[PATCH] drm: Don't free a struct never allocated by drm_gem_fb_init()

Thu Apr 16 11:35:50 UTC 2020

W dniu 15.04.2020 o 20:33, Daniel Vetter pisze:
> On Wed, Apr 15, 2020 at 7:19 PM Andrzej Pietrasiewicz
> <andrzej.p at collabora.com> wrote:
>>
>> drm_gem_fb_init() is passed the fb and never allocates it, so it should be
>> not the one freeing it. As it is now the second call to kfree() is possible
>> with the same fb. Coverity reported the following:
>>
>> *** CID 1492613:  Memory - corruptions  (USE_AFTER_FREE)
>> /drivers/gpu/drm/drm_gem_framebuffer_helper.c: 230 in drm_gem_fb_create_with_funcs()
>> 224             fb = kzalloc(sizeof(*fb), GFP_KERNEL);
>> 225             if (!fb)
>> 226                     return ERR_PTR(-ENOMEM);
>> 227
>> 228             ret = drm_gem_fb_init_with_funcs(dev, fb, file, mode_cmd, funcs);
>> 229             if (ret) {
>> vvv     CID 1492613:  Memory - corruptions  (USE_AFTER_FREE)
>> vvv     Calling "kfree" frees pointer "fb" which has already been freed. [Note: The source code implementation of the function has been overridden by a user model.]
>> 230                     kfree(fb);
>> 231                     return ERR_PTR(ret);
>> 232             }
>> 233
>> 234             return fb;
>> 235     }
>>
>> drm_gem_fb_init_with_funcs() calls drm_gem_fb_init()
>> drm_gem_fb_init() calls kfree(fb)
>>
>> Reported-by: coverity-bot <keescook+coverity-bot at chromium.org>
>> Addresses-Coverity-ID: 1492613 ("Memory - corruptions")
>> Fixes: f2b816d78a94 ("drm/core: Allow drivers allocate a subclass of struct drm_framebuffer")
>> Signed-off-by: Andrzej Pietrasiewicz <andrzej.p at collabora.com>
> 
> Reviewed-by: Daniel Vetter <daniel.vetter at ffwll.ch>
> 
>> ---
>>   drivers/gpu/drm/drm_gem_framebuffer_helper.c | 4 +---
>>   1 file changed, 1 insertion(+), 3 deletions(-)
>>
>> diff --git a/drivers/gpu/drm/drm_gem_framebuffer_helper.c b/drivers/gpu/drm/drm_gem_framebuffer_helper.c
>> index cac15294aef6..ccc2c71fa491 100644
>> --- a/drivers/gpu/drm/drm_gem_framebuffer_helper.c
>> +++ b/drivers/gpu/drm/drm_gem_framebuffer_helper.c
>> @@ -76,10 +76,8 @@ drm_gem_fb_init(struct drm_device *dev,
>>                  fb->obj[i] = obj[i];
>>
>>          ret = drm_framebuffer_init(dev, fb, funcs);
>> -       if (ret) {
>> +       if (ret)
>>                  drm_err(dev, "Failed to init framebuffer: %d\n", ret);
>> -               kfree(fb);
>> -       }
>>
>>          return ret;
>>   }
>> --
>> 2.17.1
>>
> 
>