| Message ID | 20240711-bridge-connector-fix-dbl-free-v1-1-d558b2d0eb93@collabora.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | drm/bridge-connector: Fix double free in error handling paths | expand |
On Thu, Jul 11, 2024 at 02:26:55PM GMT, Cristian Ciocaltea wrote: > The recent switch to drmm allocation in drm_bridge_connector_init() may > cause double free on bridge_connector in some of the error handling > paths. > > Drop the explicit kfree() calls on bridge_connector. > > Fixes: c12907be57b1 ("drm/bridge-connector: switch to using drmm allocations") > Signed-off-by: Cristian Ciocaltea <cristian.ciocaltea@collabora.com> > --- > drivers/gpu/drm/drm_bridge_connector.c | 8 ++------ > 1 file changed, 2 insertions(+), 6 deletions(-) > Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
On Thu, 11 Jul 2024 14:26:55 +0300, Cristian Ciocaltea wrote: > The recent switch to drmm allocation in drm_bridge_connector_init() may > cause double free on bridge_connector in some of the error handling > paths. > > Drop the explicit kfree() calls on bridge_connector. > > > [...] Applied, thanks! [1/1] drm/bridge-connector: Fix double free in error handling paths https://cgit.freedesktop.org/drm/drm-misc/commit/?id=ca5442ed8f53 Rob
Hi Robert, On 7/18/24 3:02 PM, Robert Foss wrote: > On Thu, 11 Jul 2024 14:26:55 +0300, Cristian Ciocaltea wrote: >> The recent switch to drmm allocation in drm_bridge_connector_init() may >> cause double free on bridge_connector in some of the error handling >> paths. >> >> Drop the explicit kfree() calls on bridge_connector. >> >> >> [...] > > Applied, thanks! > > [1/1] drm/bridge-connector: Fix double free in error handling paths > https://cgit.freedesktop.org/drm/drm-misc/commit/?id=ca5442ed8f53 The fix is supposed to reach v6.11 tree, hence wondering if this fall through the cracks as it haven't shown up in -rc1, neither in linux-next - should have been applied to drm-misc-fixes instead of drm-misc?! Sorry for the noise if this already follows the regular DRM workflow and just needs more time to get picked into the target branches. Thanks, Cristian
On Wed, Jul 31, 2024 at 10:03 PM Cristian Ciocaltea <cristian.ciocaltea@collabora.com> wrote: > > Hi Robert, > > On 7/18/24 3:02 PM, Robert Foss wrote: > > On Thu, 11 Jul 2024 14:26:55 +0300, Cristian Ciocaltea wrote: > >> The recent switch to drmm allocation in drm_bridge_connector_init() may > >> cause double free on bridge_connector in some of the error handling > >> paths. > >> > >> Drop the explicit kfree() calls on bridge_connector. > >> > >> > >> [...] > > > > Applied, thanks! > > > > [1/1] drm/bridge-connector: Fix double free in error handling paths > > https://cgit.freedesktop.org/drm/drm-misc/commit/?id=ca5442ed8f53 > > The fix is supposed to reach v6.11 tree, hence wondering if this fall > through the cracks as it haven't shown up in -rc1, neither in linux-next > - should have been applied to drm-misc-fixes instead of drm-misc?! I'm seeing the commit in linux-next. https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/log/?qt=grep&q=drm/bridge-connector:+Fix+double+free+in+error+handling+paths It was probably submitted to drm-misc-next, and not drm-misc-fixes and thereby missed 6.11 inclusion. Let me push it to drm-misc-fixes too. > > Sorry for the noise if this already follows the regular DRM workflow and > just needs more time to get picked into the target branches. > > Thanks, > Cristian >
On Thu, 11 Jul 2024 14:26:55 +0300, Cristian Ciocaltea wrote: > The recent switch to drmm allocation in drm_bridge_connector_init() may > cause double free on bridge_connector in some of the error handling > paths. > > Drop the explicit kfree() calls on bridge_connector. > > > [...] Applied, thanks! [1/1] drm/bridge-connector: Fix double free in error handling paths (no commit info) Rob
diff --git a/drivers/gpu/drm/drm_bridge_connector.c b/drivers/gpu/drm/drm_bridge_connector.c index 0869b663f17e..a4fbf1eb7ac5 100644 --- a/drivers/gpu/drm/drm_bridge_connector.c +++ b/drivers/gpu/drm/drm_bridge_connector.c @@ -443,10 +443,8 @@ struct drm_connector *drm_bridge_connector_init(struct drm_device *drm, panel_bridge = bridge; } - if (connector_type == DRM_MODE_CONNECTOR_Unknown) { - kfree(bridge_connector); + if (connector_type == DRM_MODE_CONNECTOR_Unknown) return ERR_PTR(-EINVAL); - } if (bridge_connector->bridge_hdmi) ret = drmm_connector_hdmi_init(drm, connector, @@ -461,10 +459,8 @@ struct drm_connector *drm_bridge_connector_init(struct drm_device *drm, ret = drmm_connector_init(drm, connector, &drm_bridge_connector_funcs, connector_type, ddc); - if (ret) { - kfree(bridge_connector); + if (ret) return ERR_PTR(ret); - } drm_connector_helper_add(connector, &drm_bridge_connector_helper_funcs);
The recent switch to drmm allocation in drm_bridge_connector_init() may cause double free on bridge_connector in some of the error handling paths. Drop the explicit kfree() calls on bridge_connector. Fixes: c12907be57b1 ("drm/bridge-connector: switch to using drmm allocations") Signed-off-by: Cristian Ciocaltea <cristian.ciocaltea@collabora.com> --- drivers/gpu/drm/drm_bridge_connector.c | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) --- base-commit: 1eb586a9782cde8e5091b9de74603e0a8386b09e change-id: 20240711-bridge-connector-fix-dbl-free-9dd324f0b270