| Message ID | 20221125063428.69486-1-xiafukun@huawei.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | drm/i915/bios: fix a memory leak in generate_lfp_data_ptrs | expand |
On Fri, 25 Nov 2022, Jani Nikula <jani.nikula@linux.intel.com> wrote: > On Fri, 25 Nov 2022, Xia Fukun <xiafukun@huawei.com> wrote: >> When (size != 0 || ptrs->lvds_ entries != 3), the program tries to >> free() the ptrs. However, the ptrs is not created by calling kzmalloc(), >> but is obtained by pointer offset operation. >> This may lead to memory leaks or undefined behavior. > > Yeah probably worse things will happen than just leak. > >> >> Fix this by replacing the arguments of kfree() with ptrs_block. >> >> Fixes: a87d0a847607 ("drm/i915/bios: Generate LFP data table pointers if the VBT lacks them") >> Signed-off-by: Xia Fukun <xiafukun@huawei.com> > > Reviewed-by: Jani Nikula <jani.nikula@intel.com> And pushed to drm-intel-next, thanks for the patch. BR, Jani. > >> --- >> drivers/gpu/drm/i915/display/intel_bios.c | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/drivers/gpu/drm/i915/display/intel_bios.c b/drivers/gpu/drm/i915/display/intel_bios.c >> index 28bdb936cd1f..edbdb949b6ce 100644 >> --- a/drivers/gpu/drm/i915/display/intel_bios.c >> +++ b/drivers/gpu/drm/i915/display/intel_bios.c >> @@ -414,7 +414,7 @@ static void *generate_lfp_data_ptrs(struct drm_i915_private *i915, >> ptrs->lvds_entries++; >> >> if (size != 0 || ptrs->lvds_entries != 3) { >> - kfree(ptrs); >> + kfree(ptrs_block); >> return NULL; >> }
diff --git a/drivers/gpu/drm/i915/display/intel_bios.c b/drivers/gpu/drm/i915/display/intel_bios.c index 28bdb936cd1f..edbdb949b6ce 100644 --- a/drivers/gpu/drm/i915/display/intel_bios.c +++ b/drivers/gpu/drm/i915/display/intel_bios.c @@ -414,7 +414,7 @@ static void *generate_lfp_data_ptrs(struct drm_i915_private *i915, ptrs->lvds_entries++; if (size != 0 || ptrs->lvds_entries != 3) { - kfree(ptrs); + kfree(ptrs_block); return NULL; }
When (size != 0 || ptrs->lvds_ entries != 3), the program tries to free() the ptrs. However, the ptrs is not created by calling kzmalloc(), but is obtained by pointer offset operation. This may lead to memory leaks or undefined behavior. Fix this by replacing the arguments of kfree() with ptrs_block. Fixes: a87d0a847607 ("drm/i915/bios: Generate LFP data table pointers if the VBT lacks them") Signed-off-by: Xia Fukun <xiafukun@huawei.com> --- drivers/gpu/drm/i915/display/intel_bios.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)