Cc'ing some others
On Mon., 16 Jul. 2018, 23:33 Damir Shaikhutdinov, <Damir.Shaikhutdinov@opensynergy.com> wrote:
Hi Dave!
I'm debugging the virtio gpu unloading path in kernel 4.14, and found a bug that is present even in 4.18.
In file drivers/gpu/drm/virtio/virtgpu_display.c:
    static void virtio_gpu_conn_destroy(struct drm_connector *connector)
    {
        struct virtio_gpu_output *virtio_gpu_output =
            drm_connector_to_virtio_gpu_output(connector);

        drm_connector_unregister(connector);
        drm_connector_cleanup(connector);
        kfree(virtio_gpu_output); // <--- here is the bug
    }
https://elixir.bootlin.com/linux/v4.18-rc5/source/drivers/gpu/drm/virtio/vir...
The virtio_gpu_output pointer in this function points to memory NOT allocated by k*alloc, but to an element of the outputs array in the struct virtio device.
You can find the actual code that initializes the connector a few lines lower:
    struct virtio_gpu_output *output = vgdev->outputs + index;
    struct drm_connector *connector = &output->conn;
    ....
    drm_connector_init(dev, connector, &virtio_gpu_connector_funcs,
                       DRM_MODE_CONNECTOR_VIRTUAL);
So, connector points to the field "conn" inside struct "virtio_gpu_output", which is an element of the array vgdev->outputs, and not something that was allocated separately.
kfree-ing it is an error.
Can you confirm that bug?
With best regards,
Damir Shaikhutdinov Senior Software Engineer
OpenSynergy GmbH Rotherstr. 20, 10245 Berlin
Phone: +49 30 60 98 54 0. Fax: +49 30 60 98 54 0 -99 EMail: damir.shaikhutdinov@opensynergy.com www.opensynergy.com
Handelsregister/Commercial Registry: Amtsgericht Charlottenburg, HRB 108616B Geschäftsführung: Stefaan Sonck Thiebaut, Rolf Morich
dri-devel@lists.freedesktop.org
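The ownership relationship the report describes, as an added example in user-space C (not the driver's code and not the reporter's): a connector embedded in an output, outputs held in an array embedded in the device, a container_of-style recovery that yields a pointer inside the device allocation, and a teardown callback that cleans the connector up without freeing it. The names vg_device, vg_output, vg_connector, vg_ptr_inside and vg_count_embedded are assumptions chosen for the illustration and stand in for the driver's own types.

```c
/* Added example, not the driver's code: a user-space model of why freeing
 * the output pointer recovered from an embedded connector is an invalid free.
 * vg_device / vg_output / vg_connector are hypothetical stand-ins for
 * virtio_gpu_device / virtio_gpu_output / drm_connector. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define VG_MAX_OUTPUTS 16

struct vg_connector { int registered; int initialised; };

struct vg_output {
    int index;
    struct vg_connector conn;        /* embedded, like virtio_gpu_output.conn */
};

struct vg_device {
    int num_outputs;
    struct vg_output outputs[VG_MAX_OUTPUTS]; /* embedded array, like vgdev->outputs */
};

/* Recover the enclosing struct from a pointer to one of its members
 * (the role drm_connector_to_virtio_gpu_output plays in the driver). */
#define vg_container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

static struct vg_output *vg_connector_to_output(struct vg_connector *conn)
{
    return vg_container_of(conn, struct vg_output, conn);
}

/* True when p lies inside the block [base, base + size). Such a pointer is
 * owned by whoever allocated the block and must never be freed on its own. */
static bool vg_ptr_inside(const void *base, size_t size, const void *p)
{
    uintptr_t b = (uintptr_t)base, q = (uintptr_t)p;
    return q >= b && q < b + size;
}

/* Corrected teardown: unregister and clean up the connector, but leave the
 * storage alone because the output is part of the device allocation. */
static void vg_conn_destroy(struct vg_connector *conn)
{
    struct vg_output *out = vg_connector_to_output(conn);
    conn->registered = 0;
    conn->initialised = 0;
    (void)out;                       /* nothing to free here */
}

/* One allocation for the device; outputs are initialised in place with the
 * same pointer arithmetic as "vgdev->outputs + index" in the report. */
static struct vg_device *vg_device_alloc(int n)
{
    struct vg_device *dev = calloc(1, sizeof *dev);
    if (!dev || n > VG_MAX_OUTPUTS) { free(dev); return NULL; }
    dev->num_outputs = n;
    for (int i = 0; i < n; i++) {
        struct vg_output *out = dev->outputs + i;
        struct vg_connector *conn = &out->conn;
        out->index = i;
        conn->initialised = 1;
        conn->registered = 1;
    }
    return dev;
}

/* Review-style check: for every connector, does the pointer the destroy
 * callback would recover live inside the device allocation? Returns how many
 * do; for this layout that is all of them, so none may be freed separately. */
static int vg_count_embedded(struct vg_device *dev)
{
    int n = 0;
    for (int i = 0; i < dev->num_outputs; i++) {
        struct vg_output *out = vg_connector_to_output(&dev->outputs[i].conn);
        if (out == dev->outputs + i && vg_ptr_inside(dev, sizeof *dev, out))
            n++;
    }
    return n;
}

/* The single free that matches the single allocation. */
static void vg_device_free(struct vg_device *dev)
{
    for (int i = 0; i < dev->num_outputs; i++)
        vg_conn_destroy(&dev->outputs[i].conn);
    free(dev);
}

int main(void)
{
    struct vg_device *dev = vg_device_alloc(3);
    if (!dev) return 1;
    printf("%d of %d connectors live inside the device allocation\n",
           vg_count_embedded(dev), dev->num_outputs);
    vg_device_free(dev);
    return 0;
}
```

Running the same layout under a heap checker (for example a build with AddressSanitizer, or the kernel with KASAN or slub_debug) is how a free of an interior pointer like this is normally caught: the allocator reports that the address passed to free was never the start of an allocation.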