Thank you for pointing out my spelling error. OK, I have uploaded a PoC and compiled it to a binary; you can test it.
regards, butt3rflyh4ck.
On Fri, Jul 10, 2020 at 7:53 PM Dan Carpenter <dan.carpenter@oracle.com> wrote:
> On Fri, Jul 10, 2020 at 04:24:03PM +0800, butt3rflyh4ck wrote:
> > I am reporting a bug (in linux-5.8.0-rc4) found by syzkaller.
> > kernel config: https://github.com/butterflyhack/syzkaller-fuzz/blob/master/v5.8.0-rc4.confi...
> > I tested the reproducer and it crashes too.
> > In the drm_em_vram_t() function, ttm_bo_init() calls
>          ^^^^^^^^^^^^^
> This is a typo. The function name is drm_gem_vram_init().
> > ttm_bo_init_reserved(); the ttm_bo_init_reserved() function calls ttm_bo_put(), which frees gbo->bo, a struct ttm_buffer_object.
> > Then it goes to the err_drm_gem_object_release label, and drm_gem_object_release() frees gbo->bo.base, which causes a use-after-free.
> There is a third free in drm_gem_vram_create(). This is a triple free bug. The correct place to free this is in drm_gem_vram_create() because that's where it was allocated.
> This code is quite subtle so I'm not going to attempt to fix it because I can't test it.
> regards, dan carpenter
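The ownership mistake the thread describes, as an added C illustration that is not part of the e-mail exchange or of the kernel code: a reference-counted object whose inner init drops its reference on failure, whose wrapper's error label drops it again, and whose allocator drops it a third time, beside the form where only the function that allocated the object releases it. All names (obj, obj_put, create_buggy, create_fixed) are hypothetical stand-ins, and a release counter stands in for the real free so the over-release can be observed instead of crashing.

```c
/* Simplified model of the error-path ownership bug discussed above.
 * Names are hypothetical stand-ins for the drm/ttm functions. */
struct obj { int refs; int released; };   /* refs: live references (1 after alloc);
                                             released: times released, must end at 1 */

/* Drop one reference. The first drop to zero is the real free;
 * any later drop is the double free. */
static void obj_put(struct obj *o)
{
    if (--o->refs <= 0)
        o->released++;
}

/* Inner init that drops the reference itself when it fails
 * (what the thread says ttm_bo_init_reserved() does on error). */
static int inner_init_buggy(struct obj *o, int fail)
{
    if (fail) { obj_put(o); return -1; }
    return 0;
}

/* Wrapper whose error label releases again (the goto in drm_gem_vram_init()). */
static int wrapper_init_buggy(struct obj *o, int fail)
{
    if (inner_init_buggy(o, fail)) {
        obj_put(o);   /* err_drm_gem_object_release: second release */
        return -1;
    }
    return 0;
}

/* Allocator that releases a third time on failure: the triple free. */
int create_buggy(struct obj *o, int fail)
{
    o->refs = 1; o->released = 0;
    if (wrapper_init_buggy(o, fail)) { obj_put(o); return -1; }
    return 0;
}

/* Fixed ownership: the inner layers only report failure; the function
 * that allocated the object is the only one that releases it. */
static int inner_init_fixed(struct obj *o, int fail) { (void)o; return fail ? -1 : 0; }

int create_fixed(struct obj *o, int fail)
{
    o->refs = 1; o->released = 0;
    if (inner_init_fixed(o, fail)) { obj_put(o); return -1; }
    return 0;
}
```

On the failing path the buggy chain releases the object three times while the fixed chain releases it exactly once.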