[0/3] drm/meson: fix use-after-free driver unload issues

Message ID	20220919010940.419893-1-adrian.larumbe@collabora.com (mailing list archive)
Headers	show Return-Path: <linux-amlogic-bounces+linux-amlogic=archiver.kernel.org@lists.infradead.org> sender: alarumbe) by madras.collabora.co.uk (Postfix) with ESMTPSA id 05210660159F; Mon, 19 Sep 2022 02:09:48 +0100 (BST) From: =?utf-8?q?Adri=C3=A1n_Larumbe?= <adrian.larumbe@collabora.com> To: narmstrong@baylibre.com, khilman@baylibre.com, linux-amlogic@lists.infradead.org, dri-devel@lists.freedesktop.org Cc: adrian.larumbe@collabora.com Subject: [PATCH 0/3] drm/meson: fix use-after-free driver unload issues Date: Mon, 19 Sep 2022 02:09:37 +0100 Message-Id: <20220919010940.419893-1-adrian.larumbe@collabora.com> MIME-Version: 1.0 Precedence: list Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Sender: "linux-amlogic" <linux-amlogic-bounces@lists.infradead.org> Errors-To: linux-amlogic-bounces+linux-amlogic=archiver.kernel.org@lists.infradead.org
Series	drm/meson: fix use-after-free driver unload issues \| expand [0/3] drm/meson: fix use-after-free driver unload issues [1/3] drm/meson: reorder driver deinit sequence to fix use-after-free bug [2/3] drm/meson: explicitly remove aggregate driver at module unload time [3/3] drm/meson: remove drm bridges at aggregate driver unbind time

Message ID

20220919010940.419893-1-adrian.larumbe@collabora.com (mailing list archive)

Headers

From: =?utf-8?q?Adri=C3=A1n_Larumbe?= <adrian.larumbe@collabora.com>
To: narmstrong@baylibre.com,
	khilman@baylibre.com,
	linux-amlogic@lists.infradead.org,
	dri-devel@lists.freedesktop.org
Cc: adrian.larumbe@collabora.com
Subject: [PATCH 0/3] drm/meson: fix use-after-free driver unload issues
Date: Mon, 19 Sep 2022 02:09:37 +0100
Message-Id: <20220919010940.419893-1-adrian.larumbe@collabora.com>
MIME-Version: 1.0
Precedence: list
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Sender: "linux-amlogic" <linux-amlogic-bounces@lists.infradead.org>
Errors-To: 
 linux-amlogic-bounces+linux-amlogic=archiver.kernel.org@lists.infradead.org

Series

drm/meson: fix use-after-free driver unload issues | expand

Message

Adrián Larumbe Sept. 19, 2022, 1:09 a.m. UTC

This patch series tries to fix some use-after-free bugs I've observed with
the help of KASAN in Amlogic's KMS DRM driver.

The first patch in the series reorders the driver deinitialisation sequence
so that devres won't deallocate things that are still expected to be around
by a later call to drm_dev_put.

The second patch adds a missing call to component_master_del inside a new
driver's remove callback.

The third patch makes sure some drm bridges added during driver
initialisation are removed at module unload time, to make sure the global
bridge list doesn't keep nodes to freed memory.

All three patches have been tested on an Odroid N2+ plus SBC.

Adrián Larumbe (3):
  drm/meson: reorder driver deinit sequence to fix use-after-free bug
  drm/meson: explicitly remove aggregate driver at module unload time
  drm/meson: remove drm bridges at aggregate driver unbind time

 drivers/gpu/drm/meson/meson_drv.c          | 14 +++++++++++++-
 drivers/gpu/drm/meson/meson_drv.h          |  7 +++++++
 drivers/gpu/drm/meson/meson_encoder_cvbs.c |  7 +++++++
 drivers/gpu/drm/meson/meson_encoder_cvbs.h |  1 +
 drivers/gpu/drm/meson/meson_encoder_hdmi.c |  7 +++++++
 drivers/gpu/drm/meson/meson_encoder_hdmi.h |  1 +
 drivers/gpu/drm/meson/meson_venc.h         | 15 +++++++++++++++
 7 files changed, 51 insertions(+), 1 deletion(-)

Comments

Neil Armstrong Sept. 23, 2022, 9:48 a.m. UTC | #1

Hi,

On Mon, 19 Sep 2022 02:09:37 +0100, Adrián Larumbe wrote:
> This patch series tries to fix some use-after-free bugs I've observed with
> the help of KASAN in Amlogic's KMS DRM driver.
> 
> The first patch in the series reorders the driver deinitialisation sequence
> so that devres won't deallocate things that are still expected to be around
> by a later call to drm_dev_put.
> 
> [...]

Thanks, Applied to https://anongit.freedesktop.org/git/drm/drm-misc.git (drm-misc-next)

[1/3] drm/meson: reorder driver deinit sequence to fix use-after-free bug
      https://cgit.freedesktop.org/drm/drm-misc/commit/?id=31c519981eb141c7ec39bfd5be25d35f02edb868
[2/3] drm/meson: explicitly remove aggregate driver at module unload time
      https://cgit.freedesktop.org/drm/drm-misc/commit/?id=8616f2a0589a80e08434212324250eb22f6a66ce
[3/3] drm/meson: remove drm bridges at aggregate driver unbind time
      https://cgit.freedesktop.org/drm/drm-misc/commit/?id=09847723c12fc2753749cec3939a02ee92dac468