Re: [PATCH] drm: Don't free a struct never allocated by drm_gem_fb_init()

Daniel Vetter <daniel@xxxxxxxx> · Wed, 15 Apr 2020 20:33:24 +0200



On Wed, Apr 15, 2020 at 7:19 PM Andrzej Pietrasiewicz
<andrzej.p@xxxxxxxxxxxxx> wrote:
>
> drm_gem_fb_init() is passed the fb and never allocates it, so it should be
> not the one freeing it. As it is now the second call to kfree() is possible
> with the same fb. Coverity reported the following:
>
> *** CID 1492613:  Memory - corruptions  (USE_AFTER_FREE)
> /drivers/gpu/drm/drm_gem_framebuffer_helper.c: 230 in drm_gem_fb_create_with_funcs()
> 224             fb = kzalloc(sizeof(*fb), GFP_KERNEL);
> 225             if (!fb)
> 226                     return ERR_PTR(-ENOMEM);
> 227
> 228             ret = drm_gem_fb_init_with_funcs(dev, fb, file, mode_cmd, funcs);
> 229             if (ret) {
> vvv     CID 1492613:  Memory - corruptions  (USE_AFTER_FREE)
> vvv     Calling "kfree" frees pointer "fb" which has already been freed. [Note: The source code implementation of the function has been overridden by a user model.]
> 230                     kfree(fb);
> 231                     return ERR_PTR(ret);
> 232             }
> 233
> 234             return fb;
> 235     }
>
> drm_gem_fb_init_with_funcs() calls drm_gem_fb_init()
> drm_gem_fb_init() calls kfree(fb)
>
> Reported-by: coverity-bot <keescook+coverity-bot@xxxxxxxxxxxx>
> Addresses-Coverity-ID: 1492613 ("Memory - corruptions")
> Fixes: f2b816d78a94 ("drm/core: Allow drivers allocate a subclass of struct drm_framebuffer")
> Signed-off-by: Andrzej Pietrasiewicz <andrzej.p@xxxxxxxxxxxxx>

Reviewed-by: Daniel Vetter <daniel.vetter@xxxxxxxx>

> ---
>  drivers/gpu/drm/drm_gem_framebuffer_helper.c | 4 +---
>  1 file changed, 1 insertion(+), 3 deletions(-)
>
> diff --git a/drivers/gpu/drm/drm_gem_framebuffer_helper.c b/drivers/gpu/drm/drm_gem_framebuffer_helper.c
> index cac15294aef6..ccc2c71fa491 100644
> --- a/drivers/gpu/drm/drm_gem_framebuffer_helper.c
> +++ b/drivers/gpu/drm/drm_gem_framebuffer_helper.c
> @@ -76,10 +76,8 @@ drm_gem_fb_init(struct drm_device *dev,
>                 fb->obj[i] = obj[i];
>
>         ret = drm_framebuffer_init(dev, fb, funcs);
> -       if (ret) {
> +       if (ret)
>                 drm_err(dev, "Failed to init framebuffer: %d\n", ret);
> -               kfree(fb);
> -       }
>
>         return ret;
>  }
> --
> 2.17.1
>


-- 
Daniel Vetter
Software Engineer, Intel Corporation
+41 (0) 79 365 57 48 - http://blog.ffwll.ch