possible use-after-free in amdgpu_dm

Tom St Denis tom.stdenis at amd.com
Tue Oct 17 17:25:36 UTC 2017

On 17/10/17 01:23 PM, Tom St Denis wrote:
> On 17/10/17 01:18 PM, Christian König wrote:
>> Am 17.10.2017 um 16:10 schrieb Tom St Denis:
>>> In this block of code:
>>> void amdgpu_dm_connector_funcs_reset(struct drm_connector *connector)
>>> {
>>>     struct dm_connector_state *state =
>>>         to_dm_connector_state(connector->state);
>>>     kfree(state);
>>>     state = kzalloc(sizeof(*state), GFP_KERNEL);
>>> The value of state is never compared with NULL and moreso the value 
>>> of connector->state is never written to if NULL. Wouldn't this mean 
>>> the pointer points to freed memory?
>> Why should we compare the value of state to NULL? What's done here is 
>> just to get the size of the type state points to.
>> Not sure if that is really covered by the C standard, but in practice 
>> it works fine even when state is NULL.
> Hi Christian,
> Oh sorry no the issue isn't with the sizeof (that's perfectly fine since 
> the standard says the pointer won't be dereferenced).
> The issue is later on in the function there's this statement:
>          connector->state = &state->base;
> Where "base" is first item in the struct so it's effectively just 
> "connector->state = &state".
> This means that the value of "connector->state" is stale since the 
> pointer was kfree'ed right (if the alloc fails) which could lead to a 
> use-after-free error (I don't know where this function lies in the rest 
> of the code paths but it seems wrong either way).

Sorry I think I might be explaining this poorly.

In the case the alloc succeeds the pointer is updated and everything is 

IF the alloc fails the pointer (connector->state) is not updated and the 
value points to freed memory.


More information about the amd-gfx mailing list