Re: [PATCH] drm/logicvc: Avoid use-after-free with devm_kzalloc()

Next message: ashish yadav: "Re: [PATCH v2 1/2] dt-bindings: hwmon/pmbus: Add Infineon XDP720/XDP730"
Previous message: Mika Westerberg: "Re: [PATCH] thunderbolt: Defer DP tunnel teardown until display driver is ready"
In reply to: Romain Gantois: "[PATCH] drm/logicvc: Avoid use-after-free with devm_kzalloc()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Maxime Ripard

Date: Mon Jun 01 2026 - 03:12:38 EST

Hi,

On Mon, Jun 01, 2026 at 08:52:44AM +0200, Romain Gantois wrote:
> The logicvc driver calls drm_universal_plane_init(),
> drm_crtc_init_with_planes(), and drm_encoder_alloc(). These functions
> should not be called with structs allocated with devm_kzalloc(), as this
> can lead to use-after-free bugs. In fact, a use-after-free caused by this
> has been observed on a v6.6 kernel.
>
> Use DRM-managed allocations instead for panel, CRTC and encoder objects.
>
> Found using KASAN.
>
> Fixes: efeeaefe9be56 ("drm: Add support for the LogiCVC display controller")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Romain Gantois <romain.gantois@xxxxxxxxxxx>

You're only partially fixing the issue. You also need to protect any
device resource (register mapping, clocks, etc) are no longer accessed
after the device has been removed, and this is typically done using
drm_dev_enter/exit.

Maxime

Attachment: signature.asc
Description: PGP signature