[next] drm/dp_mst: fix multiple frees of tx->bytes

Message ID	20191120173509.347490-1-colin.king@canonical.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <SRS0=gKce=ZM=lists.freedesktop.org=dri-devel-bounces@kernel.org> DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org CE8D62088F From: Colin King <colin.king@canonical.com> To: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>, Maxime Ripard <mripard@kernel.org>, Sean Paul <sean@poorly.run>, David Airlie <airlied@linux.ie>, Daniel Vetter <daniel.vetter@ffwll.ch>, Lyude Paul <lyude@redhat.com>, dri-devel@lists.freedesktop.org Subject: [PATCH][next] drm/dp_mst: fix multiple frees of tx->bytes Date: Wed, 20 Nov 2019 17:35:09 +0000 Message-Id: <20191120173509.347490-1-colin.king@canonical.com> MIME-Version: 1.0 Precedence: list Cc: kernel-janitors@vger.kernel.org, linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Errors-To: dri-devel-bounces@lists.freedesktop.org Sender: "dri-devel" <dri-devel-bounces@lists.freedesktop.org>
Series	[next] drm/dp_mst: fix multiple frees of tx->bytes \| expand [next] drm/dp_mst: fix multiple frees of tx->bytes

Message ID

20191120173509.347490-1-colin.king@canonical.com (mailing list archive)

State

New, archived

Headers

DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org CE8D62088F
From: Colin King <colin.king@canonical.com>
To: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>,
 Maxime Ripard <mripard@kernel.org>, Sean Paul <sean@poorly.run>,
 David Airlie <airlied@linux.ie>, Daniel Vetter <daniel.vetter@ffwll.ch>,
 Lyude Paul <lyude@redhat.com>, dri-devel@lists.freedesktop.org
Subject: [PATCH][next] drm/dp_mst: fix multiple frees of tx->bytes
Date: Wed, 20 Nov 2019 17:35:09 +0000
Message-Id: <20191120173509.347490-1-colin.king@canonical.com>
MIME-Version: 1.0
Precedence: list
Cc: kernel-janitors@vger.kernel.org, linux-kernel@vger.kernel.org
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Errors-To: dri-devel-bounces@lists.freedesktop.org
Sender: "dri-devel" <dri-devel-bounces@lists.freedesktop.org>

Series

[next] drm/dp_mst: fix multiple frees of tx->bytes | expand

Commit Message

Colin King Nov. 20, 2019, 5:35 p.m. UTC

From: Colin Ian King <colin.king@canonical.com>

Currently tx->bytes is being freed r->num_transactions number of
times because tx is not being set correctly. Fix this by setting
tx to &r->transactions[i] so that the correct objects are being
freed on each loop iteration.

Addresses-Coverity: ("Double free")
Fixes: 2f015ec6eab6 ("drm/dp_mst: Add sideband down request tracing + selftests")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
---
 drivers/gpu/drm/drm_dp_mst_topology.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

Comments

Lyude Paul Nov. 20, 2019, 6:59 p.m. UTC | #1

Heh, surprised I missed this one!

Reviewed-by: Lyude Paul <lyude@redhat.com>

Do you need me to push this to drm-misc, or do you have commit rights already?

On Wed, 2019-11-20 at 17:35 +0000, Colin King wrote:
> From: Colin Ian King <colin.king@canonical.com>
> 
> Currently tx->bytes is being freed r->num_transactions number of
> times because tx is not being set correctly. Fix this by setting
> tx to &r->transactions[i] so that the correct objects are being
> freed on each loop iteration.
> 
> Addresses-Coverity: ("Double free")
> Fixes: 2f015ec6eab6 ("drm/dp_mst: Add sideband down request tracing +
> selftests")
> Signed-off-by: Colin Ian King <colin.king@canonical.com>
> ---
>  drivers/gpu/drm/drm_dp_mst_topology.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/gpu/drm/drm_dp_mst_topology.c
> b/drivers/gpu/drm/drm_dp_mst_topology.c
> index ae5809a1f19a..2754e7e075e7 100644
> --- a/drivers/gpu/drm/drm_dp_mst_topology.c
> +++ b/drivers/gpu/drm/drm_dp_mst_topology.c
> @@ -517,8 +517,10 @@ drm_dp_decode_sideband_req(const struct
> drm_dp_sideband_msg_tx *raw,
>  			}
>  
>  			if (failed) {
> -				for (i = 0; i < r->num_transactions; i++)
> +				for (i = 0; i < r->num_transactions; i++) {
> +					tx = &r->transactions[i];
>  					kfree(tx->bytes);
> +				}
>  				return -ENOMEM;
>  			}
>

