Bug in virtio gpu connector destroy

Dave Airlie airlied at gmail.com
Mon Jul 16 22:08:15 UTC 2018


Cc'ing some others

On Mon., 16 Jul. 2018, 23:33 Damir Shaikhutdinov, <Damir.Shaikhutdinov at opensynergy.com> wrote:

> Hi Dave!
>
> I'm debugging the virtio gpu unloading path in kernel 4.14, and found a bug
> that is present even in 4.18.
>
> In file drivers/gpu/drm/virtio/virtgpu_display.c:
>
> static void virtio_gpu_conn_destroy(struct drm_connector *connector)
> {
> 	struct virtio_gpu_output *virtio_gpu_output =
> 		drm_connector_to_virtio_gpu_output(connector);
>
> 	drm_connector_unregister(connector);
> 	drm_connector_cleanup(connector);
> 	kfree(virtio_gpu_output); // <--- here is the bug
> }
>
>
>
> https://elixir.bootlin.com/linux/v4.18-rc5/source/drivers/gpu/drm/virtio/virtgpu_display.c#L264
>
> The virtio_gpu_output pointer in this function points to memory NOT
> allocated by k*alloc, but to an element of the outputs array in the
> virtio device struct.
>
> You can find the actual code that initializes the connector a few lines lower:
>
> 	struct virtio_gpu_output *output = vgdev->outputs + index;
> 	struct drm_connector *connector = &output->conn;
>
> ....
>         drm_connector_init(dev, connector, &virtio_gpu_connector_funcs,
> 			   DRM_MODE_CONNECTOR_VIRTUAL);
>
> So, connector points to the field "conn" inside struct "virtio_gpu_output", which is an element of the array
> vgdev->outputs, and not something that was allocated separately.
>
> Kfree-ing it is an error.
>
>
> Can you confirm that bug?
>
>
> With best regards,
>
> Damir Shaikhutdinov
> Senior Software Engineer
>
> OpenSynergy GmbH
> Rotherstr. 20, 10245 Berlin
>
> Phone: +49 30 60 98 54 0.
> Fax:      +49 30 60 98 54 0 -99
> EMail:   damir.shaikhutdinov at opensynergy.com
> www.opensynergy.com
>
> Handelsregister/Commercial Registry: Amtsgericht Charlottenburg, HRB 108616B
> Geschäftsführung: Stefaan Sonck Thiebaut, Rolf Morich
>
>
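To make the ownership rule in the report concrete, here is an added example (constructed for this page, not the kernel's or the driver's code): a toy model in which a device struct embeds its outputs array and each output embeds its connector, with a destroy callback that unregisters and cleans up the connector but does not free memory the device owns. The names (toy_device, output_is_embedded and so on) are this example's own, and the in-array assertion is an illustrative guard, not something the driver does.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed model of the ownership relationship in the report: a device
 * struct embeds a fixed array of outputs, each output embeds its connector.
 * Names and types are this example's own, not the kernel's. */
#define MAX_OUTPUTS 16

struct toy_connector {
    int registered;    /* set by init, cleared by unregister */
    int initialised;   /* set by init, cleared by cleanup */
};

struct toy_output {
    struct toy_connector conn;   /* embedded, like output->conn in the report */
    int enabled;
};

struct toy_device {
    struct toy_output outputs[MAX_OUTPUTS];   /* embedded array, like vgdev->outputs */
    int num_outputs;
};

/* container_of-style conversion, the role drm_connector_to_virtio_gpu_output
 * plays in the report: connector pointer -> enclosing output. */
static struct toy_output *conn_to_output(struct toy_connector *c)
{
    return (struct toy_output *)((char *)c - offsetof(struct toy_output, conn));
}

static void connector_init(struct toy_connector *c)
{
    c->registered = 1;
    c->initialised = 1;
}

static void connector_unregister(struct toy_connector *c) { c->registered = 0; }
static void connector_cleanup(struct toy_connector *c) { c->initialised = 0; }

/* Ownership check: does this output live inside the device's embedded array?
 * Such memory was never allocated on its own, so nothing may free it except
 * the teardown of the whole device.  Addresses are compared as integers so
 * pointers into different objects can be compared safely. */
int output_is_embedded(const struct toy_device *dev, const struct toy_output *out)
{
    uintptr_t p = (uintptr_t)out;
    uintptr_t lo = (uintptr_t)&dev->outputs[0];
    uintptr_t hi = (uintptr_t)&dev->outputs[MAX_OUTPUTS];
    return p >= lo && p < hi;
}

/* Corrected destroy callback: tear down the connector's state and leave the
 * memory alone.  A free(out) here is the pattern the report calls the bug
 * (kfree of a pointer into vgdev->outputs). */
void output_conn_destroy(struct toy_device *dev, struct toy_connector *c)
{
    struct toy_output *out = conn_to_output(c);

    assert(output_is_embedded(dev, out));   /* never free what we do not own */
    connector_unregister(c);
    connector_cleanup(c);
    /* no free(out): the device owns this memory */
}

/* Allocate a device with n outputs; this is the one and only allocation. */
struct toy_device *device_create(int n)
{
    struct toy_device *dev;
    int i;

    if (n < 0 || n > MAX_OUTPUTS)
        return NULL;
    dev = calloc(1, sizeof *dev);
    if (!dev)
        return NULL;
    dev->num_outputs = n;
    for (i = 0; i < n; i++) {
        struct toy_output *out = dev->outputs + i;   /* mirrors vgdev->outputs + index */
        connector_init(&out->conn);
        out->enabled = 1;
    }
    return dev;
}

/* How many connectors are still initialised (used to check teardown). */
int device_count_initialised(const struct toy_device *dev)
{
    int i, n = 0;
    for (i = 0; i < dev->num_outputs; i++)
        n += dev->outputs[i].conn.initialised;
    return n;
}

/* Device teardown: destroy each embedded connector, then free the device
 * once, matching the single allocation in device_create. */
void device_destroy(struct toy_device *dev)
{
    int i;
    for (i = 0; i < dev->num_outputs; i++)
        output_conn_destroy(dev, &dev->outputs[i].conn);
    free(dev);
}
```

The question to ask of any destroy callback is the one the report asks: did the pointer it receives come from its own allocation, or from a container that will free it as a whole? In the kernel, memory debugging such as KASAN or slab debugging would normally report a kfree of an interior pointer at runtime, but the ownership check above is the kind of review that catches it before it ships.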