lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <0d8f89d4-e16e-4c8d-b983-38df8fcc387e@collabora.com>
Date: Fri, 17 May 2024 13:09:35 +0200
From: AngeloGioacchino Del Regno <angelogioacchino.delregno@...labora.com>
To: Michael Walle <mwalle@...nel.org>, Chun-Kuang Hu
 <chunkuang.hu@...nel.org>, Philipp Zabel <p.zabel@...gutronix.de>,
 David Airlie <airlied@...il.com>, Daniel Vetter <daniel@...ll.ch>,
 Matthias Brugger <matthias.bgg@...il.com>
Cc: Jani Nikula <jani.nikula@...el.com>, Chen-Yu Tsai <wenst@...omium.org>,
 linux-mediatek@...ts.infradead.org, linux-kernel@...r.kernel.org,
 linux-arm-kernel@...ts.infradead.org
Subject: Re: [PATCH] drm/mediatek/dp: fix spurious kfree()

Il 17/05/24 13:07, Michael Walle ha scritto:
> On Fri May 17, 2024 at 12:35 PM CEST, AngeloGioacchino Del Regno wrote:
>> Il 17/05/24 11:30, Michael Walle ha scritto:
>>> drm_edid_to_sad() might return an error or just zero. If that is the
>>> case, we must not free the SADs because there was no allocation in
>>> the first place.
>>>
>>> Fixes: dab12fa8d2bd ("drm/mediatek/dp: fix memory leak on ->get_edid callback audio detection")
>>> Signed-off-by: Michael Walle <mwalle@...nel.org>
>>> ---
>>>    drivers/gpu/drm/mediatek/mtk_dp.c | 10 ++++++++--
>>>    1 file changed, 8 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/drivers/gpu/drm/mediatek/mtk_dp.c b/drivers/gpu/drm/mediatek/mtk_dp.c
>>> index 536366956447..ada12927bbac 100644
>>> --- a/drivers/gpu/drm/mediatek/mtk_dp.c
>>> +++ b/drivers/gpu/drm/mediatek/mtk_dp.c
>>> @@ -2073,9 +2073,15 @@ static const struct drm_edid *mtk_dp_edid_read(struct drm_bridge *bridge,
>>>    		 */
>>>    		const struct edid *edid = drm_edid_raw(drm_edid);
>>>    		struct cea_sad *sads;
>>> +		int ret;
>>>    
>>> -		audio_caps->sad_count = drm_edid_to_sad(edid, &sads);
>>> -		kfree(sads);
>>> +		ret = drm_edid_to_sad(edid, &sads);
>>> +		/* Ignore any errors */
>>> +		if (ret < 0)
>>> +			ret = 0;
>>> +		if (ret)
>>
>> Eh, this will never work, because you're clearing the error before checking
>> if there's any error here?!?! :-P
> 
> Don't get what you mean? Yes, I'm ignoring the error. Thus, in case
> of an error ret will be zero and there will be no free. If ret was
> zero, there won't be a free either. So you're left with the "normal"
> case, where you have to free the sads. Just like before.
> 
>> Anyway in reality, it returns -ENOMEM if the allocation was not successful...
>> in the event that any future update adds any other error we'd be back with the same
>> issue, but I'm not sure how much should we worry about that.
>>
>> To be extremely safe, we could do...
>>
>> if (ret != -ENOMEM)
>> 	kfree(sads)
>>
>> audio_caps->sad_count = ret < 0 ? 0 : ret;
> 
> Which is the same as above, but you only check for ENOMEM?
> 

Yes, the point is to avoid kfree(sads) for -ENOMEM only, as other errors that may
be introduced later might still allocate it and leave it allocated.

> -michael
> 
>>
>> Cheers!
>> Angelo
>>
>>> +			kfree(sads);
>>> +		audio_caps->sad_count = ret;
>>>    
>>>    		/*
>>>    		 * FIXME: This should use connector->display_info.has_audio from
> 


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