Received: by 2002:a05:6a10:5bc5:0:0:0:0 with SMTP id os5csp368483pxb; Sat, 9 Oct 2021 23:44:33 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxqGbw+h+DCCMjaIEyWiXEGxlzCp9xoDjqyaknZyvZSWC+UJz26zjCIrgOkw6OIi+6dHK84 X-Received: by 2002:a17:906:d96a:: with SMTP id rp10mr16854094ejb.497.1633848273576; Sat, 09 Oct 2021 23:44:33 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1633848273; cv=none; d=google.com; s=arc-20160816; b=G+ePUXalmgZ76x2qV7vZr+T602C70i5etbP/c6eNnf8YyZZ/LCTMg6om+JVGOCjRYO HGFbPL5guW5F9sJNtYQjKwR847S0dhlRNLLgnC+ZbjjMEwaobLTAsLlPlKy/GjwAmlpH EcamqSyTzrcLNL5NuNDCH7tgA9eFz8HGjqLiI4g64CaSUACfsNppGzrMKjhmrgZGfztK qy+0tle5aYEKx6SkdUejHD69K+7yN1ASKaLkK+Ayu0A2C0w1KttDrKF8b1EUEzBu7CJU WcPcuprdaHrD4ktj/isgS+ExIfV8XvTAE+zpByXWJI0+CJMie99LKGtEr9jTcSB9ktif zROg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:message-id:date:subject:cc:to:from :dkim-signature; bh=/fo+SL59BqhBp8OwXWZaQWCV9nYu75S/chQz3wujueI=; b=V+p4MA5uxquwYUQge7YEMiyJNpPFoUl7KzLxLLW7G3KWGlbKB4VU1m8q356EI4V6md KnxWVO6yEb+FS35eKJ/XXfuo/VFd7zeP8ITpCKXKEqxCOOu4eXupzqx4EUTa34OJxKwt zSgq9b5ckvNYnNPVwOaa0/gcwEaJX9erxC+W2zSt7rgV3KwH00VKCsjgw0FQLp4VTLk6 D41bkOvad5fC0GwyXls8WKRQcNz8SrUhilcAAquTVXeY8pplCREcXyeaQeYnoBadRwC8 P9lR8C4jCg9zyZy0GTYGZOAqgC4ihPPzFc5uBVVl5kvOQNazzGPo+RNjFc/hXFoDkj5Z LsEw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=ZgFYjNHV; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id c4si7010108ejc.492.2021.10.09.23.44.07; Sat, 09 Oct 2021 23:44:33 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=ZgFYjNHV; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229697AbhJJGoo (ORCPT + 99 others); Sun, 10 Oct 2021 02:44:44 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44976 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229840AbhJJGol (ORCPT ); Sun, 10 Oct 2021 02:44:41 -0400 Received: from mail-pf1-x432.google.com (mail-pf1-x432.google.com [IPv6:2607:f8b0:4864:20::432]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 50033C061570; Sat, 9 Oct 2021 23:42:43 -0700 (PDT) Received: by mail-pf1-x432.google.com with SMTP id 187so11897504pfc.10; Sat, 09 Oct 2021 23:42:43 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=from:to:cc:subject:date:message-id; bh=/fo+SL59BqhBp8OwXWZaQWCV9nYu75S/chQz3wujueI=; b=ZgFYjNHVIn8b1F/37R31LzGFz1t2iuolTYtbKonSY1vvYElgPlb7XncvrVoW1UFuYr T4Nv+62Z7y7ERSUpvHvmin3wIn0BJBNNi3eyGIDKBKXaCceSo6JwIVjDceZDT9QqI9px hz50DraMhIGWlN3GDw8gKAF3L85GQQVoCbcOlQ+dFcaBlLF9BeNs8g7Ggy53+CTou91u qmKZq2u35eDB5Q3XwclmRRluSqlYasoJ0GooeEAucKSPcFW7zg/mbhqFcegXURHa48xp iKWHx5FqYz2UquuiItB5fRLtFKRS6bU726w7v1ngB7UYuenYClbSSBGyAghjBGvfXRO8 OpHQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=/fo+SL59BqhBp8OwXWZaQWCV9nYu75S/chQz3wujueI=; b=0HiQ5L38skp83VFyDFIwYBC/vX50xJ155Ngw+ZzKSsEHbBQVwsdWZJCxFi9Rs4und4 lec/QKWtGUoKdaW7Nv7gimbOI38Vytpum6M+OpYskCBN8WQHFrLwRcVBbJX8qKKlHvff IFh4kSXJvp09RSgCl/rJhXOjeD8mTOWcsT1Lq6iBiiW192va8ssFF9AmQXQzSETA1Dcf Sx9bMUCXg2NROSR2v6BS2TgBON2Ta0F+SYA218PL49Vjn5OLVpNu7CZnsKzJKQy+0pTk W807EeNmZJhlwvtQuJGzUUFxwXEeRLe0IQAJz3qcqQFb0QwQr6vt5kJZzlBhqscTYFWm Fp1A== X-Gm-Message-State: AOAM530Z7ULJ8OI0h9GyXJCM1+b0lY6cq5whZ8m5WGONlb/6QoJfK4o3 vyqTnRiYj2VfpJIcxbkm8Q== X-Received: by 2002:a63:7746:: with SMTP id s67mr2983525pgc.225.1633848162816; Sat, 09 Oct 2021 23:42:42 -0700 (PDT) Received: from vultr.guest ([107.191.53.97]) by smtp.gmail.com with ESMTPSA id t3sm2553823pgu.87.2021.10.09.23.42.41 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Sat, 09 Oct 2021 23:42:42 -0700 (PDT) From: Zheyu Ma To: dri-devel@lists.freedesktop.org Cc: linux-fbdev@vger.kernel.org, linux-kernel@vger.kernel.org, Zheyu Ma Subject: [PATCH 2/2] fbdev: fbmem: Fix double free of 'fb_info->pixmap.addr' Date: Sun, 10 Oct 2021 06:42:28 +0000 Message-Id: <1633848148-29747-1-git-send-email-zheyuma97@gmail.com> X-Mailer: git-send-email 2.7.4 Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org savagefb and some other drivers call kfree to free 'info->pixmap.addr' even after calling unregister_framebuffer, which may cause double free. Fix this by setting 'fb_info->pixmap.addr' to NULL after kfree in unregister_framebuffer. The following log reveals it: [ 37.318872] BUG: KASAN: double-free or invalid-free in kfree+0x13e/0x290 [ 37.319369] [ 37.320803] Call Trace: [ 37.320992] dump_stack_lvl+0xa8/0xd1 [ 37.321274] print_address_description+0x87/0x3b0 [ 37.321632] ? kfree+0x13e/0x290 [ 37.321879] ? kfree+0x13e/0x290 [ 37.322126] ? kfree+0x13e/0x290 [ 37.322374] kasan_report_invalid_free+0x58/0x90 [ 37.322724] ____kasan_slab_free+0x123/0x140 [ 37.323049] __kasan_slab_free+0x11/0x20 [ 37.323347] slab_free_freelist_hook+0x81/0x150 [ 37.323689] ? savagefb_remove+0xa1/0xc0 [savagefb] [ 37.324066] kfree+0x13e/0x290 [ 37.324304] savagefb_remove+0xa1/0xc0 [savagefb] [ 37.324655] pci_device_remove+0xa9/0x250 [ 37.324959] ? pci_device_probe+0x7d0/0x7d0 [ 37.325273] device_release_driver_internal+0x4f7/0x7a0 [ 37.325666] driver_detach+0x1e8/0x2c0 [ 37.325952] bus_remove_driver+0x134/0x290 [ 37.326262] ? sysfs_remove_groups+0x97/0xb0 [ 37.326584] driver_unregister+0x77/0xa0 [ 37.326883] pci_unregister_driver+0x2c/0x1c0 [ 37.336124] [ 37.336245] Allocated by task 5465: [ 37.336507] ____kasan_kmalloc+0xb5/0xe0 [ 37.336801] __kasan_kmalloc+0x9/0x10 [ 37.337069] kmem_cache_alloc_trace+0x12b/0x220 [ 37.337405] register_framebuffer+0x3f3/0xa00 [ 37.337731] foo_register_framebuffer+0x3b/0x50 [savagefb] [ 37.338136] [ 37.338255] Freed by task 5475: [ 37.338492] kasan_set_track+0x3d/0x70 [ 37.338774] kasan_set_free_info+0x23/0x40 [ 37.339081] ____kasan_slab_free+0x10b/0x140 [ 37.339399] __kasan_slab_free+0x11/0x20 [ 37.339694] slab_free_freelist_hook+0x81/0x150 [ 37.340034] kfree+0x13e/0x290 [ 37.340267] do_unregister_framebuffer+0x21c/0x3d0 [ 37.340624] unregister_framebuffer+0x23/0x40 [ 37.340950] savagefb_remove+0x45/0xc0 [savagefb] [ 37.341302] pci_device_remove+0xa9/0x250 [ 37.341603] device_release_driver_internal+0x4f7/0x7a0 [ 37.341990] driver_detach+0x1e8/0x2c0 [ 37.342272] bus_remove_driver+0x134/0x290 [ 37.342577] driver_unregister+0x77/0xa0 [ 37.342873] pci_unregister_driver+0x2c/0x1c0 [ 37.343196] cleanup_module+0x15/0x1c [savagefb] [ 37.343543] __se_sys_delete_module+0x398/0x490 [ 37.343881] __x64_sys_delete_module+0x56/0x60 [ 37.344221] do_syscall_64+0x4d/0xc0 [ 37.344492] entry_SYSCALL_64_after_hwframe+0x44/0xae Signed-off-by: Zheyu Ma --- drivers/video/fbdev/core/fbmem.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c index 7420d2c16e47..b81b0e37daed 100644 --- a/drivers/video/fbdev/core/fbmem.c +++ b/drivers/video/fbdev/core/fbmem.c @@ -1702,8 +1702,10 @@ static void do_unregister_framebuffer(struct fb_info *fb_info) { unlink_framebuffer(fb_info); if (fb_info->pixmap.addr && - (fb_info->pixmap.flags & FB_PIXMAP_DEFAULT)) + (fb_info->pixmap.flags & FB_PIXMAP_DEFAULT)) { kfree(fb_info->pixmap.addr); + fb_info->pixmap.addr = NULL; + } fb_destroy_modelist(&fb_info->modelist); registered_fb[fb_info->node] = NULL; num_registered_fb--; -- 2.17.6