Colin King Nov. 20, 2019, 7:11 p.m. UTC | #2

On 20/11/2019 18:59, Lyude Paul wrote:
> Heh, surprised I missed this one!
> 
> Reviewed-by: Lyude Paul <lyude@redhat.com>
> 
> Do you need me to push this to drm-misc, or do you have commit rights already

I have no commit rights.


> 
> On Wed, 2019-11-20 at 17:35 +0000, Colin King wrote:
>> From: Colin Ian King <colin.king@canonical.com>
>>
>> Currently tx->bytes is being freed r->num_transactions number of
>> times because tx is not being set correctly. Fix this by setting
>> tx to &r->transactions[i] so that the correct objects are being
>> freed on each loop iteration.
>>
>> Addresses-Coverity: ("Double free")
>> Fixes: 2f015ec6eab6 ("drm/dp_mst: Add sideband down request tracing +
>> selftests")
>> Signed-off-by: Colin Ian King <colin.king@canonical.com>
>> ---
>>  drivers/gpu/drm/drm_dp_mst_topology.c | 4 +++-
>>  1 file changed, 3 insertions(+), 1 deletion(-)
>>
>> diff --git a/drivers/gpu/drm/drm_dp_mst_topology.c
>> b/drivers/gpu/drm/drm_dp_mst_topology.c
>> index ae5809a1f19a..2754e7e075e7 100644
>> --- a/drivers/gpu/drm/drm_dp_mst_topology.c
>> +++ b/drivers/gpu/drm/drm_dp_mst_topology.c
>> @@ -517,8 +517,10 @@ drm_dp_decode_sideband_req(const struct
>> drm_dp_sideband_msg_tx *raw,
>>  			}
>>  
>>  			if (failed) {
>> -				for (i = 0; i < r->num_transactions; i++)
>> +				for (i = 0; i < r->num_transactions; i++) {
>> +					tx = &r->transactions[i];
>>  					kfree(tx->bytes);
>> +				}
>>  				return -ENOMEM;
>>  			}
>>

Lyude Paul Nov. 20, 2019, 7:18 p.m. UTC | #3

On Wed, 2019-11-20 at 19:11 +0000, Colin Ian King wrote:
> On 20/11/2019 18:59, Lyude Paul wrote:
> > Heh, surprised I missed this one!
> > 
> > Reviewed-by: Lyude Paul <lyude@redhat.com>
> > 
> > Do you need me to push this to drm-misc, or do you have commit rights
> > already
> 
> I have no commit rights.

Gotcha:

