[PATCH 1/2] drm/imx: fix use after free

Russell King - ARM Linux admin linux at armlinux.org.uk
Thu Jun 11 13:01:45 UTC 2020


On Thu, Jun 11, 2020 at 02:43:31PM +0200, Marco Felsch wrote:
> From: Philipp Zabel <p.zabel at pengutronix.de>
> 
> Component driver structures allocated with devm_kmalloc() in bind() are
> freed automatically after unbind(). Since the contained drm structures
> are accessed afterwards in drm_mode_config_cleanup(), move the
> allocation into probe() to extend the driver structure's lifetime to the
> lifetime of the device. This should eventually be changed to use drm
> resource managed allocations with lifetime of the drm device.

You need to be extremely careful doing this.  If the allocation is
in the probe function, its lifetime is not just until unbind, but
potentially to the _next_ bind, unbind, bind, unbind.  In other
words, its lifetime is from the point that the component is probed
to the point that it is later removed.

If the driver relies on initialisation of that structure, then that
must be _very_ carefully handled - any state in that structure will
remain.

So, you need to think long and hard about changes like this, and do
a thorough review of the lifetime of every structure member.

-- 
RMK's Patch system: https://www.armlinux.org.uk/developer/patches/
FTTC for 0.8m (est. 1762m) line in suburbia: sync at 13.1Mbps down 503kbps up
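The two lifetimes discussed in this thread, modelled as an added example (constructed userspace C, not kernel code and not part of the patch): allocations are attached to a probe scope or a bind scope, a released allocation is flagged instead of freed so the late access is detectable, and `imx_drm_device`, `devm_zalloc` and the two scenario functions are stand-ins for the kernel structures and helpers named above.

```c
/* Constructed userspace model of devres scoping, not kernel code: allocations
 * attached to a scope are released together when that scope ends. A released
 * allocation is flagged rather than free()d so a late access is detectable. */
struct imx_drm_device { int mode_config_ready; int binds; };   /* driver struct */
struct devres { struct imx_drm_device obj; int freed; };
struct scope { struct devres *list[4]; int n; };
struct device { struct scope probe_scope, bind_scope; struct devres *priv; };
static struct devres pool[8]; static int pool_used;
static struct devres *devm_zalloc(struct scope *s) {   /* devm_kzalloc() stand-in */
    struct devres *r = &pool[pool_used++ % 8];
    *r = (struct devres){0};                           /* zeroed on allocation */
    s->list[s->n++] = r;
    return r;
}
static void scope_release(struct scope *s) {           /* devres release */
    for (int i = 0; i < s->n; i++) s->list[i]->freed = 1;
    s->n = 0;
}
/* drm_mode_config_cleanup() stand-in: 0 on a live structure, -1 if released. */
static int mode_config_cleanup(struct devres *r) {
    if (r->freed) return -1;
    r->obj.mode_config_ready = 0;
    return 0;
}

/* Before the patch: allocate in bind(); devres frees it after unbind(); the
 * later drm_mode_config_cleanup() then touches released memory. */
static int bind_scoped_cycle(void) {
    struct device d = {0};
    d.priv = devm_zalloc(&d.bind_scope);
    d.priv->obj.mode_config_ready = 1;
    scope_release(&d.bind_scope);                      /* unbind() completed */
    return mode_config_cleanup(d.priv);                /* -1: use after free */
}
/* After the patch: allocate in probe(). Returns -1 if any cleanup hit released
 * memory (it never does now), else the bind count the structure still holds
 * after `cycles` rounds: state that persists unless bind() reinitialises it. */
static int probe_scoped_cycles(int cycles, int reinit_on_bind) {
    struct device d = {0};
    d.priv = devm_zalloc(&d.probe_scope);
    for (int i = 0; i < cycles; i++) {
        if (reinit_on_bind) d.priv->obj = (struct imx_drm_device){0};
        d.priv->obj.binds++;
        d.priv->obj.mode_config_ready = 1;
        scope_release(&d.bind_scope);                  /* unbind(): nothing ours */
        if (mode_config_cleanup(d.priv)) return -1;    /* still live, so 0 */
    }
    int binds = d.priv->obj.binds;
    scope_release(&d.probe_scope);                     /* remove(): released now */
    return binds;
}
```

Without the reset on bind, the structure reports every earlier bind after three rounds, which is exactly the member-by-member lifetime review the reply asks for.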