[next] drm/v3d: fix double free of bin

Message ID	20191024104801.3122-1-colin.king@canonical.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <SRS0=RtGS=YR=lists.freedesktop.org=dri-devel-bounces@kernel.org> DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 3438020856 From: Colin King <colin.king@canonical.com> To: Eric Anholt <eric@anholt.net>, David Airlie <airlied@linux.ie>, Daniel Vetter <daniel.vetter@ffwll.ch>, Navid Emamdoost <navid.emamdoost@gmail.com>, Iago Toral Quiroga <itoral@igalia.com>, dri-devel@lists.freedesktop.org Subject: [PATCH][next] drm/v3d: fix double free of bin Date: Thu, 24 Oct 2019 11:48:01 +0100 Message-Id: <20191024104801.3122-1-colin.king@canonical.com> MIME-Version: 1.0 Precedence: list Cc: kernel-janitors@vger.kernel.org, linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Errors-To: dri-devel-bounces@lists.freedesktop.org Sender: "dri-devel" <dri-devel-bounces@lists.freedesktop.org>
Series	[next] drm/v3d: fix double free of bin \| expand [next] drm/v3d: fix double free of bin

Colin King Oct. 24, 2019, 10:48 a.m. UTC

From: Colin Ian King <colin.king@canonical.com>

Two different fixes have addressed the same memory leak of bin and
this now causes a double free of bin.  While the individual memory
leak fixes are fine, both fixes together are problematic.

Addresses-Coverity: ("Double free")
Fixes: 29cd13cfd762 ("drm/v3d: Fix memory leak in v3d_submit_cl_ioctl")
Fixes: 0d352a3a8a1f (" rm/v3d: don't leak bin job if v3d_job_init fails.")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
---
 drivers/gpu/drm/v3d/v3d_gem.c | 1 -
 1 file changed, 1 deletion(-)

Daniel Vetter Oct. 24, 2019, 12:38 p.m. UTC | #1

On Thu, Oct 24, 2019 at 11:48:01AM +0100, Colin King wrote:
> From: Colin Ian King <colin.king@canonical.com>
> 
> Two different fixes have addressed the same memory leak of bin and
> this now causes a double free of bin.  While the individual memory
> leak fixes are fine, both fixes together are problematic.
> 
> Addresses-Coverity: ("Double free")
> Fixes: 29cd13cfd762 ("drm/v3d: Fix memory leak in v3d_submit_cl_ioctl")
> Fixes: 0d352a3a8a1f (" rm/v3d: don't leak bin job if v3d_job_init fails.")
> Signed-off-by: Colin Ian King <colin.king@canonical.com>

That sounds like wrong merge resolution somewhere, and we don't have those
patches merged together in any final tree yet anywhere. What's this based
on?
-Daniel

> ---
>  drivers/gpu/drm/v3d/v3d_gem.c | 1 -
>  1 file changed, 1 deletion(-)
> 
> diff --git a/drivers/gpu/drm/v3d/v3d_gem.c b/drivers/gpu/drm/v3d/v3d_gem.c
> index 549dde83408b..37515e47b47e 100644
> --- a/drivers/gpu/drm/v3d/v3d_gem.c
> +++ b/drivers/gpu/drm/v3d/v3d_gem.c
> @@ -568,7 +568,6 @@ v3d_submit_cl_ioctl(struct drm_device *dev, void *data,
>  		ret = v3d_job_init(v3d, file_priv, &bin->base,
>  				   v3d_job_free, args->in_sync_bcl);
>  		if (ret) {
> -			kfree(bin);
>  			v3d_job_put(&render->base);
>  			kfree(bin);
>  			return ret;
> -- 
> 2.20.1
>

Colin King Oct. 24, 2019, 12:43 p.m. UTC | #2

On 24/10/2019 13:38, Daniel Vetter wrote:
> On Thu, Oct 24, 2019 at 11:48:01AM +0100, Colin King wrote:
>> From: Colin Ian King <colin.king@canonical.com>
>>
>> Two different fixes have addressed the same memory leak of bin and
>> this now causes a double free of bin.  While the individual memory
>> leak fixes are fine, both fixes together are problematic.
>>
>> Addresses-Coverity: ("Double free")
>> Fixes: 29cd13cfd762 ("drm/v3d: Fix memory leak in v3d_submit_cl_ioctl")
>> Fixes: 0d352a3a8a1f (" rm/v3d: don't leak bin job if v3d_job_init fails.")
>> Signed-off-by: Colin Ian King <colin.king@canonical.com>
> 
> That sounds like wrong merge resolution somewhere, and we don't have those
> patches merged together in any final tree yet anywhere. What's this based
> on?
> -Daniel

linux-next

Colin
> 
>> ---
>>  drivers/gpu/drm/v3d/v3d_gem.c | 1 -
>>  1 file changed, 1 deletion(-)
>>
>> diff --git a/drivers/gpu/drm/v3d/v3d_gem.c b/drivers/gpu/drm/v3d/v3d_gem.c
>> index 549dde83408b..37515e47b47e 100644
>> --- a/drivers/gpu/drm/v3d/v3d_gem.c
>> +++ b/drivers/gpu/drm/v3d/v3d_gem.c
>> @@ -568,7 +568,6 @@ v3d_submit_cl_ioctl(struct drm_device *dev, void *data,
>>  		ret = v3d_job_init(v3d, file_priv, &bin->base,
>>  				   v3d_job_free, args->in_sync_bcl);
>>  		if (ret) {
>> -			kfree(bin);
>>  			v3d_job_put(&render->base);
>>  			kfree(bin);
>>  			return ret;
>> -- 
>> 2.20.1
>>
>

