diff mbox series

drm/imx: fix memory leak in imx_pd_bind

Message ID 20191004190938.15353-1-navid.emamdoost@gmail.com (mailing list archive)
State New, archived
Headers show
Series drm/imx: fix memory leak in imx_pd_bind | expand

Commit Message

Navid Emamdoost Oct. 4, 2019, 7:09 p.m. UTC 
In imx_pd_bind, the duplicated memory for imxpd->edid via kmemdup should
be released in drm_of_find_panel_or_bridge or imx_pd_register fail.

Fixes: ebc944613567 ("drm: convert drivers to use drm_of_find_panel_or_bridge")
Fixes: 19022aaae677 ("staging: drm/imx: Add parallel display support")
Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
---
 drivers/gpu/drm/imx/parallel-display.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

Comments

Markus Elfring Oct. 5, 2019, 3:02 p.m. UTC | #1 
> In imx_pd_bind, the duplicated memory for imxpd->edid via kmemdup should
> be released in drm_of_find_panel_or_bridge or imx_pd_register fail.

Please improve this change description.


> +++ b/drivers/gpu/drm/imx/parallel-display.c
> @@ -227,14 +227,18 @@ static int imx_pd_bind(struct device *dev, struct device *master, void *data)
>
>  	/* port@1 is the output port */
>  	ret = drm_of_find_panel_or_bridge(np, 1, 0, &imxpd->panel, &imxpd->bridge);
> -	if (ret && ret != -ENODEV)
> +	if (ret && ret != -ENODEV) {
> +		kfree(imxpd->edid);
>  		return ret;
> +	}
>
>  	imxpd->dev = dev;

Please use a jump target here instead of adding duplicate source code
for the completion of exception handling.

 	if (ret && ret != -ENODEV)
-		return ret;
+		goto free_edid;

…

+free_edid:
+ 	kfree(imxpd->edid);
+ 	return ret;


Regards,
Markus
Markus Elfring Oct. 6, 2019, 9:33 a.m. UTC | #2 
I have taken another look also at the implementation of the function “imx_pd_bind”.
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/gpu/drm/imx/parallel-display.c?id=43b815c6a8e7dbccb5b8bd9c4b099c24bc22d135#n197
https://elixir.bootlin.com/linux/v5.4-rc1/source/drivers/gpu/drm/imx/parallel-display.c#L197

Now I find an unchecked call of the function “kmemdup” suspicious.
Will this detail trigger further software development considerations?

Regards,
Markus
Navid Emamdoost Oct. 7, 2019, 4:26 a.m. UTC | #3 
Hi Markus,

I agree with you, kmemdup may fail so a null check seems necessary there.

On Sun, Oct 6, 2019 at 4:33 AM Markus Elfring <Markus.Elfring@web.de> wrote:
>
> I have taken another look also at the implementation of the function “imx_pd_bind”.
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/gpu/drm/imx/parallel-display.c?id=43b815c6a8e7dbccb5b8bd9c4b099c24bc22d135#n197
> https://elixir.bootlin.com/linux/v5.4-rc1/source/drivers/gpu/drm/imx/parallel-display.c#L197
>
> Now I find an unchecked call of the function “kmemdup” suspicious.
> Will this detail trigger further software development considerations?
>
> Regards,
> Markus
Markus Elfring Oct. 7, 2019, 7:44 a.m. UTC | #4 
> I agree with you, kmemdup may fail so a null check seems necessary there.

Would this place (and similar ones) be pointed out for further considerations
also by the source code analysis tool which your software research group
seems to be developing?
https://github.com/umnsec/cheq/

Regards,
Markus
Markus Elfring Oct. 12, 2019, 11:54 a.m. UTC | #5 
> +free_edid:
> + 	kfree(imxpd->edid);
> + 	return ret;

I have taken another look at this change idea.
Can the function call “devm_kfree(dev, imxpd)” become relevant
also at this place?

Would you like to combine it with the update suggestion
“Fix error handling for a kmemdup() call in imx_pd_bind()”?
https://lore.kernel.org/r/3fd6aa8b-2529-7ff5-3e19-05267101b2a4@web.de/
https://lore.kernel.org/patchwork/patch/1138912/
https://lkml.org/lkml/2019/10/12/87

Regards,
Markus
Navid Emamdoost Oct. 12, 2019, 7:22 p.m. UTC | #6 
No, that is not correct! You should not try to free imxpd here as it
is a resource-managed allocation via devm_kzalloc(). It means memory
allocated with this function is automatically freed on driver detach.
So, this patch introduces a double-free.

