Date: Wed, 8 Aug 2018 15:23:20 +0800
From: Zhenyu Wang
To: Yi Wang
Cc: zhi.a.wang@intel.com, jani.nikula@linux.intel.com, joonas.lahtinen@linux.intel.com, rodrigo.vivi@intel.com, airlied@linux.ie, intel-gvt-dev@lists.freedesktop.org, intel-gfx@lists.freedesktop.org, dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org, jiang.biao2@zte.com.cn, zhong.weidong@zte.com.cn
Subject: Re: [PATCH] drm/i915/gvt: fix memory leak in intel_vgpu_ioctl()
Message-ID: <20180808072320.GP22630@zhen-hp.sh.intel.com>
In-Reply-To: <1533256879-10220-1-git-send-email-wang.yi59@zte.com.cn>

On 2018.08.03 08:41:19 +0800, Yi Wang wrote:
> The 'sparse' variable may leak when return in function
> intel_vgpu_ioctl(), and this patch fixes this.
>
> Signed-off-by: Yi Wang
> Reviewed-by: Jiang Biao
> ---
> drivers/gpu/drm/i915/gvt/kvmgt.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/gpu/drm/i915/gvt/kvmgt.c b/drivers/gpu/drm/i915/gvt/= kvmgt.c > index df4e4a0..6a6f199 100644 > --- a/drivers/gpu/drm/i915/gvt/kvmgt.c > +++ b/drivers/gpu/drm/i915/gvt/kvmgt.c > @@ -1200,6 +1200,7 @@ static long intel_vgpu_ioctl(struct mdev_device *md= ev, unsigned int cmd, > return ret; > break; > default: > + kfree(sparse); > return -EINVAL; > } > } > @@ -1215,6 +1216,7 @@ static long intel_vgpu_ioctl(struct mdev_device *md= ev, unsigned int cmd, > sizeof(info), caps.buf, > caps.size)) { > kfree(caps.buf); > + kfree(sparse); > return -EFAULT; > } > info.cap_offset =3D sizeof(info); 
> @@ -1223,6 +1225,7 @@ static long intel_vgpu_ioctl(struct mdev_device *md= ev, unsigned int cmd, > kfree(caps.buf); > } > =20 > + kfree(sparse);

Unfortunately this would cause a double-free error in normal path, as we tried to free sparse after use to add caps. So may be better to fix free in error path and move normal free of sparse in final point, e.g

diff --git a/drivers/gpu/drm/i915/gvt/kvmgt.c b/drivers/gpu/drm/i915/gvt/kv= mgt.c index 68df9aa88890..47b897b6ea93 100644 --- a/drivers/gpu/drm/i915/gvt/kvmgt.c +++ b/drivers/gpu/drm/i915/gvt/kvmgt.c @@ -1257,11 +1257,13 @@ static long intel_vgpu_ioctl(struct mdev_device *md= ev, unsigned int cmd, &sparse->header, sizeof(*sparse) + (sparse->nr_areas * sizeof(*sparse->areas))); - kfree(sparse); - if (ret) + if (ret) { + kfree(sparse); return ret; + } break; default: + kfree(sparse); return -EINVAL; } } @@ -1277,6 +1279,7 @@ static long intel_vgpu_ioctl(struct mdev_device *mdev= , unsigned int cmd, sizeof(info), caps.buf, caps.size)) { kfree(caps.buf); + kfree(sparse); return -EFAULT; } info.cap_offset =3D sizeof(info); @@ -1285,6 +1288,7 @@ static long intel_vgpu_ioctl(struct mdev_device *mdev= , unsigned int cmd, kfree(caps.buf); } =20 + kfree(sparse); return copy_to_user((void __user *)arg, &info, minsz) ? -EFAULT : 0; } else if (cmd =3D=3D VFIO_DEVICE_GET_IRQ_INFO) {

--
Open Source Technology Center, Intel ltd.

$gpg --keyserver wwwkeys.pgp.net --recv-keys 4D781827
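
Review bot: the kfree(sparse) added on the -EFAULT path in the second hunk of the quoted patch (@@ -1215,6 +1216,7) is also a double free, not only the trailing one in its third hunk. The follow-up diff shows the pre-existing "kfree(sparse);" directly after the call that consumes &sparse->header, inside the switch that precedes this error path, so by the time the copy of caps.buf fails the pointer is already dangling. That hunk is only correct together with removing the early free, as the follow-up diff does; if the early free were kept instead, it would need "sparse = NULL;" after it so the later kfree() calls become no-ops.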
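
Review bot: in the first hunk of the follow-up diff (@@ -1257,11 +1257,13) the buffer now stays live past the switch, and the diff as a whole ends up with four separate kfree(sparse) exits ("if (ret)", "default:", the -EFAULT path and the final return) that must be kept in sync by hand. Any early return added later between the switch and the final free reintroduces the leak. Consider routing the error paths through a single cleanup point, storing the error in ret and freeing sparse once before returning, so that ownership of the allocation is visible in one place.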
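
Review bot: the final kfree(sparse) in the last hunk of the follow-up diff (@@ -1285,6 +1288,7) sits after the closing brace of the caps block, so it runs unconditionally, including for requests that never allocated a sparse area. kfree(NULL) is a no-op, so this is safe only if sparse is initialised to NULL at its declaration and is not left pointing at freed memory on any path that reaches here; the declaration is not visible in these hunks, so please confirm it and say so in the commit message when this is sent as a proper patch.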