[v1] drm/amd/display: Have risk for memory exhaustion
Commit Message
In dcn*_clock_source_create when dcn*_clk_src_construct fails allocated
clk_src needs release. A local attack could use this to cause memory
exhaustion.
Signed-off-by: LongJun Tang <tanglongjun@kylinos.cn>
---
drivers/gpu/drm/amd/display/dc/dcn30/dcn30_resource.c | 1 +
drivers/gpu/drm/amd/display/dc/dcn301/dcn301_resource.c | 1 +
drivers/gpu/drm/amd/display/dc/dcn302/dcn302_resource.c | 1 +
drivers/gpu/drm/amd/display/dc/dcn303/dcn303_resource.c | 1 +
drivers/gpu/drm/amd/display/dc/dcn31/dcn31_resource.c | 1 +
drivers/gpu/drm/amd/display/dc/dcn315/dcn315_resource.c | 1 +
drivers/gpu/drm/amd/display/dc/dcn32/dcn32_resource.c | 1 +
drivers/gpu/drm/amd/display/dc/dcn321/dcn321_resource.c | 1 +
8 files changed, 8 insertions(+)
Comments
On Fri, Nov 4, 2022 at 10:06 AM LongJun Tang <tanglongjun@kylinos.cn> wrote:
>
> In dcn*_clock_source_create when dcn*_clk_src_construct fails allocated
> clk_src needs release. A local attack could use this to cause memory
> exhaustion.
>
> Signed-off-by: LongJun Tang <tanglongjun@kylinos.cn>
Applied. Thanks!
Alex
> ---
> drivers/gpu/drm/amd/display/dc/dcn30/dcn30_resource.c | 1 +
> drivers/gpu/drm/amd/display/dc/dcn301/dcn301_resource.c | 1 +
> drivers/gpu/drm/amd/display/dc/dcn302/dcn302_resource.c | 1 +
> drivers/gpu/drm/amd/display/dc/dcn303/dcn303_resource.c | 1 +
> drivers/gpu/drm/amd/display/dc/dcn31/dcn31_resource.c | 1 +
> drivers/gpu/drm/amd/display/dc/dcn315/dcn315_resource.c | 1 +
> drivers/gpu/drm/amd/display/dc/dcn32/dcn32_resource.c | 1 +
> drivers/gpu/drm/amd/display/dc/dcn321/dcn321_resource.c | 1 +
> 8 files changed, 8 insertions(+)
>
> diff --git a/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_resource.c b/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_resource.c
> index 020f512e9690..9b7e786bd4a2 100644
> --- a/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_resource.c
> +++ b/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_resource.c
> @@ -1323,6 +1323,7 @@ static struct clock_source *dcn30_clock_source_create(
> return &clk_src->base;
> }
>
> + kfree(clk_src);
> BREAK_TO_DEBUGGER();
> return NULL;
> }
> diff --git a/drivers/gpu/drm/amd/display/dc/dcn301/dcn301_resource.c b/drivers/gpu/drm/amd/display/dc/dcn301/dcn301_resource.c
> index f04595b750ab..7c1225046544 100644
> --- a/drivers/gpu/drm/amd/display/dc/dcn301/dcn301_resource.c
> +++ b/drivers/gpu/drm/amd/display/dc/dcn301/dcn301_resource.c
> @@ -1288,6 +1288,7 @@ static struct clock_source *dcn301_clock_source_create(
> return &clk_src->base;
> }
>
> + kfree(clk_src);
> BREAK_TO_DEBUGGER();
> return NULL;
> }
> diff --git a/drivers/gpu/drm/amd/display/dc/dcn302/dcn302_resource.c b/drivers/gpu/drm/amd/display/dc/dcn302/dcn302_resource.c
> index b925b6ddde5a..73ae1146dad5 100644
> --- a/drivers/gpu/drm/amd/display/dc/dcn302/dcn302_resource.c
> +++ b/drivers/gpu/drm/amd/display/dc/dcn302/dcn302_resource.c
> @@ -458,6 +458,7 @@ static struct clock_source *dcn302_clock_source_create(struct dc_context *ctx, s
> return &clk_src->base;
> }
>
> + kfree(clk_src);
> BREAK_TO_DEBUGGER();
> return NULL;
> }
> diff --git a/drivers/gpu/drm/amd/display/dc/dcn303/dcn303_resource.c b/drivers/gpu/drm/amd/display/dc/dcn303/dcn303_resource.c
> index 527d5c902878..0ea97eeec5a6 100644
> --- a/drivers/gpu/drm/amd/display/dc/dcn303/dcn303_resource.c
> +++ b/drivers/gpu/drm/amd/display/dc/dcn303/dcn303_resource.c
