2019-10-25 09:39:24

by Colin King

[permalink] [raw]
Subject: [PATCH][next] drm/v3d: fix double free of bin

From: Colin Ian King <[email protected]>

Two different fixes have addressed the same memory leak of bin and
this now causes a double free of bin. While the individual memory
leak fixes are fine, both fixes together are problematic.

Addresses-Coverity: ("Double free")
Fixes: 29cd13cfd762 ("drm/v3d: Fix memory leak in v3d_submit_cl_ioctl")
Fixes: 0d352a3a8a1f (" rm/v3d: don't leak bin job if v3d_job_init fails.")
Signed-off-by: Colin Ian King <[email protected]>
---
drivers/gpu/drm/v3d/v3d_gem.c | 1 -
1 file changed, 1 deletion(-)

diff --git a/drivers/gpu/drm/v3d/v3d_gem.c b/drivers/gpu/drm/v3d/v3d_gem.c
index 549dde83408b..37515e47b47e 100644
--- a/drivers/gpu/drm/v3d/v3d_gem.c
+++ b/drivers/gpu/drm/v3d/v3d_gem.c
@@ -568,7 +568,6 @@ v3d_submit_cl_ioctl(struct drm_device *dev, void *data,
ret = v3d_job_init(v3d, file_priv, &bin->base,
v3d_job_free, args->in_sync_bcl);
if (ret) {
- kfree(bin);
v3d_job_put(&render->base);
kfree(bin);
return ret;
--
2.20.1


2019-10-25 11:30:33

by Daniel Vetter

[permalink] [raw]
Subject: Re: [PATCH][next] drm/v3d: fix double free of bin

On Thu, Oct 24, 2019 at 11:48:01AM +0100, Colin King wrote:
> From: Colin Ian King <[email protected]>
>
> Two different fixes have addressed the same memory leak of bin and
> this now causes a double free of bin. While the individual memory
> leak fixes are fine, both fixes together are problematic.
>
> Addresses-Coverity: ("Double free")
> Fixes: 29cd13cfd762 ("drm/v3d: Fix memory leak in v3d_submit_cl_ioctl")
> Fixes: 0d352a3a8a1f (" rm/v3d: don't leak bin job if v3d_job_init fails.")
> Signed-off-by: Colin Ian King <[email protected]>

That sounds like wrong merge resolution somewhere, and we don't have those
patches merged together in any final tree yet anywhere. What's this based
on?
-Daniel

> ---
> drivers/gpu/drm/v3d/v3d_gem.c | 1 -
> 1 file changed, 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/v3d/v3d_gem.c b/drivers/gpu/drm/v3d/v3d_gem.c
> index 549dde83408b..37515e47b47e 100644
> --- a/drivers/gpu/drm/v3d/v3d_gem.c
> +++ b/drivers/gpu/drm/v3d/v3d_gem.c
> @@ -568,7 +568,6 @@ v3d_submit_cl_ioctl(struct drm_device *dev, void *data,
> ret = v3d_job_init(v3d, file_priv, &bin->base,
> v3d_job_free, args->in_sync_bcl);
> if (ret) {
> - kfree(bin);
> v3d_job_put(&render->base);
> kfree(bin);
> return ret;
> --
> 2.20.1
>

--
Daniel Vetter
Software Engineer, Intel Corporation
http://blog.ffwll.ch

2019-10-25 11:39:03

by Daniel Vetter

[permalink] [raw]
Subject: Re: [PATCH][next] drm/v3d: fix double free of bin

On Thu, Oct 24, 2019 at 2:43 PM Colin Ian King <[email protected]> wrote:
>
> On 24/10/2019 13:38, Daniel Vetter wrote:
> > On Thu, Oct 24, 2019 at 11:48:01AM +0100, Colin King wrote:
> >> From: Colin Ian King <[email protected]>
> >>
> >> Two different fixes have addressed the same memory leak of bin and
> >> this now causes a double free of bin. While the individual memory
> >> leak fixes are fine, both fixes together are problematic.
> >>
> >> Addresses-Coverity: ("Double free")
> >> Fixes: 29cd13cfd762 ("drm/v3d: Fix memory leak in v3d_submit_cl_ioctl")
> >> Fixes: 0d352a3a8a1f (" rm/v3d: don't leak bin job if v3d_job_init fails.")
> >> Signed-off-by: Colin Ian King <[email protected]>
> >
> > That sounds like wrong merge resolution somewhere, and we don't have those
> > patches merged together in any final tree yet anywhere. What's this based
> > on?
> > -Daniel
>
> linux-next

Ok adding Stephen. There's a merge conflict between drm-misc-fixes and
drm-next (I think) and the merge double-added the kfree(bin). See
above for the relevant sha1. Dave is already on here as a heads-up,
but also adding drm-misc maintainers.

Cheers, Daniel

>
> Colin
> >
> >> ---
> >> drivers/gpu/drm/v3d/v3d_gem.c | 1 -
> >> 1 file changed, 1 deletion(-)
> >>
> >> diff --git a/drivers/gpu/drm/v3d/v3d_gem.c b/drivers/gpu/drm/v3d/v3d_gem.c
> >> index 549dde83408b..37515e47b47e 100644
> >> --- a/drivers/gpu/drm/v3d/v3d_gem.c
> >> +++ b/drivers/gpu/drm/v3d/v3d_gem.c
> >> @@ -568,7 +568,6 @@ v3d_submit_cl_ioctl(struct drm_device *dev, void *data,
> >> ret = v3d_job_init(v3d, file_priv, &bin->base,
> >> v3d_job_free, args->in_sync_bcl);
> >> if (ret) {
> >> - kfree(bin);
> >> v3d_job_put(&render->base);
> >> kfree(bin);
> >> return ret;
> >> --
> >> 2.20.1
> >>
> >
>
> _______________________________________________
> dri-devel mailing list
> [email protected]
> https://lists.freedesktop.org/mailman/listinfo/dri-devel



--
Daniel Vetter
Software Engineer, Intel Corporation
+41 (0) 79 365 57 48 - http://blog.ffwll.ch

2019-10-25 13:34:50

by Colin King

[permalink] [raw]
Subject: Re: [PATCH][next] drm/v3d: fix double free of bin

On 24/10/2019 13:38, Daniel Vetter wrote:
> On Thu, Oct 24, 2019 at 11:48:01AM +0100, Colin King wrote:
>> From: Colin Ian King <[email protected]>
>>
>> Two different fixes have addressed the same memory leak of bin and
>> this now causes a double free of bin. While the individual memory
>> leak fixes are fine, both fixes together are problematic.
>>
>> Addresses-Coverity: ("Double free")
>> Fixes: 29cd13cfd762 ("drm/v3d: Fix memory leak in v3d_submit_cl_ioctl")
>> Fixes: 0d352a3a8a1f (" rm/v3d: don't leak bin job if v3d_job_init fails.")
>> Signed-off-by: Colin Ian King <[email protected]>
>
> That sounds like wrong merge resolution somewhere, and we don't have those
> patches merged together in any final tree yet anywhere. What's this based
> on?
> -Daniel

linux-next

Colin
>
>> ---
>> drivers/gpu/drm/v3d/v3d_gem.c | 1 -
>> 1 file changed, 1 deletion(-)
>>
>> diff --git a/drivers/gpu/drm/v3d/v3d_gem.c b/drivers/gpu/drm/v3d/v3d_gem.c
>> index 549dde83408b..37515e47b47e 100644
>> --- a/drivers/gpu/drm/v3d/v3d_gem.c
>> +++ b/drivers/gpu/drm/v3d/v3d_gem.c
>> @@ -568,7 +568,6 @@ v3d_submit_cl_ioctl(struct drm_device *dev, void *data,
>> ret = v3d_job_init(v3d, file_priv, &bin->base,
>> v3d_job_free, args->in_sync_bcl);
>> if (ret) {
>> - kfree(bin);
>> v3d_job_put(&render->base);
>> kfree(bin);
>> return ret;
>> --
>> 2.20.1
>>
>

2019-10-25 19:03:15

by Stephen Rothwell

[permalink] [raw]
Subject: Re: [PATCH][next] drm/v3d: fix double free of bin

Hi all,

On Thu, 24 Oct 2019 14:49:36 +0200 Daniel Vetter <[email protected]> wrote:
>
> Ok adding Stephen. There's a merge conflict between drm-misc-fixes and
> drm-next (I think) and the merge double-added the kfree(bin). See
> above for the relevant sha1. Dave is already on here as a heads-up,
> but also adding drm-misc maintainers.
>
> > >> ---
> > >> drivers/gpu/drm/v3d/v3d_gem.c | 1 -
> > >> 1 file changed, 1 deletion(-)
> > >>
> > >> diff --git a/drivers/gpu/drm/v3d/v3d_gem.c b/drivers/gpu/drm/v3d/v3d_gem.c
> > >> index 549dde83408b..37515e47b47e 100644
> > >> --- a/drivers/gpu/drm/v3d/v3d_gem.c
> > >> +++ b/drivers/gpu/drm/v3d/v3d_gem.c
> > >> @@ -568,7 +568,6 @@ v3d_submit_cl_ioctl(struct drm_device *dev, void *data,
> > >> ret = v3d_job_init(v3d, file_priv, &bin->base,
> > >> v3d_job_free, args->in_sync_bcl);
> > >> if (ret) {
> > >> - kfree(bin);
> > >> v3d_job_put(&render->base);
> > >> kfree(bin);
> > >> return ret;

I will add this as a merge fixup until drm-misc-fixes is merged into
the drm tree.

--
Cheers,
Stephen Rothwell


Attachments:
(No filename) (499.00 B)
OpenPGP digital signature

2019-10-25 20:01:45

by Dan Carpenter

[permalink] [raw]
Subject: Re: [PATCH][next] drm/v3d: fix double free of bin

On Thu, Oct 24, 2019 at 02:38:53PM +0200, Daniel Vetter wrote:
> On Thu, Oct 24, 2019 at 11:48:01AM +0100, Colin King wrote:
> > From: Colin Ian King <[email protected]>
> >
> > Two different fixes have addressed the same memory leak of bin and
> > this now causes a double free of bin. While the individual memory
> > leak fixes are fine, both fixes together are problematic.
> >
> > Addresses-Coverity: ("Double free")
> > Fixes: 29cd13cfd762 ("drm/v3d: Fix memory leak in v3d_submit_cl_ioctl")
> > Fixes: 0d352a3a8a1f (" rm/v3d: don't leak bin job if v3d_job_init fails.")
> > Signed-off-by: Colin Ian King <[email protected]>
>
> That sounds like wrong merge resolution somewhere, and we don't have those
> patches merged together in any final tree yet anywhere. What's this based
> on?
> -Daniel

linux-next.

I sent this fix to you and Stephen Rothwell yesterday so this one is
sorted already. Stephen will apply my patch until you guys merge your
drm trees.

regards,
dan carpenter