Message ID | 20201030114808.GD3251003@mwanda (mailing list archive) |
---|---|
State | New, archived |
Series | drm/virtio: Fix a double free in virtio_gpu_cmd_map() |
On Fri, Oct 30, 2020 at 4:48 AM Dan Carpenter <dan.carpenter@oracle.com> wrote: > This is freed both here and in the caller (virtio_gpu_vram_map()) so > it's a double free. The correct place is only in the caller. > > Fixes: 16845c5d5409 ("drm/virtio: implement blob resources: implement vram > object") > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> > --- > drivers/gpu/drm/virtio/virtgpu_vq.c | 4 +--- > 1 file changed, 1 insertion(+), 3 deletions(-) > > diff --git a/drivers/gpu/drm/virtio/virtgpu_vq.c > b/drivers/gpu/drm/virtio/virtgpu_vq.c > index 72586cd8cc4c..3f200306c9d7 100644 > --- a/drivers/gpu/drm/virtio/virtgpu_vq.c > +++ b/drivers/gpu/drm/virtio/virtgpu_vq.c > @@ -1212,10 +1212,8 @@ int virtio_gpu_cmd_map(struct virtio_gpu_device > *vgdev, > struct virtio_gpu_resp_map_info *resp_buf; > > resp_buf = kzalloc(sizeof(*resp_buf), GFP_KERNEL); > - if (!resp_buf) { > - virtio_gpu_array_put_free(objs); > + if (!resp_buf) > return -ENOMEM; > - } > > cmd_p = virtio_gpu_alloc_cmd_resp > (vgdev, virtio_gpu_cmd_resource_map_cb, &vbuf, > sizeof(*cmd_p), > -- > 2.28.0 > Reviewed-by: Gurchetan Singh <gurchetansingh@chromium.org>
On Fri, Oct 30, 2020 at 02:48:08PM +0300, Dan Carpenter wrote:
> This is freed both here and in the caller (virtio_gpu_vram_map()) so
> it's a double free. The correct place is only in the caller.
>
> Fixes: 16845c5d5409 ("drm/virtio: implement blob resources: implement vram object")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

Pushed to drm-misc-next.

thanks,
Gerd
diff --git a/drivers/gpu/drm/virtio/virtgpu_vq.c b/drivers/gpu/drm/virtio/virtgpu_vq.c index 72586cd8cc4c..3f200306c9d7 100644 --- a/drivers/gpu/drm/virtio/virtgpu_vq.c +++ b/drivers/gpu/drm/virtio/virtgpu_vq.c @@ -1212,10 +1212,8 @@ int virtio_gpu_cmd_map(struct virtio_gpu_device *vgdev, struct virtio_gpu_resp_map_info *resp_buf; resp_buf = kzalloc(sizeof(*resp_buf), GFP_KERNEL); - if (!resp_buf) { - virtio_gpu_array_put_free(objs); + if (!resp_buf) return -ENOMEM; - } cmd_p = virtio_gpu_alloc_cmd_resp (vgdev, virtio_gpu_cmd_resource_map_cb, &vbuf, sizeof(*cmd_p),
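Review bot: The ownership rule for `objs` is left implicit at the `if (!resp_buf)` branch in virtio_gpu_cmd_map(). With `virtio_gpu_array_put_free(objs);` removed, the `return -ENOMEM;` path depends entirely on virtio_gpu_vram_map() releasing the array, as the commit message says. A one-line comment above the function stating that the caller frees `objs` on error would stop a later change from reintroducing the free here. The hunk shows only this one error return, so it is also worth confirming that any other failure path in the function, for example after the `virtio_gpu_alloc_cmd_resp(...)` call, follows the same rule, so that the caller's cleanup neither doubles nor skips the release.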
This is freed both here and in the caller (virtio_gpu_vram_map()) so
it's a double free. The correct place is only in the caller.

Fixes: 16845c5d5409 ("drm/virtio: implement blob resources: implement vram object")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
 drivers/gpu/drm/virtio/virtgpu_vq.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)