Enumerating objects: 11, done.
Counting objects: 100% (11/11), done.
Delta compression using up to 4 threads
Compressing objects: 100% (6/6), done.
Writing objects: 100% (6/6), 885 bytes | 442.00 KiB/s, done.
Total 6 (delta 5), reused 0 (delta 0)
To ssh://git.freedesktop.org/git/drm/drm-misc
   8896e40c05cc..2c8bc91488fc  drm-misc-next -> drm-misc-next
Pushing drm-misc-fixes to for-linux-next-fixes... Everything up-to-date
Done.
Pushing drm-misc-next-fixes to for-linux-next... Everything up-to-date
Done.
Updating rerere cache... Done.
Reloading nightly.conf... Done.
Fetching drm-amd... Done.
Fetching drm-intel... Done.
Fetching sound-upstream (local remote sound)... Done.
Fetching drm... Done.
Fetching drm-misc... Done.
Fetching linux-upstream (local remote origin)... Done.
Fetching drm-tip... Done.
Merging drm/drm-fixes... Reset. Done.
Merging drm-misc/drm-misc-fixes... Fast-forward. Done.
Merging drm-intel/drm-intel-fixes... Fast-forward. Done.
Merging drm-amd/drm-amd-fixes... Fast-forward. Done.
Merging drm/drm-next... Done.
Merging drm-misc/drm-misc-next-fixes... Done.
Merging drm-intel/drm-intel-next-fixes... Done.
Merging drm-amd/drm-amd-next-fixes... Fast-forward. Done.
Merging drm-misc/drm-misc-next... Done.
Merging drm-intel/drm-intel-next-queued... Done.
Merging drm-intel/drm-intel-next... Fast-forward. Done.
Merging drm-amd/drm-amd-next... Fast-forward. Done.
Merging sound-upstream/for-linus (local remote sound)... Fast-forward. Done.
Merging sound-upstream/for-next (local remote sound)... Done.
Merging drm-intel/topic/core-for-CI... Done.
Adding integration manifest drm-tip: 2019y-11m-20d-19h-16m-39s UTC... Done.
Pushing drm-tip... Done.
Finalizing rerere cache... Nothing changed. Pushing rerere cache... Done.

Thanks for the patch!
> 
> 
> > On Wed, 2019-11-20 at 17:35 +0000, Colin King wrote:
> > > From: Colin Ian King <colin.king@canonical.com>
> > > 
> > > Currently tx->bytes is being freed r->num_transactions number of
> > > times because tx is not being set correctly. Fix this by setting
> > > tx to &r->transactions[i] so that the correct objects are being
> > > freed on each loop iteration.
> > > 
> > > Addresses-Coverity: ("Double free")
> > > Fixes: 2f015ec6eab6 ("drm/dp_mst: Add sideband down request tracing +
> > > selftests")
> > > Signed-off-by: Colin Ian King <colin.king@canonical.com>
> > > ---
> > >  drivers/gpu/drm/drm_dp_mst_topology.c | 4 +++-
> > >  1 file changed, 3 insertions(+), 1 deletion(-)
> > > 
> > > diff --git a/drivers/gpu/drm/drm_dp_mst_topology.c
> > > b/drivers/gpu/drm/drm_dp_mst_topology.c
> > > index ae5809a1f19a..2754e7e075e7 100644
> > > --- a/drivers/gpu/drm/drm_dp_mst_topology.c
> > > +++ b/drivers/gpu/drm/drm_dp_mst_topology.c
> > > @@ -517,8 +517,10 @@ drm_dp_decode_sideband_req(const struct
> > > drm_dp_sideband_msg_tx *raw,
> > >  			}
> > >  
> > >  			if (failed) {
> > > -				for (i = 0; i < r->num_transactions; i++)
> > > +				for (i = 0; i < r->num_transactions; i++) {
> > > +					tx = &r->transactions[i];
> > >  					kfree(tx->bytes);
> > > +				}
> > >  				return -ENOMEM;
> > >  			}
> > >

diff --git a/drivers/gpu/drm/drm_dp_mst_topology.c b/drivers/gpu/drm/drm_dp_mst_topology.c
index ae5809a1f19a..2754e7e075e7 100644
--- a/drivers/gpu/drm/drm_dp_mst_topology.c
+++ b/drivers/gpu/drm/drm_dp_mst_topology.c
@@ -517,8 +517,10 @@  drm_dp_decode_sideband_req(const struct drm_dp_sideband_msg_tx *raw,
 			}
 
 			if (failed) {
-				for (i = 0; i < r->num_transactions; i++)
+				for (i = 0; i < r->num_transactions; i++) {
+					tx = &r->transactions[i];
 					kfree(tx->bytes);
+				}
 				return -ENOMEM;
 			}

[next] drm/dp_mst: fix multiple frees of tx->bytes

Commit Message

Comments

Patch