Cc'ing some others
On Mon., 16 Jul. 2018, 23:33 Damir Shaikhutdinov, <Damir.Shaikhutdinov@xxxxxxxxxxxxxxx> wrote:
Hi Dave!
I'm debugging the virtio gpu unloading path in kernel 4.14, and found a bug that is still present in 4.18.
In file drivers/gpu/drm/virtio/virtgpu_display.c:
    static void virtio_gpu_conn_destroy(struct drm_connector *connector)
    {
        struct virtio_gpu_output *virtio_gpu_output =
            drm_connector_to_virtio_gpu_output(connector);

        drm_connector_unregister(connector);
        drm_connector_cleanup(connector);
        kfree(virtio_gpu_output); // <--- here is the bug
    }
The virtio_gpu_output pointer in this function points to memory NOT allocated by k*alloc, but to an element of the outputs array in struct virtio_gpu_device.
You can find the actual code that initializes the connector a few lines lower:
    struct virtio_gpu_output *output = vgdev->outputs + index;
    struct drm_connector *connector = &output->conn;
    ....
    drm_connector_init(dev, connector, &virtio_gpu_connector_funcs,
                       DRM_MODE_CONNECTOR_VIRTUAL);
So, connector points to the field "conn" inside struct "virtio_gpu_output", which is an element of the array vgdev->outputs, and not something that was allocated separately.
Kfree-ing it is an error.
Can you confirm that bug?
With best regards,
Damir Shaikhutdinov
Senior Software Engineer
OpenSynergy GmbH
Rotherstr. 20, 10245 Berlin
Phone: +49 30 60 98 54 0. Fax: +49 30 60 98 54 0 -99
EMail: damir.shaikhutdinov@xxxxxxxxxxxxxxx
www.opensynergy.com
Handelsregister/Commercial Registry: Amtsgericht Charlottenburg, HRB 108616B
Managing Directors: Stefaan Sonck Thiebaut, Rolf Morich
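The ownership mistake described in the mail, modelled in userland as an added example (not code from the virtio-gpu driver or from the poster; the struct layouts, VIRTIO_GPU_MAX_SCANOUTS value, conn_to_output(), output_is_embedded() and the check_* helpers are constructed stand-ins). It shows why a connector recovered with container_of() from an array element must be cleaned up but never freed, and how a pointer into that array can be told apart from a separately allocated object:

```c
#include <stddef.h>
#include <stdlib.h>
/* Constructed userland model of the layout in the mail (not the kernel's real
 * definitions): connector embedded in an output, outputs in a fixed array in the device. */
#define VIRTIO_GPU_MAX_SCANOUTS 16
struct drm_connector { int registered; int initialized; };
struct virtio_gpu_output { struct drm_connector conn; int index; };
struct virtio_gpu_device { struct virtio_gpu_output outputs[VIRTIO_GPU_MAX_SCANOUTS]; };

/* container_of()-style recovery, as drm_connector_to_virtio_gpu_output() does. */
static struct virtio_gpu_output *conn_to_output(struct drm_connector *connector)
{
    return (struct virtio_gpu_output *)((char *)connector - offsetof(struct virtio_gpu_output, conn));
}

/* 1 if output is an element of vgdev->outputs, i.e. memory that must not be kfree()'d. */
int output_is_embedded(const struct virtio_gpu_device *vgdev, const struct virtio_gpu_output *output)
{
    const char *base = (const char *)vgdev->outputs, *p = (const char *)output;
    return p >= base && p < base + sizeof(vgdev->outputs) && (size_t)(p - base) % sizeof(*output) == 0;
}

/* Corrected destroy: tear down the connector but leave the memory to the owning
 * device, which is released once, as a whole, by its own release path. */
void virtio_gpu_conn_destroy_fixed(struct drm_connector *connector)
{
    connector->registered = 0;   /* stands in for drm_connector_unregister() */
    connector->initialized = 0;  /* stands in for drm_connector_cleanup() */
    /* no kfree(virtio_gpu_output) here: it is an array element, not a heap object */
}

/* Returns 1 if an output taken from vgdev->outputs round-trips through its
 * connector pointer, is recognised as embedded and is torn down without a free. */
int check_embedded_output(int index)
{
    static struct virtio_gpu_device vgdev;
    struct virtio_gpu_output *output = vgdev.outputs + index;   /* as in the driver */
    struct drm_connector *connector = &output->conn;
    connector->registered = connector->initialized = 1;
    virtio_gpu_conn_destroy_fixed(connector);
    return conn_to_output(connector) == output && output_is_embedded(&vgdev, output)
        && !connector->registered && !connector->initialized;
}
/* Returns 0: a separately allocated output lies outside the array, the one case where free() is right. */
int check_heap_output(void)
{
    static struct virtio_gpu_device vgdev;
    struct virtio_gpu_output *heap = malloc(sizeof(*heap));
    int embedded = heap && output_is_embedded(&vgdev, heap);
    free(heap);
    return embedded;
}
```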
dri-devel mailing list
dri-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/dri-devel