From: Paul Cercueil paul@crapouillou.net
stable inclusion from stable-v5.10.37 commit ce450934a00cf896e648fde08d0bd1426653d7a2 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I94VOL CVE: CVE-2021-47063
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
--------------------------------
commit 4d906839d321c2efbf3fed4bc31ffd9ff55b75c0 upstream.
If we don't call drm_connector_cleanup() manually in panel_bridge_detach(), the connector will be cleaned up with the other DRM objects in the call to drm_mode_config_cleanup(). However, since our drm_connector is devm-allocated, by the time drm_mode_config_cleanup() will be called, our connector will be long gone. Therefore, the connector must be cleaned up when the bridge is detached to avoid use-after-free conditions.
v2: Cleanup connector only if it was created
v3: Add FIXME
v4: (Use connector->dev) directly in if() block
Fixes: 13dfc0540a57 ("drm/bridge: Refactor out the panel wrapper from the lvds-encoder bridge.") Cc: stable@vger.kernel.org # 4.12+ Cc: Andrzej Hajda a.hajda@samsung.com Cc: Neil Armstrong narmstrong@baylibre.com Cc: Laurent Pinchart Laurent.pinchart@ideasonboard.com Cc: Jonas Karlman jonas@kwiboo.se Cc: Jernej Skrabec jernej.skrabec@siol.net Signed-off-by: Paul Cercueil paul@crapouillou.net Reviewed-by: Laurent Pinchart laurent.pinchart@ideasonboard.com Link: https://patchwork.freedesktop.org/patch/msgid/20210327115742.18986-2-paul@cr... Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
conflicts: drivers/gpu/drm/bridge/panel.c
Signed-off-by: Guo Mengqi guomengqi3@huawei.com --- drivers/gpu/drm/bridge/panel.c | 11 +++++++++++ 1 file changed, 11 insertions(+)
diff --git a/drivers/gpu/drm/bridge/panel.c b/drivers/gpu/drm/bridge/panel.c index 7cbaba213ef6..dbeaf1257668 100644 --- a/drivers/gpu/drm/bridge/panel.c +++ b/drivers/gpu/drm/bridge/panel.c @@ -92,6 +92,17 @@ static int panel_bridge_attach(struct drm_bridge *bridge) static void panel_bridge_detach(struct drm_bridge *bridge) { struct panel_bridge *panel_bridge = drm_bridge_to_panel_bridge(bridge); + struct drm_connector *connector = &panel_bridge->connector; + + /* + * Cleanup the connector if we know it was initialized. + * + * FIXME: This wouldn't be needed if the panel_bridge structure was + * allocated with drmm_kzalloc(). This might be tricky since the + * drm_device pointer can only be retrieved when the bridge is attached. + */ + if (connector->dev) + drm_connector_cleanup(connector);
drm_panel_detach(panel_bridge->panel); }