On Tue, Dec 19, 2023 at 10:44:02AM +0200, Jani Nikula wrote:
On Mon, 18 Dec 2023, Sasha Levin sashal@kernel.org wrote:
From: Ziqi Zhao astrajoan@yahoo.com
[ Upstream commit 3823119b9c2b5f9e9b760336f75bc989b805cde6 ]
The connector_set contains uninitialized values when allocated with kmalloc_array. However, in the "out" branch, the logic assumes that any element in connector_set would be equal to NULL if failed to initialize, which causes the bug reported by Syzbot. The fix is to use an extra variable to keep track of how many connectors are initialized indeed, and use that variable to decrease any refcounts in the "out" branch.
Reported-by: syzbot+4fad2e57beb6397ab2fc@syzkaller.appspotmail.com Signed-off-by: Ziqi Zhao astrajoan@yahoo.com Reported-and-tested-by: syzbot+4fad2e57beb6397ab2fc@syzkaller.appspotmail.com Tested-by: Harshit Mogalapalli harshit.m.mogalapalli@oracle.com Link: https://lore.kernel.org/r/20230721161446.8602-1-astrajoan@yahoo.com Signed-off-by: Maxime Ripard mripard@kernel.org Signed-off-by: Sasha Levin sashal@kernel.org
This commit fixes an uninitialized value, but introduces a new one. Please backport 6e455f5dcdd1 ("drm/crtc: fix uninitialized variable use") from v6.7-rc6 to go with it.
I'll take 6e455f5dcdd1 too, thanks!