Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

drm/xe/hwmon: fix uaf on unload

It doesn't look like you can mix and match devm_ and drmm_ for a
managed resource. For drmm the resources are all tracked in drm with
its own list, and there is only one devm_ resource for the entire list.
If the driver itself also adds some of its own devm resources, then
those will be released first. In the case of hwmon the devm_kzalloc will
be freed before the drmm_ action to destroy the mutex allocated within,
leading to uaf.

Since hwmon itself wants to use devm, rather use that for the mutex
destroy.

Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/766
Signed-off-by: Matthew Auld <matthew.auld@intel.com>
Cc: Badal Nilawar <badal.nilawar@intel.com>
Cc: Rodrigo Vivi <rodrigo.vivi@intel.com>
Reviewed-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>

Authored by Matthew Auld and committed by Rodrigo Vivi
3a13c2de 5708a108

+10 -1
drivers/gpu/drm/xe/xe_hwmon.c
··· 585 585 xe_hwmon_energy_get(hwmon, &energy); 586 586 } 587 587 588 + static void xe_hwmon_mutex_destroy(void *arg) 589 + { 590 + struct xe_hwmon *hwmon = arg; 591 + 592 + mutex_destroy(&hwmon->hwmon_lock); 593 + } 594 + 588 595 void xe_hwmon_register(struct xe_device *xe) 589 596 { 590 597 struct device *dev = xe->drm.dev; ··· 607 600 608 601 xe->hwmon = hwmon; 609 602 610 - drmm_mutex_init(&xe->drm, &hwmon->hwmon_lock); 603 + mutex_init(&hwmon->hwmon_lock); 604 + if (devm_add_action_or_reset(dev, xe_hwmon_mutex_destroy, hwmon)) 605 + return; 611 606 612 607 /* primary GT to access device level properties */ 613 608 hwmon->gt = xe->tiles[0].primary_gt;
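Review bot: xe_hwmon_mutex_destroy() in the first hunk carries no comment saying why the lock teardown is a devm action rather than drmm_mutex_init(), so the helper reads as a candidate for conversion back to the drmm variant. A short comment above it, stating that hwmon_lock lives inside the devm-allocated hwmon and therefore has to be destroyed by a devm action registered after that allocation, would keep the ordering requirement from the commit message visible in the code.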
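Review bot: in the second hunk, the early return after a failed devm_add_action_or_reset() leaves xe->hwmon set, because `xe->hwmon = hwmon;` runs just above it. On failure the helper has already invoked xe_hwmon_mutex_destroy(), so any later code that tests xe->hwmon would find a structure whose hwmon_lock is already destroyed. Consider moving the assignment below the check, or clearing xe->hwmon before the return. Since xe_hwmon_register() returns void, a warning on this path would also keep the failure from being silent.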