drm/nouveau/disp: fix use-after-free in error handling of nouveau_connector_create

karolherbst · karolherbst · commit 1b254b791d7b · 2023-08-16T23:45:04.000+02:00
We can't simply free the connector after calling drm_connector_init on it. We need to clean up the drm side first. It might not fix all regressions from commit 2b5d1c2 ("drm/nouveau/disp: PIOR DP uses GPIO for HPD, not PMGR AUX interrupts"), but at least it fixes a memory corruption in error handling related to that commit. Link: https://lore.kernel.org/lkml/20230806213107.GFZNARG6moWpFuSJ9W@fat_crate.local/ Fixes: 95983ae ("drm/nouveau/disp: add connector class") Signed-off-by: Karol Herbst <kherbst@redhat.com> Reviewed-by: Lyude Paul <lyude@redhat.com> Link: https://patchwork.freedesktop.org/patch/msgid/20230814144933.3956959-1-kherbst@redhat.com
diff --git a/drivers/gpu/drm/nouveau/nouveau_connector.c b/drivers/gpu/drm/nouveau/nouveau_connector.c
@@ -1408,8 +1408,7 @@ nouveau_connector_create(struct drm_device *dev,
 		ret = nvif_conn_ctor(&disp->disp, nv_connector->base.name, nv_connector->index,
 				     &nv_connector->conn);
 		if (ret) {
-			kfree(nv_connector);
-			return ERR_PTR(ret);
+			goto drm_conn_err;
 		}
 
 		ret = nvif_conn_event_ctor(&nv_connector->conn, "kmsHotplug",
@@ -1426,8 +1425,7 @@ nouveau_connector_create(struct drm_device *dev,
 			if (ret) {
 				nvif_event_dtor(&nv_connector->hpd);
 				nvif_conn_dtor(&nv_connector->conn);
-				kfree(nv_connector);
-				return ERR_PTR(ret);
+				goto drm_conn_err;
 			}
 		}
 	}
@@ -1475,4 +1473,9 @@ nouveau_connector_create(struct drm_device *dev,
 
 	drm_connector_register(connector);
 	return connector;
+
+drm_conn_err:
+	drm_connector_cleanup(connector);
+	kfree(nv_connector);
+	return ERR_PTR(ret);
 }

Original file line number	Diff line number	Diff line change
`@@ -1408,8 +1408,7 @@ nouveau_connector_create(struct drm_device *dev,`
`1408`	`1408`	`ret = nvif_conn_ctor(&disp->disp, nv_connector->base.name, nv_connector->index,`
`1409`	`1409`	`&nv_connector->conn);`
`1410`	`1410`	`if (ret) {`
`1411`		`- kfree(nv_connector);`
`1412`		`- return ERR_PTR(ret);`
	`1411`	`+ goto drm_conn_err;`
`1413`	`1412`	`}`
`1414`	`1413`
`1415`	`1414`	`ret = nvif_conn_event_ctor(&nv_connector->conn, "kmsHotplug",`
`@@ -1426,8 +1425,7 @@ nouveau_connector_create(struct drm_device *dev,`
`1426`	`1425`	`if (ret) {`
`1427`	`1426`	`nvif_event_dtor(&nv_connector->hpd);`
`1428`	`1427`	`nvif_conn_dtor(&nv_connector->conn);`
`1429`		`- kfree(nv_connector);`
`1430`		`- return ERR_PTR(ret);`
	`1428`	`+ goto drm_conn_err;`
`1431`	`1429`	`}`
`1432`	`1430`	`}`
`1433`	`1431`	`}`
`@@ -1475,4 +1473,9 @@ nouveau_connector_create(struct drm_device *dev,`
`1475`	`1473`
`1476`	`1474`	`drm_connector_register(connector);`
`1477`	`1475`	`return connector;`
	`1476`	`+`
	`1477`	`+drm_conn_err:`
	`1478`	`+ drm_connector_cleanup(connector);`
	`1479`	`+ kfree(nv_connector);`
	`1480`	`+ return ERR_PTR(ret);`
`1478`	`1481`	`}`