Commit 3a13c2de authored by Matthew Auld's avatar Matthew Auld Committed by Rodrigo Vivi

drm/xe/hwmon: fix uaf on unload

It doesn't look like you can mix and match devm_ and drmmm_ for a
managed resource. For drmmm the resources are all tracked in drm with
its own list, and there is only one devm_ resource for the entire list.
If the driver itself also adds some of its own devm resources, then
those will be released first. In the case of hwmon the devm_kzalloc will
be freed before the drmmm_ action to destroy the mutex allocated within,
leading to uaf.

Since hwmon itself wants to use devm, rather use that for the mutex
destroy.

Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/766Signed-off-by: default avatarMatthew Auld <matthew.auld@intel.com>
Cc: Badal Nilawar <badal.nilawar@intel.com>
Cc: Rodrigo Vivi <rodrigo.vivi@intel.com>
Reviewed-by: default avatarRodrigo Vivi <rodrigo.vivi@intel.com>
Signed-off-by: default avatarRodrigo Vivi <rodrigo.vivi@intel.com>
parent 5708a108
...@@ -585,6 +585,13 @@ xe_hwmon_get_preregistration_info(struct xe_device *xe) ...@@ -585,6 +585,13 @@ xe_hwmon_get_preregistration_info(struct xe_device *xe)
xe_hwmon_energy_get(hwmon, &energy); xe_hwmon_energy_get(hwmon, &energy);
} }
static void xe_hwmon_mutex_destroy(void *arg)
{
struct xe_hwmon *hwmon = arg;
mutex_destroy(&hwmon->hwmon_lock);
}
void xe_hwmon_register(struct xe_device *xe) void xe_hwmon_register(struct xe_device *xe)
{ {
struct device *dev = xe->drm.dev; struct device *dev = xe->drm.dev;
...@@ -600,7 +607,9 @@ void xe_hwmon_register(struct xe_device *xe) ...@@ -600,7 +607,9 @@ void xe_hwmon_register(struct xe_device *xe)
xe->hwmon = hwmon; xe->hwmon = hwmon;
drmm_mutex_init(&xe->drm, &hwmon->hwmon_lock); mutex_init(&hwmon->hwmon_lock);
if (devm_add_action_or_reset(dev, xe_hwmon_mutex_destroy, hwmon))
return;
/* primary GT to access device level properties */ /* primary GT to access device level properties */
hwmon->gt = xe->tiles[0].primary_gt; hwmon->gt = xe->tiles[0].primary_gt;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment