Cc'ing some others

On Mon., 16 Jul. 2018, 23:33 Damir Shaikhutdinov, <Damir.Shaikhutdinov@opensynergy.com> wrote:
Hi Dave!

I'm debugging the virtio gpu unloading path in kernel 4.14, and found a bug that is present even in 4.18.

In file drivers/gpu/drm/virtio/virtgpu_display.c:

static void virtio_gpu_conn_destroy(struct drm_connector *connector)
{
	struct virtio_gpu_output *virtio_gpu_output =
		drm_connector_to_virtio_gpu_output(connector);

	drm_connector_unregister(connector);
	drm_connector_cleanup(connector);
	kfree(virtio_gpu_output); // <--- here is the bug
}

https://elixir.bootlin.com/linux/v4.18-rc5/source/drivers/gpu/drm/virtio/virtgpu_display.c#L264

The virtio_gpu_output pointer in this function points to memory NOT allocated by k*alloc, but to an element of
the outputs array in struct virtio device.

You can find the actual code that initializes the connector a few lines lower:

	struct virtio_gpu_output *output = vgdev->outputs + index;
	struct drm_connector *connector = &output->conn;

	....
	drm_connector_init(dev, connector, &virtio_gpu_connector_funcs, DRM_MODE_CONNECTOR_VIRTUAL);

So, connector points to the field "conn" inside struct "virtio_gpu_output", which is an element of the array
vgdev->outputs, and not something that was allocated separately.

Kfree-ing it is an error.

Can you confirm this bug?


With best regards,
Damir Shaikhutdinov
Senior Software Engineer

OpenSynergy GmbH
Rotherstr. 20, 10245 Berlin

Phone: +49 30 60 98 54 0.
Fax:      +49 30 60 98 54 0 -99
EMail:   damir.shaikhutdinov@opensynergy.com

www.opensynergy.com

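The ownership relationship in the report, as an added user-space model (not kernel or OpenSynergy code): the connector is recovered from its enclosing output with container_of, a check confirms the output lives inside vgdev->outputs, and the corrected destroy path tears down the connector without freeing the output. MAX_OUTPUTS, the stand-in connector fields and the *_fixed / *_is_embedded / *_keeps_output_valid helpers are assumptions.

```c
/* Added example (not kernel or OpenSynergy code) modelling the ownership in the
 * report: conn is embedded in virtio_gpu_output, an element of vgdev->outputs.
 * MAX_OUTPUTS and the *_fixed / *_is_embedded helpers are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#define MAX_OUTPUTS 16
#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

struct drm_connector { int id; bool registered; };
struct virtio_gpu_output {
    int index;
    struct drm_connector conn;    /* embedded, never allocated on its own */
};
struct virtio_gpu_device {
    struct virtio_gpu_output outputs[MAX_OUTPUTS];    /* owned by the device */
};

static struct virtio_gpu_output *drm_connector_to_virtio_gpu_output(struct drm_connector *c)
{ return container_of(c, struct virtio_gpu_output, conn); }

/* True when `output` is an element of vgdev->outputs: never kfree() such a pointer. */
bool output_is_embedded(const struct virtio_gpu_device *vgdev,
                        const struct virtio_gpu_output *output)
{
    uintptr_t p = (uintptr_t)output, lo = (uintptr_t)&vgdev->outputs[0];
    uintptr_t hi = (uintptr_t)&vgdev->outputs[MAX_OUTPUTS];
    return p >= lo && p < hi && (p - lo) % sizeof(*output) == 0;
}

/* Corrected teardown: clean up the connector only; the output dies with the device. */
void virtio_gpu_conn_destroy_fixed(struct drm_connector *connector)
{
    connector->registered = false;    /* stands in for drm_connector_unregister */
    connector->id = -1;               /* stands in for drm_connector_cleanup */
}

/* Recover the output from its connector, confirm it is embedded, destroy the
 * connector and check that the output memory is still intact afterwards. */
bool conn_destroy_keeps_output_valid(void)
{
    static struct virtio_gpu_device vgdev;   /* stands in for the device allocation */
    struct drm_connector *connector = &vgdev.outputs[3].conn;
    struct virtio_gpu_output *output = drm_connector_to_virtio_gpu_output(connector);
    output->index = 3; connector->registered = true;
    if (output != &vgdev.outputs[3] || !output_is_embedded(&vgdev, output)) return false;
    virtio_gpu_conn_destroy_fixed(connector);
    return !connector->registered && output->index == 3;   /* still addressable */
}
```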