| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 17 May 2024 13:07:06 +0200
From: "Michael Walle" <mwalle@...nel.org>
To: "AngeloGioacchino Del Regno" <angelogioacchino.delregno@...labora.com>,
"Chun-Kuang Hu" <chunkuang.hu@...nel.org>, "Philipp Zabel"
<p.zabel@...gutronix.de>, "David Airlie" <airlied@...il.com>, "Daniel
Vetter" <daniel@...ll.ch>, "Matthias Brugger" <matthias.bgg@...il.com>
Cc: "Jani Nikula" <jani.nikula@...el.com>, "Chen-Yu Tsai"
<wenst@...omium.org>, <linux-mediatek@...ts.infradead.org>,
<linux-kernel@...r.kernel.org>, <linux-arm-kernel@...ts.infradead.org>
Subject: Re: [PATCH] drm/mediatek/dp: fix spurious kfree()
On Fri May 17, 2024 at 12:35 PM CEST, AngeloGioacchino Del Regno wrote:
> Il 17/05/24 11:30, Michael Walle ha scritto:
> > drm_edid_to_sad() might return an error or just zero. If that is the
> > case, we must not free the SADs because there was no allocation in
> > the first place.
> >
> > Fixes: dab12fa8d2bd ("drm/mediatek/dp: fix memory leak on ->get_edid callback audio detection")
> > Signed-off-by: Michael Walle <mwalle@...nel.org>
> > ---
> > drivers/gpu/drm/mediatek/mtk_dp.c | 10 ++++++++--
> > 1 file changed, 8 insertions(+), 2 deletions(-)
> >
> > diff --git a/drivers/gpu/drm/mediatek/mtk_dp.c b/drivers/gpu/drm/mediatek/mtk_dp.c
> > index 536366956447..ada12927bbac 100644
> > --- a/drivers/gpu/drm/mediatek/mtk_dp.c
> > +++ b/drivers/gpu/drm/mediatek/mtk_dp.c
> > @@ -2073,9 +2073,15 @@ static const struct drm_edid *mtk_dp_edid_read(struct drm_bridge *bridge,
> > */
> > const struct edid *edid = drm_edid_raw(drm_edid);
> > struct cea_sad *sads;
> > + int ret;
> >
> > - audio_caps->sad_count = drm_edid_to_sad(edid, &sads);
> > - kfree(sads);
> > + ret = drm_edid_to_sad(edid, &sads);
> > + /* Ignore any errors */
> > + if (ret < 0)
> > + ret = 0;
> > + if (ret)
>
> Eh, this will never work, because you're clearing the error before checking
> if there's any error here?!?! :-P
Don't get what you mean? Yes, I'm ignoring the error. Thus, in case
of an error ret will be zero and there will be no free. If ret was
zero, there won't be a free either. So you're left with the "normal"
case, where you have to free the sads. Just like before.
> Anyway in reality, it returns -ENOMEM if the allocation was not successful...
> in the event that any future update adds any other error we'd be back with the same
> issue, but I'm not sure how much should we worry about that.
>
> To be extremely safe, we could do...
>
> if (ret != -ENOMEM)
> kfree(sads)
>
> audio_caps->sad_count = ret < 0 ? 0 : ret;
Which is the same as above, but you only check for ENOMEM?
-michael
>
> Cheers!
> Angelo
>
> > + kfree(sads);
> > + audio_caps->sad_count = ret;
> >
> > /*
> > * FIXME: This should use connector->display_info.has_audio from
Download attachment "signature.asc" of type "application/pgp-signature" (298 bytes)
Powered by blists - more mailing lists