lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20150913093607.GA6074@gmail.com>
Date:	Sun, 13 Sep 2015 11:36:07 +0200
From:	Ingo Molnar <mingo@...nel.org>
To:	Sudip Mukherjee <sudipm.mukherjee@...il.com>
Cc:	David Airlie <airlied@...ux.ie>,
	Daniel Vetter <daniel.vetter@...ll.ch>,
	linux-kernel@...r.kernel.org, dri-devel@...ts.freedesktop.org
Subject: Re: [PATCH] drm/mgag200: fix memory leak


* Sudip Mukherjee <sudipm.mukherjee@...il.com> wrote:

> If drm_fb_helper_alloc_fbi() fails then we were directly returning
> without freeing sysram. Also if drm_fb_helper_alloc_fbi() succeeds but
> mgag200_framebuffer_init() fails then we were not releasing sysram and
> we were not releasing fbi helper also.
> 
> Signed-off-by: Sudip Mukherjee <sudip@...torindia.org>
> ---
>  drivers/gpu/drm/mgag200/mgag200_fb.c | 15 ++++++++++++---
>  1 file changed, 12 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/gpu/drm/mgag200/mgag200_fb.c b/drivers/gpu/drm/mgag200/mgag200_fb.c
> index 87de15e..5fe476a 100644
> --- a/drivers/gpu/drm/mgag200/mgag200_fb.c
> +++ b/drivers/gpu/drm/mgag200/mgag200_fb.c
> @@ -189,14 +189,16 @@ static int mgag200fb_create(struct drm_fb_helper *helper,
>  		return -ENOMEM;
>  
>  	info = drm_fb_helper_alloc_fbi(helper);
> -	if (IS_ERR(info))
> -		return PTR_ERR(info);
> +	if (IS_ERR(info)) {
> +		ret = PTR_ERR(info);
> +		goto err_alloc_fbi;
> +	}
>  
>  	info->par = mfbdev;
>  
>  	ret = mgag200_framebuffer_init(dev, &mfbdev->mfb, &mode_cmd, gobj);
>  	if (ret)
> -		return ret;
> +		goto err_framebuffer_init;
>  
>  	mfbdev->sysram = sysram;
>  	mfbdev->size = size;
> @@ -226,6 +228,13 @@ static int mgag200fb_create(struct drm_fb_helper *helper,
>  	DRM_DEBUG_KMS("allocated %dx%d\n",
>  		      fb->width, fb->height);
>  	return 0;
> +
> +err_framebuffer_init:
> +	drm_fb_helper_release_fbi(helper);
> +
> +err_alloc_fbi:
> +	vfree(sysram);
> +	return ret;
>  }
>  
>  static int mga_fbdev_destroy(struct drm_device *dev,

There's a new regression: v4.3-rc1 crashes on bootup on non-supported hardware, if 
CONFIG_DRM_MGAG200=y (built into the kernel).

[   10.191561] bus: 'i2c': add device i2c-0
[   10.227367] mgadrmfb: enable CONFIG_FB_LITTLE_ENDIAN to support this framebuffer
[   10.235781] [drm:mgag200_modeset_init] *ERROR* mga_fbdev_init failed
[   10.242992] mgag200 0000:0b:00.0: Fatal error during modeset init: -22
[   10.250456] kfree_debugcheck: out of range ptr 6b6b6b6b6b6b6b6bh.
[   10.257378] invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC 
[   10.264730] Modules linked in:
[   10.268319] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.3.0-rc1-01643-g6013d75-dirty #15
[   10.277498] Hardware name: Intel Corporation S2600GZ/S2600GZ, BIOS SE5C600.86B.02.02.0002.122320131210 12/23/2013
[   10.289111] task: ffff88017fb6c040 ti: ffff88017fb70000 task.ti: ffff88017fb70000
[   10.297611] RIP: 0010:[<ffffffffa493d1a7>]  [<ffffffffa493d1a7>] kfree_debugcheck+0x20/0x25
[   10.307170] RSP: 0000:ffff88017fb73b28  EFLAGS: 00010086
[   10.313213] RAX: 0000000000000035 RBX: 6b6b6b6b6b6b6b6b RCX: 0000000000000000
[   10.321297] RDX: ffffffffa489ac8f RSI: ffffffffa489b27b RDI: ffffffffa489b11e
[   10.329381] RBP: ffff88017fb73b30 R08: 0000000000000001 R09: 0000000000000000
[   10.337466] R10: ffffffffa537dec0 R11: 0000000000000000 R12: 0000000000000001
[   10.345549] R13: ffffffffa4c2c22a R14: 0000000000000202 R15: ffff8807ee3f1018
[   10.353632] FS:  0000000000000000(0000) GS:ffff88081b200000(0000) knlGS:0000000000000000
[   10.362812] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   10.369330] CR2: 0000000000000000 CR3: 00000000258c0000 CR4: 00000000001406f0
[   10.377415] Stack:
[   10.379761]  6b6b6b6b6b6b6b6b ffff88017fb73b70 ffffffffa493e421 ffff8807ee784ea0
[   10.388499]  ffff8807ee784e18 0000000000000001 ffff8807ee361060 00000000ffffffea
[   10.397238]  ffff8807ee3f1018 ffff88017fb73b98 ffffffffa4c2c22a ffff8807ee784e18
[   10.405968] Call Trace:
[   10.408804]  [<ffffffffa493e421>] kfree+0x5a/0x195
[   10.414256]  [<ffffffffa4c2c22a>] drm_fb_helper_crtc_free+0x28/0x75
[   10.421368]  [<ffffffffa4c2cbbd>] drm_fb_helper_fini+0x6b/0x6e
[   10.427996]  [<ffffffffa4ce522d>] mgag200_fbdev_fini+0x8a/0xb9
[   10.434621]  [<ffffffffa4ce0a17>] mgag200_driver_unload+0x23/0x43
[   10.441539]  [<ffffffffa4ce0ee1>] mgag200_driver_load+0x4aa/0x4bc
[   10.448458]  [<ffffffffa4c3537c>] drm_dev_register+0x6a/0xab
[   10.454889]  [<ffffffffa4c36e42>] drm_get_pci_dev+0xe8/0x1ab
[   10.461322]  [<ffffffffa4ce4b73>] mga_pci_probe+0xa1/0xaa
[   10.467465]  [<ffffffffa4b785ba>] pci_device_probe+0x7e/0xe8
...

Thanks,

	Ingo
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