Commit f8f13951 authored Nov 23, 2023 by Maxime Ripard Committed by Zheng Zengkai Nov 23, 2023

drm/vc4: tests: Fix UAF in the mock helpers

stable inclusion
from stable-v6.6.2
commit e733f3e9dc7c5b4210a0cc5bfb3347f6ca9fa747
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I8IW7G

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=e733f3e9dc7c5b4210a0cc5bfb3347f6ca9fa747



--------------------------------

[ Upstream commit cdcd6aef9db5797995d4153ea19fdf56d189f0e4 ]

The VC4 mock helpers allocate the CRTC, encoders and connectors using a
call to kunit_kzalloc(), but the DRM device they are attache to survives
for longer than the test itself which leads to use-after-frees reported
by KASAN.

Switch to drmm_kzalloc to tie the lifetime of these objects to the main
DRM device.

Fixes: f759f5b5 ("drm/vc4: tests: Introduce a mocking infrastructure")
Reported-by: Linux Kernel Functional Testing <lkft@linaro.org>
Closes: https://lore.kernel.org/all/CA+G9fYvJA2HGqzR9LGgq63v0SKaUejHAE6f7+z9cwWN-ourJ_g@mail.gmail.com/


Tested-by: Anders Roxell <anders.roxell@linaro.org>
Reviewed-by: Maíra Canal <mcanal@igalia.com>
Signed-off-by: Maxime Ripard <mripard@kernel.org>
Link: https://patchwork.freedesktop.org/patch/msgid/20231024105640.352752-1-mripard@kernel.org


Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>

parent 3d5bb3a2

drivers/gpu/drm/vc4/tests/vc4_mock_crtc.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -26,7 +26,7 @@ struct vc4_dummy_crtc vc4_mock_pv(struct kunit test,
		struct vc4_crtc *vc4_crtc;
		int ret;

		dummy_crtc = kunit_kzalloc(test, sizeof(*dummy_crtc), GFP_KERNEL);
		dummy_crtc = drmm_kzalloc(drm, sizeof(*dummy_crtc), GFP_KERNEL);
		KUNIT_ASSERT_NOT_NULL(test, dummy_crtc);

		vc4_crtc = &dummy_crtc->crtc;

drivers/gpu/drm/vc4/tests/vc4_mock_output.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -32,7 +32,7 @@ struct vc4_dummy_output vc4_dummy_output(struct kunit test,
		struct drm_encoder *enc;
		int ret;

		dummy_output = kunit_kzalloc(test, sizeof(*dummy_output), GFP_KERNEL);
		dummy_output = drmm_kzalloc(drm, sizeof(*dummy_output), GFP_KERNEL);
		KUNIT_ASSERT_NOT_ERR_OR_NULL(test, dummy_output);
		dummy_output->encoder.type = vc4_encoder_type;