Re: [PATCH AUTOSEL 4.14 3/6] drm/crtc: Fix uninit-value bug in drm_mode_setcrtc

From: Sasha Levin
Date: Sun Jan 14 2024 - 22:24:58 EST


On Tue, Dec 19, 2023 at 10:44:02AM +0200, Jani Nikula wrote:
On Mon, 18 Dec 2023, Sasha Levin <sashal@xxxxxxxxxx> wrote:
From: Ziqi Zhao <astrajoan@xxxxxxxxx>

[ Upstream commit 3823119b9c2b5f9e9b760336f75bc989b805cde6 ]

The connector_set contains uninitialized values when allocated with
kmalloc_array. However, in the "out" branch, the logic assumes that any
element in connector_set would be equal to NULL if failed to
initialize, which causes the bug reported by Syzbot. The fix is to use
an extra variable to keep track of how many connectors are initialized
indeed, and use that variable to decrease any refcounts in the "out"
branch.

Reported-by: syzbot+4fad2e57beb6397ab2fc@xxxxxxxxxxxxxxxxxxxxxxxxx
Signed-off-by: Ziqi Zhao <astrajoan@xxxxxxxxx>
Reported-and-tested-by: syzbot+4fad2e57beb6397ab2fc@xxxxxxxxxxxxxxxxxxxxxxxxx
Tested-by: Harshit Mogalapalli <harshit.m.mogalapalli@xxxxxxxxxx>
Link: https://lore.kernel.org/r/20230721161446.8602-1-astrajoan@xxxxxxxxx
Signed-off-by: Maxime Ripard <mripard@xxxxxxxxxx>
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

This commit fixes an uninitialized value, but introduces a new
one. Please backport 6e455f5dcdd1 ("drm/crtc: fix uninitialized variable
use") from v6.7-rc6 to go with it.

I'll take 6e455f5dcdd1 too, thanks!

--
Thanks,
Sasha