Daniel Vetter Oct. 24, 2019, 12:49 p.m. UTC | #3

On Thu, Oct 24, 2019 at 2:43 PM Colin Ian King <colin.king@canonical.com> wrote:
>
> On 24/10/2019 13:38, Daniel Vetter wrote:
> > On Thu, Oct 24, 2019 at 11:48:01AM +0100, Colin King wrote:
> >> From: Colin Ian King <colin.king@canonical.com>
> >>
> >> Two different fixes have addressed the same memory leak of bin and
> >> this now causes a double free of bin.  While the individual memory
> >> leak fixes are fine, both fixes together are problematic.
> >>
> >> Addresses-Coverity: ("Double free")
> >> Fixes: 29cd13cfd762 ("drm/v3d: Fix memory leak in v3d_submit_cl_ioctl")
> >> Fixes: 0d352a3a8a1f (" rm/v3d: don't leak bin job if v3d_job_init fails.")
> >> Signed-off-by: Colin Ian King <colin.king@canonical.com>
> >
> > That sounds like wrong merge resolution somewhere, and we don't have those
> > patches merged together in any final tree yet anywhere. What's this based
> > on?
> > -Daniel
>
> linux-next

Ok adding Stephen. There's a merge conflict between drm-misc-fixes and
drm-next (I think) and the merge double-added the kfree(bin). See
above for the relevant sha1. Dave is already on here as a heads-up,
but also adding drm-misc maintainers.

Cheers, Daniel

>
> Colin
> >
> >> ---
> >>  drivers/gpu/drm/v3d/v3d_gem.c | 1 -
> >>  1 file changed, 1 deletion(-)
> >>
> >> diff --git a/drivers/gpu/drm/v3d/v3d_gem.c b/drivers/gpu/drm/v3d/v3d_gem.c
> >> index 549dde83408b..37515e47b47e 100644
> >> --- a/drivers/gpu/drm/v3d/v3d_gem.c
> >> +++ b/drivers/gpu/drm/v3d/v3d_gem.c
> >> @@ -568,7 +568,6 @@ v3d_submit_cl_ioctl(struct drm_device *dev, void *data,
> >>              ret = v3d_job_init(v3d, file_priv, &bin->base,
> >>                                 v3d_job_free, args->in_sync_bcl);
> >>              if (ret) {
> >> -                    kfree(bin);
> >>                      v3d_job_put(&render->base);
> >>                      kfree(bin);
> >>                      return ret;
> >> --
> >> 2.20.1
> >>
> >
>
> _______________________________________________
> dri-devel mailing list
> dri-devel@lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/dri-devel

Stephen Rothwell Oct. 24, 2019, 7:51 p.m. UTC | #4

Hi all,

On Thu, 24 Oct 2019 14:49:36 +0200 Daniel Vetter <daniel@ffwll.ch> wrote:
>
> Ok adding Stephen. There's a merge conflict between drm-misc-fixes and
> drm-next (I think) and the merge double-added the kfree(bin). See
> above for the relevant sha1. Dave is already on here as a heads-up,
> but also adding drm-misc maintainers.
> 
> > >> ---
> > >>  drivers/gpu/drm/v3d/v3d_gem.c | 1 -
> > >>  1 file changed, 1 deletion(-)
> > >>
> > >> diff --git a/drivers/gpu/drm/v3d/v3d_gem.c b/drivers/gpu/drm/v3d/v3d_gem.c
> > >> index 549dde83408b..37515e47b47e 100644
> > >> --- a/drivers/gpu/drm/v3d/v3d_gem.c
> > >> +++ b/drivers/gpu/drm/v3d/v3d_gem.c
> > >> @@ -568,7 +568,6 @@ v3d_submit_cl_ioctl(struct drm_device *dev, void *data,
> > >>              ret = v3d_job_init(v3d, file_priv, &bin->base,
> > >>                                 v3d_job_free, args->in_sync_bcl);
> > >>              if (ret) {
> > >> -                    kfree(bin);
> > >>                      v3d_job_put(&render->base);
> > >>                      kfree(bin);
> > >>                      return ret;

I will add this as a merge fixup until drm-misc-fixes is merged into
the drm tree.

Dan Carpenter Oct. 25, 2019, 11:58 a.m. UTC | #5

On Thu, Oct 24, 2019 at 02:38:53PM +0200, Daniel Vetter wrote:
> On Thu, Oct 24, 2019 at 11:48:01AM +0100, Colin King wrote:
> > From: Colin Ian King <colin.king@canonical.com>
> > 
> > Two different fixes have addressed the same memory leak of bin and
> > this now causes a double free of bin.  While the individual memory
> > leak fixes are fine, both fixes together are problematic.
> > 
> > Addresses-Coverity: ("Double free")
> > Fixes: 29cd13cfd762 ("drm/v3d: Fix memory leak in v3d_submit_cl_ioctl")
> > Fixes: 0d352a3a8a1f (" rm/v3d: don't leak bin job if v3d_job_init fails.")
> > Signed-off-by: Colin Ian King <colin.king@canonical.com>
> 
> That sounds like wrong merge resolution somewhere, and we don't have those
> patches merged together in any final tree yet anywhere. What's this based
> on?
> -Daniel

linux-next.

I sent this fix to you and Stephen Rothwell yesterday so this one is
sorted already.  Stephen will apply my patch until you guys merge your
drm trees.

regards,
dan carpenter

[next] drm/v3d: fix double free of bin

Commit Message

Comments

Patch