<div dir="auto">Cc'ing some others</div><br><div class="gmail_quote"><div dir="ltr">On Mon., 16 Jul. 2018, 23:33 Damir Shaikhutdinov, <<a href="mailto:Damir.Shaikhutdinov@opensynergy.com">Damir.Shaikhutdinov@opensynergy.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">




<div>
<div style="direction:ltr;font-family:Tahoma;color:#000000;font-size:10pt">
<div>Hi Dave!</div>
<div><br>
</div>
<div>I'm debugging the virtio gpu unloading path in kernel 4.14, and found a bug that is present even in 4.18.</div>
<div><br>
</div>
<div>In file drivers/gpu/drm/virtio/virtgpu_display.c:<br>
</div>
<div><br>
</div>
<div>
<pre>static void virtio_gpu_conn_destroy(struct drm_connector *connector)
{
        struct virtio_gpu_output *virtio_gpu_output =
                drm_connector_to_virtio_gpu_output(connector);

        drm_connector_unregister(connector);
        drm_connector_cleanup(connector);
        kfree(virtio_gpu_output); // &lt;--- here is the bug
}</pre>
</div>
<div><br>
</div>
<div><a href="https://elixir.bootlin.com/linux/v4.18-rc5/source/drivers/gpu/drm/virtio/virtgpu_display.c#L264" target="_blank" rel="noreferrer">https://elixir.bootlin.com/linux/v4.18-rc5/source/drivers/gpu/drm/virtio/virtgpu_display.c#L264</a></div>
<div><br>
</div>
<div>The virtio_gpu_output pointer in this function points to memory NOT allocated by k*alloc, but to an element of the</div>
<div>outputs array in struct virtio device.</div>
<div><br>
</div>
<div>You can find the actual code that initializes the connector a few lines lower:</div>
<div><br>
</div>
<div>
<pre>        struct virtio_gpu_output *output = vgdev->outputs + index;
        struct drm_connector *connector = &amp;output->conn;

....
        drm_connector_init(dev, connector, &amp;virtio_gpu_connector_funcs,
                           DRM_MODE_CONNECTOR_VIRTUAL);</pre>
<div><br>
</div>
<div>So, connector points to a field "conn" inside struct "virtio_gpu_output", which is an element of the array vgdev->outputs, and not something that was allocated separately.</div>
<div><br>
</div>
<div>Kfree-ing it is an error.</div>
</div>
<div><br>
</div>
<div>Can you confirm this bug?<br>
</div>
<div><br>
</div>
<div><br>
</div>
<div>With best regards, <br>
<div style="font-family:Tahoma;font-size:13px"><font size="1" face="Calibri"></font>
<div style="font-size:13px">
<pre><font size="1" face="Calibri">Damir Shaikhutdinov
Senior Software Engineer

OpenSynergy GmbH
Rotherstr. 20, 10245 Berlin

Phone: +49 30 60 98 54 0.
Fax:      +49 30 60 98 54 0 -99
EMail:   <a href="mailto:damir.shaikhutdinov@opensynergy.com" target="_blank" rel="noreferrer">damir.shaikhutdinov@opensynergy.com</a>

<a href="http://www.opensynergy.com" target="_blank" rel="noreferrer">www.opensynergy.com</a>

Handelsregister/Commercial Registry: Amtsgericht Charlottenburg, HRB 108616B<br><span lang="de"><span style="font-size:11pt"><font color="black"><span style="font-size:8pt">Geschäftsführung: Stefaan Sonck Thiebaut, Rolf Morich</span></font></span></span>
</font></pre>
</div>
<font size="1" face="Calibri"></font></div>
</div>
</div>
</div>

</blockquote></div>
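<div>The ownership pattern the report describes, as an added example in user-space C that is not part of this e-mail or of the kernel source: outputs[] is embedded by value in the device struct, container_of recovers the output from its connector, and the corrected teardown checks that the pointer really is an element of that array before cleaning up, and deliberately frees nothing. The struct layouts, the output_is_embedded helper and the stand-in bodies for the drm_* calls are constructed assumptions, not kernel code.</div>

```c
/* Added example, not kernel code: a user-space model of the ownership pattern
 * behind the reported bug. Names mirror the kernel's; all of this is constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))
#define MAX_OUTPUTS 4

struct drm_connector { int id; bool registered; };
/* Embedded by value in the device's array; never allocated separately. */
struct virtio_gpu_output { int index; struct drm_connector conn; };
struct virtio_gpu_device { struct virtio_gpu_output outputs[MAX_OUTPUTS]; };

static struct virtio_gpu_output *drm_connector_to_virtio_gpu_output(struct drm_connector *c)
{
    return container_of(c, struct virtio_gpu_output, conn);
}

/* True when out is an element of vgdev->outputs[], i.e. the device owns it. */
bool output_is_embedded(const struct virtio_gpu_device *vgdev,
                        const struct virtio_gpu_output *out)
{
    uintptr_t p = (uintptr_t)out, lo = (uintptr_t)vgdev->outputs;
    uintptr_t hi = (uintptr_t)(vgdev->outputs + MAX_OUTPUTS);
    return p >= lo && p < hi && (p - lo) % sizeof(struct virtio_gpu_output) == 0;
}

/* Mirrors the init path quoted in the mail: conn is a field of outputs[index]. */
struct drm_connector *virtio_gpu_conn_init(struct virtio_gpu_device *vgdev, int index)
{
    struct virtio_gpu_output *output = vgdev->outputs + index;
    output->index = index;
    output->conn.id = 100 + index;
    output->conn.registered = true;
    return &output->conn;
}

/* Corrected teardown: unregister and clean up but free nothing, since the storage
 * belongs to vgdev->outputs[]. Returns false if the pointer is not embedded. */
bool virtio_gpu_conn_destroy(struct virtio_gpu_device *vgdev,
                             struct drm_connector *connector)
{
    struct virtio_gpu_output *out = drm_connector_to_virtio_gpu_output(connector);
    if (!output_is_embedded(vgdev, out))
        return false;
    connector->registered = false; /* stands in for drm_connector_unregister() */
    connector->id = 0;             /* stands in for drm_connector_cleanup() */
    return true;
}
```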