lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 17 May 2024 12:35:05 +0200
From: AngeloGioacchino Del Regno <angelogioacchino.delregno@...labora.com>
To: Michael Walle <mwalle@...nel.org>, Chun-Kuang Hu
 <chunkuang.hu@...nel.org>, Philipp Zabel <p.zabel@...gutronix.de>,
 David Airlie <airlied@...il.com>, Daniel Vetter <daniel@...ll.ch>,
 Matthias Brugger <matthias.bgg@...il.com>
Cc: Jani Nikula <jani.nikula@...el.com>, Chen-Yu Tsai <wenst@...omium.org>,
 linux-mediatek@...ts.infradead.org, linux-kernel@...r.kernel.org,
 linux-arm-kernel@...ts.infradead.org
Subject: Re: [PATCH] drm/mediatek/dp: fix spurious kfree()

Il 17/05/24 11:30, Michael Walle ha scritto:
> drm_edid_to_sad() might return an error or just zero. If that is the
> case, we must not free the SADs because there was no allocation in
> the first place.
> 
> Fixes: dab12fa8d2bd ("drm/mediatek/dp: fix memory leak on ->get_edid callback audio detection")
> Signed-off-by: Michael Walle <mwalle@...nel.org>
> ---
>   drivers/gpu/drm/mediatek/mtk_dp.c | 10 ++++++++--
>   1 file changed, 8 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/gpu/drm/mediatek/mtk_dp.c b/drivers/gpu/drm/mediatek/mtk_dp.c
> index 536366956447..ada12927bbac 100644
> --- a/drivers/gpu/drm/mediatek/mtk_dp.c
> +++ b/drivers/gpu/drm/mediatek/mtk_dp.c
> @@ -2073,9 +2073,15 @@ static const struct drm_edid *mtk_dp_edid_read(struct drm_bridge *bridge,
>   		 */
>   		const struct edid *edid = drm_edid_raw(drm_edid);
>   		struct cea_sad *sads;
> +		int ret;
>   
> -		audio_caps->sad_count = drm_edid_to_sad(edid, &sads);
> -		kfree(sads);
> +		ret = drm_edid_to_sad(edid, &sads);
> +		/* Ignore any errors */
> +		if (ret < 0)
> +			ret = 0;
> +		if (ret)

Eh, this will never work, because you're clearing the error before checking
if there's any error here?!?! :-P


Anyway in reality, it returns -ENOMEM if the allocation was not successful...
in the event that any future update adds any other error we'd be back with the same
issue, but I'm not sure how much should we worry about that.

To be extremely safe, we could do...

if (ret != -ENOMEM)
	kfree(sads)

audio_caps->sad_count = ret < 0 ? 0 : ret;

Cheers!
Angelo

> +			kfree(sads);
> +		audio_caps->sad_count = ret;
>   
>   		/*
>   		 * FIXME: This should use connector->display_info.has_audio from

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