> @@ -425,6 +425,7 @@ static struct clock_source *dcn303_clock_source_create(struct dc_context *ctx, s
> return &clk_src->base;
> }
>
> + kfree(clk_src);
> BREAK_TO_DEBUGGER();
> return NULL;
> }
> diff --git a/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_resource.c b/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_resource.c
> index fddc21a5a04c..b02aa8874efb 100644
> --- a/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_resource.c
> +++ b/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_resource.c
> @@ -1625,6 +1625,7 @@ static struct clock_source *dcn31_clock_source_create(
> return &clk_src->base;
> }
>
> + kfree(clk_src);
> BREAK_TO_DEBUGGER();
> return NULL;
> }
> diff --git a/drivers/gpu/drm/amd/display/dc/dcn315/dcn315_resource.c b/drivers/gpu/drm/amd/display/dc/dcn315/dcn315_resource.c
> index 58746c437554..b2ff29e5f93c 100644
> --- a/drivers/gpu/drm/amd/display/dc/dcn315/dcn315_resource.c
> +++ b/drivers/gpu/drm/amd/display/dc/dcn315/dcn315_resource.c
> @@ -1623,6 +1623,7 @@ static struct clock_source *dcn31_clock_source_create(
> return &clk_src->base;
> }
>
> + kfree(clk_src);
> BREAK_TO_DEBUGGER();
> return NULL;
> }
> diff --git a/drivers/gpu/drm/amd/display/dc/dcn32/dcn32_resource.c b/drivers/gpu/drm/amd/display/dc/dcn32/dcn32_resource.c
> index a88dd7b3d1c1..71730b6666b0 100644
> --- a/drivers/gpu/drm/amd/display/dc/dcn32/dcn32_resource.c
> +++ b/drivers/gpu/drm/amd/display/dc/dcn32/dcn32_resource.c
> @@ -829,6 +829,7 @@ static struct clock_source *dcn32_clock_source_create(
> return &clk_src->base;
> }
>
> + kfree(clk_src);
> BREAK_TO_DEBUGGER();
> return NULL;
> }
> diff --git a/drivers/gpu/drm/amd/display/dc/dcn321/dcn321_resource.c b/drivers/gpu/drm/amd/display/dc/dcn321/dcn321_resource.c
> index 61087f2385a9..d3980fc243c9 100644
> --- a/drivers/gpu/drm/amd/display/dc/dcn321/dcn321_resource.c
> +++ b/drivers/gpu/drm/amd/display/dc/dcn321/dcn321_resource.c
> @@ -828,6 +828,7 @@ static struct clock_source *dcn321_clock_source_create(
> return &clk_src->base;
> }
>
> + kfree(clk_src);
> BREAK_TO_DEBUGGER();
> return NULL;
> }
> --
> 2.17.1
>
>
> No virus found
> Checked by Hillstone Network AntiVirus
@@ -1323,6 +1323,7 @@ static struct clock_source *dcn30_clock_source_create(
return &clk_src->base;
}
+ kfree(clk_src);
BREAK_TO_DEBUGGER();
return NULL;
}
@@ -1288,6 +1288,7 @@ static struct clock_source *dcn301_clock_source_create(
return &clk_src->base;
}
+ kfree(clk_src);
BREAK_TO_DEBUGGER();
return NULL;
}
@@ -458,6 +458,7 @@ static struct clock_source *dcn302_clock_source_create(struct dc_context *ctx, s
return &clk_src->base;
}
+ kfree(clk_src);
BREAK_TO_DEBUGGER();
return NULL;
}
@@ -425,6 +425,7 @@ static struct clock_source *dcn303_clock_source_create(struct dc_context *ctx, s
return &clk_src->base;
}
+ kfree(clk_src);
BREAK_TO_DEBUGGER();
return NULL;
}
@@ -1625,6 +1625,7 @@ static struct clock_source *dcn31_clock_source_create(
return &clk_src->base;
}
+ kfree(clk_src);
BREAK_TO_DEBUGGER();
return NULL;
}
@@ -1623,6 +1623,7 @@ static struct clock_source *dcn31_clock_source_create(
return &clk_src->base;
}
+ kfree(clk_src);
BREAK_TO_DEBUGGER();
return NULL;
}
@@ -829,6 +829,7 @@ static struct clock_source *dcn32_clock_source_create(
return &clk_src->base;
}
+ kfree(clk_src);
BREAK_TO_DEBUGGER();
return NULL;
}
@@ -828,6 +828,7 @@ static struct clock_source *dcn321_clock_source_create(
return &clk_src->base;
}
+ kfree(clk_src);
BREAK_TO_DEBUGGER();
return NULL;
}