests/vc4_mock_output.c
@@ -32,7 +32,7 @@ struct vc4_dummy_output *vc4_dummy_output(struct kunit *test,
struct drm_encoder *enc;
int ret;
- dummy_output = kunit_kzalloc(test, sizeof(*dummy_output), GFP_KERNEL);
+ dummy_output = drmm_kzalloc(drm, sizeof(*dummy_output), GFP_KERNEL);
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, dummy_output);
dummy_output->encoder.type = vc4_encoder_type;
