Cc'ing some others

On Mon., 16 Jul. 2018, 23:33 Damir Shaikhutdinov, < damir.shaikhutdi...@opensynergy.com> wrote:
> Hi Dave!
>
> I'm debugging the virtio gpu unloading path in kernel 4.14, and found a bug
> that is present even in 4.18.
>
> In file drivers/gpu/drm/virtio/virtgpu_display.c:
>
> static void virtio_gpu_conn_destroy(struct drm_connector *connector)
> {
>         struct virtio_gpu_output *virtio_gpu_output =
>                 drm_connector_to_virtio_gpu_output(connector);
>
>         drm_connector_unregister(connector);
>         drm_connector_cleanup(connector);
>         kfree(virtio_gpu_output); // <--- here is the bug
> }
>
> https://elixir.bootlin.com/linux/v4.18-rc5/source/drivers/gpu/drm/virtio/virtgpu_display.c#L264
>
> This virtio_gpu_output pointer in this function points to memory NOT
> allocated by k*alloc, but to an element of the outputs array in struct
> virtio device.
>
> You can find the actual code that initializes the connector a few lines lower:
>
>         struct virtio_gpu_output *output = vgdev->outputs + index;
>         struct drm_connector *connector = &output->conn;
>
>         ....
>         drm_connector_init(dev, connector, &virtio_gpu_connector_funcs,
>                            DRM_MODE_CONNECTOR_VIRTUAL);
>
> So, connector points to the field "conn" inside struct "virtio_gpu_output",
> which is an element of the array vgdev->outputs, and not something that was
> allocated separately.
>
> Kfree-ing it is an error.
>
> Can you confirm that bug?
>
> With best regards,
>
> Damir Shaikhutdinov
> Senior Software Engineer
>
> OpenSynergy GmbH
> Rotherstr. 20, 10245 Berlin
>
> Phone: +49 30 60 98 54 0.
> Fax: +49 30 60 98 54 0 -99
> EMail: damir.shaikhutdi...@opensynergy.com
> www.opensynergy.com
>
> Handelsregister/Commercial Registry: Amtsgericht Charlottenburg, HRB 108616B
> Geschäftsführung: Stefaan Sonck Thiebaut, Rolf Morich
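The invalid-free pattern described in the mail, as an added user-space example that is not part of the thread or of the kernel source. The struct and function names mirror the kernel ones but are stand-ins; mock_kmalloc()/mock_kfree() keep a small ledger of live allocations so that freeing a pointer that was never allocated is reported as a return code instead of corrupting the heap, and output_is_embedded() is a hypothetical range check showing how to tell an array element inside the device struct from a separately allocated object.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Mock of the layout in the mail: the connector is embedded in an output,
 * and the outputs are a fixed array inside the device struct. */
#define VIRTIO_GPU_MAX_SCANOUTS 16

struct drm_connector { bool registered; bool initialized; };
struct virtio_gpu_output { int index; struct drm_connector conn; };
struct virtio_gpu_device {
    int num_scanouts;
    struct virtio_gpu_output outputs[VIRTIO_GPU_MAX_SCANOUTS];
};

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))
#define drm_connector_to_virtio_gpu_output(c) \
    container_of(c, struct virtio_gpu_output, conn)

/* Ledger of live mock_kmalloc() allocations (constructed for this example);
 * it stands in for the allocator metadata the real kfree() relies on. */
#define LEDGER_SLOTS 8
static void *ledger[LEDGER_SLOTS];

static void *mock_kmalloc(size_t n)
{
    void *p = calloc(1, n);
    for (int i = 0; p && i < LEDGER_SLOTS; i++) {
        if (!ledger[i]) { ledger[i] = p; return p; }
    }
    free(p);
    return NULL;
}

/* 0 on success; -1 when p never came from mock_kmalloc(), the case the
 * real kfree() cannot tolerate (heap corruption or a panic). */
static int mock_kfree(void *p)
{
    if (!p) return 0;
    for (int i = 0; i < LEDGER_SLOTS; i++) {
        if (ledger[i] == p) { ledger[i] = NULL; free(p); return 0; }
    }
    return -1;
}

/* Stand-ins for the DRM connector helpers. */
static void drm_connector_init(struct drm_connector *c) { c->initialized = true; c->registered = true; }
static void drm_connector_unregister(struct drm_connector *c) { c->registered = false; }
static void drm_connector_cleanup(struct drm_connector *c) { c->initialized = false; }

/* Mirrors the init path quoted in the mail: output = vgdev->outputs + index. */
static struct drm_connector *vgdev_output_init(struct virtio_gpu_device *vgdev, int index)
{
    struct virtio_gpu_output *output = vgdev->outputs + index;
    struct drm_connector *connector = &output->conn;
    output->index = index;
    drm_connector_init(connector);
    return connector;
}

/* Hypothetical check: true when output lies inside vgdev->outputs[], so its
 * storage belongs to vgdev and must never be freed on its own. */
static bool output_is_embedded(const struct virtio_gpu_device *vgdev,
                               const struct virtio_gpu_output *output)
{
    uintptr_t lo = (uintptr_t)vgdev->outputs;
    uintptr_t hi = lo + sizeof(vgdev->outputs);
    uintptr_t p = (uintptr_t)output;
    return p >= lo && p < hi;
}

/* The destroy path as quoted in the mail; the trailing free is the bug. */
static int virtio_gpu_conn_destroy_buggy(struct drm_connector *connector)
{
    struct virtio_gpu_output *output = drm_connector_to_virtio_gpu_output(connector);
    drm_connector_unregister(connector);
    drm_connector_cleanup(connector);
    return mock_kfree(output);  /* invalid: output is &vgdev->outputs[i] */
}

/* Corrected path: the output's storage lives and dies with vgdev. */
static int virtio_gpu_conn_destroy_fixed(struct drm_connector *connector)
{
    drm_connector_unregister(connector);
    drm_connector_cleanup(connector);
    return 0;
}

bool demo_embedded_check(void)
{
    struct virtio_gpu_device *vgdev = mock_kmalloc(sizeof(*vgdev));
    struct drm_connector *c = vgdev_output_init(vgdev, 3);
    bool embedded = output_is_embedded(vgdev, drm_connector_to_virtio_gpu_output(c));
    mock_kfree(vgdev);
    return embedded;
}

int demo_buggy_destroy(void)
{
    struct virtio_gpu_device *vgdev = mock_kmalloc(sizeof(*vgdev));
    int rc = virtio_gpu_conn_destroy_buggy(vgdev_output_init(vgdev, 0));
    mock_kfree(vgdev);
    return rc;  /* -1: the output was never a separate allocation */
}

int demo_fixed_destroy(void)
{
    struct virtio_gpu_device *vgdev = mock_kmalloc(sizeof(*vgdev));
    int rc = virtio_gpu_conn_destroy_fixed(vgdev_output_init(vgdev, 0));
    return rc ? rc : mock_kfree(vgdev);  /* 0: only the device struct is freed */
}

int main(void)
{
    printf("embedded=%d buggy=%d fixed=%d\n",
           demo_embedded_check(), demo_buggy_destroy(), demo_fixed_destroy());
    return 0;
}
```

In the kernel there is no ledger to consult: kfree() on an address inside another object silently corrupts slab metadata or trips a panic later, which is why the fix is to drop the kfree() from the connector destroy path and let the output storage go away with the device struct that contains it.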
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel