Re: [PATCH] drm/logicvc: Avoid use-after-free with devm_kzalloc()
From: Romain Gantois
Date: Mon Jun 08 2026 - 12:23:43 EST

Hi Maxime,

On Monday, 1 June 2026 09:11:21 CEST Maxime Ripard wrote:
> Hi,
>
> On Mon, Jun 01, 2026 at 08:52:44AM +0200, Romain Gantois wrote:
> > The logicvc driver calls drm_universal_plane_init(),
> > drm_crtc_init_with_planes(), and drm_encoder_alloc(). These functions
> > should not be called with structs allocated with devm_kzalloc(), as this
> > can lead to use-after-free bugs. In fact, a use-after-free caused by this
> > has been observed on a v6.6 kernel.
> >
> > Use DRM-managed allocations instead for panel, CRTC and encoder objects.
> >
> > Found using KASAN.
> >
> > Fixes: efeeaefe9be56 ("drm: Add support for the LogiCVC display controller")
> > Cc: stable@xxxxxxxxxxxxxxx
> > Signed-off-by: Romain Gantois <romain.gantois@xxxxxxxxxxx>
>
> You're only partially fixing the issue. You also need to protect any
> device resources (register mapping, clocks, etc) so that they are no
> longer accessed after the device has been removed, and this is typically
> done using drm_dev_enter/exit.

Sorry, there's something which I don't quite understand: is this a new issue
which is specifically introduced by my changes in this series, or a different
issue in this driver which isn't handled by my series?

IIUC all I'm doing here is just letting the drmm code handle cleaning up the
plane, crtc, etc. objects instead of doing it "by hand" with devm_kzalloc. Why
does this make it necessary to add additional protection of driver resources?

Thanks,

--
Romain Gantois, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
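
Added example, not part of the original message or of the logicvc driver: a userspace C model of the two lifetimes this thread discusses, showing what a call through a still-open file hits after unbind with devm-allocated objects, with DRM-managed objects alone, and with DRM-managed objects plus a drm_dev_enter()-style check. All identifiers are hypothetical, and the model assumes that unbind marks the device unplugged the way drm_dev_unplug() does.

```c
/* Userspace model of the lifetimes discussed in the thread. Constructed
 * example: not kernel code, all identifiers are hypothetical. */
#include <stdbool.h>

enum state { LIVE, RELEASED };
enum result { ACCESS_OK, REJECTED_UNPLUGGED, STALE_OBJECT, STALE_REGS };

struct model_dev {
    int drm_refs;          /* driver's reference plus one per open file */
    bool unplugged;        /* the condition drm_dev_enter() tests */
    enum state devm_crtc;  /* devm_kzalloc(): released at driver unbind */
    enum state drmm_crtc;  /* DRM-managed: released with the last DRM ref */
    enum state regs;       /* devm register mapping: released at unbind */
};

static void model_probe(struct model_dev *d)
{
    *d = (struct model_dev){ .drm_refs = 1 };  /* every state starts LIVE */
}

static void model_put(struct model_dev *d)
{
    if (--d->drm_refs == 0)
        d->drmm_crtc = RELEASED;
}

/* Assumption: unbind marks the device unplugged, as drm_dev_unplug() does. */
static void model_unbind(struct model_dev *d)
{
    d->unplugged = true;
    d->devm_crtc = RELEASED;
    d->regs = RELEASED;
    model_put(d);  /* drop the driver's own reference */
}

/* A call arriving through a file that is still open: it dereferences the
 * CRTC object first, then touches the hardware registers. */
static enum result model_ioctl(const struct model_dev *d, bool drmm, bool guard)
{
    if ((drmm ? d->drmm_crtc : d->devm_crtc) == RELEASED)
        return STALE_OBJECT;          /* the use-after-free case */
    if (guard && d->unplugged)
        return REJECTED_UNPLUGGED;    /* drm_dev_enter() returned false */
    return d->regs == RELEASED ? STALE_REGS : ACCESS_OK;
}

/* Userspace keeps the device open across unbind, then issues one call. */
static enum result run_scenario(bool drmm, bool guard)
{
    struct model_dev d;
    model_probe(&d);
    d.drm_refs++;                     /* open() */
    model_unbind(&d);
    return model_ioctl(&d, drmm, guard);
}
```

In this model the devm case returns STALE_OBJECT, the DRM-managed case without a guard returns STALE_REGS, and only the guarded DRM-managed case returns REJECTED_UNPLUGGED.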