
[v2,resend,1/2] gpu: host1x: fix potential double free if IOMMU is disabled

Message ID 20221126073315.365567-2-yangyingliang@huawei.com
State Accepted
Series gpu: host1x: possible double free and memory leak

Commit Message

Yang Yingliang Nov. 26, 2022, 7:33 a.m. UTC
If the context device has no IOMMU, 'cdl->devs' is freed in the
error path, but host1x_memory_context_list_init() doesn't
return an error code, so the module can be loaded successfully.
When it is unloaded, host1x_memory_context_list_free() is
called in host1x_remove(), which causes a double free. Set
'cdl->devs' to NULL after freeing it to avoid the double free.

Fixes: 8aa5bcb61612 ("gpu: host1x: Add context device management code")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
---
 drivers/gpu/host1x/context.c | 1 +
 1 file changed, 1 insertion(+)

Comments

Mikko Perttunen Nov. 28, 2022, 9:47 a.m. UTC | #1
On 11/26/22 09:33, Yang Yingliang wrote:
> If the context device has no IOMMU, 'cdl->devs' is freed in the
> error path, but host1x_memory_context_list_init() doesn't
> return an error code, so the module can be loaded successfully.
> When it is unloaded, host1x_memory_context_list_free() is
> called in host1x_remove(), which causes a double free. Set
> 'cdl->devs' to NULL after freeing it to avoid the double free.
> 
> Fixes: 8aa5bcb61612 ("gpu: host1x: Add context device management code")
> Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
> ---
>   drivers/gpu/host1x/context.c | 1 +
>   1 file changed, 1 insertion(+)
> 
> diff --git a/drivers/gpu/host1x/context.c b/drivers/gpu/host1x/context.c
> index b08cf11f9a66..291f34562e2e 100644
> --- a/drivers/gpu/host1x/context.c
> +++ b/drivers/gpu/host1x/context.c
> @@ -87,6 +87,7 @@ int host1x_memory_context_list_init(struct host1x *host1x)
>   		device_del(&cdl->devs[i].dev);
>   
>   	kfree(cdl->devs);
> +	cdl->devs = NULL;
>   	cdl->len = 0;
>   
>   	return err;
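Review bot: the reset at `cdl->devs = NULL;` is only safe because kfree(NULL) is a no-op, so host1x_memory_context_list_free() can still call kfree() on the list unconditionally; it also pairs with the existing `cdl->len = 0;`, which is what stops any later loop over the freed array. Since both resets have to stay together for the fix to hold, a one-line comment above `kfree(cdl->devs);` saying that the list is deliberately left empty and that this unwind path can be reached with err == 0 (as the commit message describes) would keep a future refactor from dropping or reordering either of them.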

Thanks!

Reviewed-by: Mikko Perttunen <mperttunen@nvidia.com>

Thierry Reding April 4, 2023, 12:25 p.m. UTC | #2
From: Thierry Reding <treding@nvidia.com>

On Sat, 26 Nov 2022 15:33:14 +0800, Yang Yingliang wrote:
> If the context device has no IOMMU, 'cdl->devs' is freed in the
> error path, but host1x_memory_context_list_init() doesn't
> return an error code, so the module can be loaded successfully.
> When it is unloaded, host1x_memory_context_list_free() is
> called in host1x_remove(), which causes a double free. Set
> 'cdl->devs' to NULL after freeing it to avoid the double free.
> 
> [...]

Applied, thanks!

[1/2] gpu: host1x: fix potential double free if IOMMU is disabled
      (no commit info)

Best regards,

Patch

diff --git a/drivers/gpu/host1x/context.c b/drivers/gpu/host1x/context.c
index b08cf11f9a66..291f34562e2e 100644
--- a/drivers/gpu/host1x/context.c
+++ b/drivers/gpu/host1x/context.c
@@ -87,6 +87,7 @@  int host1x_memory_context_list_init(struct host1x *host1x)
 		device_del(&cdl->devs[i].dev);
 
 	kfree(cdl->devs);
+	cdl->devs = NULL;
 	cdl->len = 0;
 
 	return err;
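Review bot: the hunk removes the double free but leaves the control flow that caused it undocumented: according to the commit message this unwind path is reached without err being set, so `return err;` hands back 0 and probe continues with an empty context list. If running without an IOMMU is a supported configuration, a short comment at the `return err;` site stating that the list is intentionally emptied and the function succeeds (or a check of cdl->len in the caller) would stop readers from treating the device_del()/kfree() block above it as a failure path that is expected to return an error code.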