On Sat, Oct 12, 2019 at 6:54 AM Markus Elfring <Markus.Elfring@web.de> wrote:
>
> > +free_edid:
> > +     kfree(imxpd->edid);
> > +     return ret;
>
> I have taken another look at this change idea.
> Can the function call “devm_kfree(dev, imxpd)” become relevant
> also at this place?
>
> Would you like to combine it with the update suggestion
> “Fix error handling for a kmemdup() call in imx_pd_bind()”?
> https://lore.kernel.org/r/3fd6aa8b-2529-7ff5-3e19-05267101b2a4@web.de/
> https://lore.kernel.org/patchwork/patch/1138912/
> https://lkml.org/lkml/2019/10/12/87
>
> Regards,
> Markus
Navid Emamdoost Nov. 21, 2019, 6:31 p.m. UTC | #7 
On Fri, Oct 4, 2019 at 2:09 PM Navid Emamdoost
<navid.emamdoost@gmail.com> wrote:
>
> In imx_pd_bind, the duplicated memory for imxpd->edid via kmemdup should
> be released in drm_of_find_panel_or_bridge or imx_pd_register fail.
>
> Fixes: ebc944613567 ("drm: convert drivers to use drm_of_find_panel_or_bridge")
> Fixes: 19022aaae677 ("staging: drm/imx: Add parallel display support")
> Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
> ---

Would you please review this patch?

Thanks,

>  drivers/gpu/drm/imx/parallel-display.c | 8 ++++++--
>  1 file changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/gpu/drm/imx/parallel-display.c b/drivers/gpu/drm/imx/parallel-display.c
> index e7ce17503ae1..9522d2cb0ad5 100644
> --- a/drivers/gpu/drm/imx/parallel-display.c
> +++ b/drivers/gpu/drm/imx/parallel-display.c
> @@ -227,14 +227,18 @@ static int imx_pd_bind(struct device *dev, struct device *master, void *data)
>
>         /* port@1 is the output port */
>         ret = drm_of_find_panel_or_bridge(np, 1, 0, &imxpd->panel, &imxpd->bridge);
> -       if (ret && ret != -ENODEV)
> +       if (ret && ret != -ENODEV) {
> +               kfree(imxpd->edid);
>                 return ret;
> +       }
>
>         imxpd->dev = dev;
>
>         ret = imx_pd_register(drm, imxpd);
> -       if (ret)
> +       if (ret) {
> +               kfree(imxpd->edid);
>                 return ret;
> +       }
>
>         dev_set_drvdata(dev, imxpd);
>
> --
> 2.17.1
>
Marco Felsch Nov. 22, 2019, 7:22 a.m. UTC | #8 
Hi Navid,

On 19-11-21 12:31, Navid Emamdoost wrote:
> On Fri, Oct 4, 2019 at 2:09 PM Navid Emamdoost
> <navid.emamdoost@gmail.com> wrote:
> >
> > In imx_pd_bind, the duplicated memory for imxpd->edid via kmemdup should
> > be released in drm_of_find_panel_or_bridge or imx_pd_register fail.
> >
> > Fixes: ebc944613567 ("drm: convert drivers to use drm_of_find_panel_or_bridge")
> > Fixes: 19022aaae677 ("staging: drm/imx: Add parallel display support")
> > Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
> > ---
> 
> Would you please review this patch?
> 
> Thanks,

I currently work on the drm/imx driver(s) to avoid errors like [1].
Hopefully I have a working version till next week. There I fixed this
issue by using the devm_kmemdup() and dropped the explicit kfree()
within unbind().

[1] https://www.spinics.net/lists/dri-devel/msg189388.html

Regards,
  Marco

> 
> >  drivers/gpu/drm/imx/parallel-display.c | 8 ++++++--
> >  1 file changed, 6 insertions(+), 2 deletions(-)
> >
> > diff --git a/drivers/gpu/drm/imx/parallel-display.c b/drivers/gpu/drm/imx/parallel-display.c
> > index e7ce17503ae1..9522d2cb0ad5 100644
> > --- a/drivers/gpu/drm/imx/parallel-display.c
> > +++ b/drivers/gpu/drm/imx/parallel-display.c
> > @@ -227,14 +227,18 @@ static int imx_pd_bind(struct device *dev, struct device *master, void *data)
> >
> >         /* port@1 is the output port */
> >         ret = drm_of_find_panel_or_bridge(np, 1, 0, &imxpd->panel, &imxpd->bridge);
> > -       if (ret && ret != -ENODEV)
> > +       if (ret && ret != -ENODEV) {
> > +               kfree(imxpd->edid);
> >                 return ret;
> > +       }
> >
> >         imxpd->dev = dev;
> >
> >         ret = imx_pd_register(drm, imxpd);
> > -       if (ret)
> > +       if (ret) {
> > +               kfree(imxpd->edid);
> >                 return ret;
> > +       }
> >
> >         dev_set_drvdata(dev, imxpd);
> >
> > --
> > 2.17.1
> >
> 
> 
> -- 
> Navid.
> 
>
Navid Emamdoost Nov. 22, 2019, 5:43 p.m. UTC | #9 
Thanks for the update.

On Fri, Nov 22, 2019 at 1:22 AM Marco Felsch <m.felsch@pengutronix.de> wrote:
>
> Hi Navid,
>
> On 19-11-21 12:31, Navid Emamdoost wrote:
> > On Fri, Oct 4, 2019 at 2:09 PM Navid Emamdoost
> > <navid.emamdoost@gmail.com> wrote:
> > >
> > > In imx_pd_bind, the duplicated memory for imxpd->edid via kmemdup should
> > > be released in drm_of_find_panel_or_bridge or imx_pd_register fail.
> > >
> > > Fixes: ebc944613567 ("drm: convert drivers to use drm_of_find_panel_or_bridge")
> > > Fixes: 19022aaae677 ("staging: drm/imx: Add parallel display support")
> > > Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
> > > ---
> >
> > Would you please review this patch?
> >
> > Thanks,
>
> I currently work on the drm/imx driver(s) to avoid errors like [1].
> Hopefully I have a working version till next week. There I fixed this
> issue by using the devm_kmemdup() and dropped the explicit kfree()
> within unbind().
>
> [1] https://www.spinics.net/lists/dri-devel/msg189388.html
>
> Regards,
>   Marco
>
> >
> > >  drivers/gpu/drm/imx/parallel-display.c | 8 ++++++--
> > >  1 file changed, 6 insertions(+), 2 deletions(-)
> > >
> > > diff --git a/drivers/gpu/drm/imx/parallel-display.c b/drivers/gpu/drm/imx/parallel-display.c
> > > index e7ce17503ae1..9522d2cb0ad5 100644
> > > --- a/drivers/gpu/drm/imx/parallel-display.c
> > > +++ b/drivers/gpu/drm/imx/parallel-display.c
> > > @@ -227,14 +227,18 @@ static int imx_pd_bind(struct device *dev, struct device *master, void *data)
> > >
> > >         /* port@1 is the output port */
> > >         ret = drm_of_find_panel_or_bridge(np, 1, 0, &imxpd->panel, &imxpd->bridge);
> > > -       if (ret && ret != -ENODEV)
> > > +       if (ret && ret != -ENODEV) {
> > > +               kfree(imxpd->edid);
> > >                 return ret;
> > > +       }
> > >
> > >         imxpd->dev = dev;
> > >
> > >         ret = imx_pd_register(drm, imxpd);
> > > -       if (ret)
> > > +       if (ret) {
> > > +               kfree(imxpd->edid);
> > >                 return ret;
> > > +       }
> > >
> > >         dev_set_drvdata(dev, imxpd);
> > >
> > > --
> > > 2.17.1
> > >
> >
> >
> > --
> > Navid.
> >
> >
>
> --
> Pengutronix e.K.                           |                             |
> Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
> 31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
> Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |
diff mbox series

Patch

diff --git a/drivers/gpu/drm/imx/parallel-display.c b/drivers/gpu/drm/imx/parallel-display.c
index e7ce17503ae1..9522d2cb0ad5 100644
--- a/drivers/gpu/drm/imx/parallel-display.c
+++ b/drivers/gpu/drm/imx/parallel-display.c
@@ -227,14 +227,18 @@  static int imx_pd_bind(struct device *dev, struct device *master, void *data)
 
 	/* port@1 is the output port */
 	ret = drm_of_find_panel_or_bridge(np, 1, 0, &imxpd->panel, &imxpd->bridge);
-	if (ret && ret != -ENODEV)
+	if (ret && ret != -ENODEV) {
+		kfree(imxpd->edid);
 		return ret;
+	}
 
 	imxpd->dev = dev;
 
 	ret = imx_pd_register(drm, imxpd);
-	if (ret)
+	if (ret) {
+		kfree(imxpd->edid);
 		return ret;
+	}
 
 	dev_set_drvdata(dev, imxpd);