From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Dan Carpenter, Thomas Hellstrom
Subject: [PATCH 4.9 04/14] drm/vmwgfx: Fix double free in vmw_recv_msg()
Date: Fri, 13 Sep 2019 14:06:57 +0100
Message-Id: <20190913130443.808362056@linuxfoundation.org>
X-Mailer: git-send-email 2.23.0
In-Reply-To: <20190913130440.264749443@linuxfoundation.org>
References: <20190913130440.264749443@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Dan Carpenter

commit 08b0c891605acf727e43e3e03a25857d3e789b61 upstream.

We recently added a kfree() after the end of the loop:

	if (retries == RETRIES) {
		kfree(reply);
		return -EINVAL;
	}

There are two problems. First the test is wrong and because retries
equals RETRIES if we succeed on the last iteration through the loop.
Second if we fail on the last iteration through the loop then the kfree
is a double free.

When you're reading this code, please note the break statement at the
end of the while loop. This patch changes the loop so that if it's not
successful then "reply" is NULL and we can test for that afterward.

Cc:
Fixes: 6b7c3b86f0b6 ("drm/vmwgfx: fix memory leak when too many retries have occurred")
Signed-off-by: Dan Carpenter
Reviewed-by: Thomas Hellstrom
Signed-off-by: Thomas Hellstrom
Signed-off-by: Greg Kroah-Hartman
---
 drivers/gpu/drm/vmwgfx/vmwgfx_msg.c | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

--- a/drivers/gpu/drm/vmwgfx/vmwgfx_msg.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_msg.c @@ -264,7 +264,7 @@ static int vmw_recv_msg(struct rpc_chann if ((HIGH_WORD(ebx) & MESSAGE_STATUS_SUCCESS) == 0) { kfree(reply); - + reply = NULL; if ((HIGH_WORD(ebx) & MESSAGE_STATUS_CPT) != 0) { /* A checkpoint occurred. Retry. */ continue; 
@@ -288,7 +288,7 @@ static int vmw_recv_msg(struct rpc_chann if ((HIGH_WORD(ecx) & MESSAGE_STATUS_SUCCESS) == 0) { kfree(reply); - + reply = NULL; if ((HIGH_WORD(ecx) & MESSAGE_STATUS_CPT) != 0) { /* A checkpoint occurred. Retry. */ continue; @@ -300,10 +300,8 @@ static int vmw_recv_msg(struct rpc_chann break; } - if (retries == RETRIES) { - kfree(reply); + if (!reply) return -EINVAL; - } *msg_len = reply_len; *msg = reply;
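
Review bot: in the @@ -264 hunk (and identically in the @@ -288 hunk for the ecx status), the reset "reply = NULL;" that follows "kfree(reply);" is what the later "if (!reply)" test relies on, but nothing at either site says so. A one-line comment stating that the post-loop check depends on the pointer being cleared would keep a later cleanup from dropping the assignment as a dead store and reintroducing the dangling pointer. The assignment also takes the place of the blank line that separated the free from the MESSAGE_STATUS_CPT test; keeping a blank line after it would preserve the original spacing.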
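
Review bot: in the @@ -300 hunk, "if (!reply) return -EINVAL;" is correct only if reply is NULL on every path that leaves the loop without a successful receive. The two failure branches in this patch clear it, but the declaration of reply and any other continue in the loop body are outside the visible context. Initialising reply to NULL where it is declared would make the test hold by construction rather than by inspection of each branch, and would also cover the case where the loop body never assigns it.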