* [jgunthorpe:pr/3 47/49] samples/vfio-mdev/mbochs.c:565:7-17: ERROR: reference preceded by free on line 558 (fwd)
@ 2021-03-02 19:35 Julia Lawall
From: Julia Lawall @ 2021-03-02 19:35 UTC (permalink / raw)
To: kbuild-all
Hello,
There is a clear use after free/double free at the end of this function.
julia
---------- Forwarded message ----------
Date: Tue, 2 Mar 2021 21:38:20 +0800
From: kernel test robot <lkp@intel.com>
To: kbuild(a)lists.01.org
Cc: lkp(a)intel.com, Julia Lawall <julia.lawall@lip6.fr>
Subject: [jgunthorpe:pr/3 47/49] samples/vfio-mdev/mbochs.c:565:7-17: ERROR:
reference preceded by free on line 558
CC: kbuild-all(a)lists.01.org
TO: Jason Gunthorpe <jgg@nvidia.com>
tree: https://github.com/jgunthorpe/linux pr/3
head: 149ed847a48641c2da496c00eec4d077d1ce61a6
commit: 3123f620f4f19dd10cbc81b04687f98eebadab1a [47/49] vfio/mbochs: Convert to use vfio_register_group_dev()
:::::: branch date: 12 hours ago
:::::: commit date: 12 hours ago
config: arm64-randconfig-c003-20210302 (attached as .config)
compiler: aarch64-linux-gcc (GCC) 9.3.0
If you fix the issue, kindly add the following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Julia Lawall <julia.lawall@lip6.fr>
"coccinelle warnings: (new ones prefixed by >>)"
>> samples/vfio-mdev/mbochs.c:565:7-17: ERROR: reference preceded by free on line 558
vim +565 samples/vfio-mdev/mbochs.c
a5e6e6505f38f7 Gerd Hoffmann 2018-05-11  507  
3123f620f4f19d Jason Gunthorpe 2021-02-26  508  static int mbochs_probe(struct mdev_device *mdev)
a5e6e6505f38f7 Gerd Hoffmann 2018-05-11  509  {
7422d3095cdf9c Jason Gunthorpe 2021-02-25  510  	const struct mbochs_type *type =
7422d3095cdf9c Jason Gunthorpe 2021-02-25  511  		&mbochs_types[mdev_get_type_group_id(mdev)];
a5e6e6505f38f7 Gerd Hoffmann 2018-05-11  512  	struct device *dev = mdev_dev(mdev);
a5e6e6505f38f7 Gerd Hoffmann 2018-05-11  513  	struct mdev_state *mdev_state;
3123f620f4f19d Jason Gunthorpe 2021-02-26  514  	int ret = -ENOMEM;
a5e6e6505f38f7 Gerd Hoffmann 2018-05-11  515  
a5e6e6505f38f7 Gerd Hoffmann 2018-05-11  516  	if (!type)
a5e6e6505f38f7 Gerd Hoffmann 2018-05-11  517  		type = &mbochs_types[0];
a5e6e6505f38f7 Gerd Hoffmann 2018-05-11  518  	if (type->mbytes + mbochs_used_mbytes > max_mbytes)
a5e6e6505f38f7 Gerd Hoffmann 2018-05-11  519  		return -ENOMEM;
a5e6e6505f38f7 Gerd Hoffmann 2018-05-11  520  
a5e6e6505f38f7 Gerd Hoffmann 2018-05-11  521  	mdev_state = kzalloc(sizeof(struct mdev_state), GFP_KERNEL);
a5e6e6505f38f7 Gerd Hoffmann 2018-05-11  522  	if (mdev_state == NULL)
a5e6e6505f38f7 Gerd Hoffmann 2018-05-11  523  		return -ENOMEM;
3123f620f4f19d Jason Gunthorpe 2021-02-26  524  	vfio_init_group_dev(&mdev_state->vdev, &mdev->dev, &mbochs_dev_ops);
a5e6e6505f38f7 Gerd Hoffmann 2018-05-11  525  
a5e6e6505f38f7 Gerd Hoffmann 2018-05-11  526  	mdev_state->vconfig = kzalloc(MBOCHS_CONFIG_SPACE_SIZE, GFP_KERNEL);
a5e6e6505f38f7 Gerd Hoffmann 2018-05-11  527  	if (mdev_state->vconfig == NULL)
a5e6e6505f38f7 Gerd Hoffmann 2018-05-11  528  		goto err_mem;
a5e6e6505f38f7 Gerd Hoffmann 2018-05-11  529  
a5e6e6505f38f7 Gerd Hoffmann 2018-05-11  530  	mdev_state->memsize = type->mbytes * 1024 * 1024;
a5e6e6505f38f7 Gerd Hoffmann 2018-05-11  531  	mdev_state->pagecount = mdev_state->memsize >> PAGE_SHIFT;
a5e6e6505f38f7 Gerd Hoffmann 2018-05-11  532  	mdev_state->pages = kcalloc(mdev_state->pagecount,
a5e6e6505f38f7 Gerd Hoffmann 2018-05-11  533  				    sizeof(struct page *),
a5e6e6505f38f7 Gerd Hoffmann 2018-05-11  534  				    GFP_KERNEL);
a5e6e6505f38f7 Gerd Hoffmann 2018-05-11  535  	if (!mdev_state->pages)
a5e6e6505f38f7 Gerd Hoffmann 2018-05-11  536  		goto err_mem;
a5e6e6505f38f7 Gerd Hoffmann 2018-05-11  537  
a5e6e6505f38f7 Gerd Hoffmann 2018-05-11  538  	dev_info(dev, "%s: %s, %d MB, %ld pages\n", __func__,
7422d3095cdf9c Jason Gunthorpe 2021-02-25  539  		 type->name, type->mbytes, mdev_state->pagecount);
a5e6e6505f38f7 Gerd Hoffmann 2018-05-11  540  
a5e6e6505f38f7 Gerd Hoffmann 2018-05-11  541  	mutex_init(&mdev_state->ops_lock);
a5e6e6505f38f7 Gerd Hoffmann 2018-05-11  542  	mdev_state->mdev = mdev;
a5e6e6505f38f7 Gerd Hoffmann 2018-05-11  543  	INIT_LIST_HEAD(&mdev_state->dmabufs);
a5e6e6505f38f7 Gerd Hoffmann 2018-05-11  544  	mdev_state->next_id = 1;
a5e6e6505f38f7 Gerd Hoffmann 2018-05-11  545  
a5e6e6505f38f7 Gerd Hoffmann 2018-05-11  546  	mdev_state->type = type;
104c7405a64d93 Gerd Hoffmann 2018-09-21  547  	mdev_state->edid_regs.max_xres = type->max_x;
104c7405a64d93 Gerd Hoffmann 2018-09-21  548  	mdev_state->edid_regs.max_yres = type->max_y;
104c7405a64d93 Gerd Hoffmann 2018-09-21  549  	mdev_state->edid_regs.edid_offset = MBOCHS_EDID_BLOB_OFFSET;
104c7405a64d93 Gerd Hoffmann 2018-09-21  550  	mdev_state->edid_regs.edid_max_size = sizeof(mdev_state->edid_blob);
a5e6e6505f38f7 Gerd Hoffmann 2018-05-11  551  	mbochs_create_config_space(mdev_state);
3123f620f4f19d Jason Gunthorpe 2021-02-26  552  	mbochs_reset(mdev_state);
a5e6e6505f38f7 Gerd Hoffmann 2018-05-11  553  
a5e6e6505f38f7 Gerd Hoffmann 2018-05-11  554  	mbochs_used_mbytes += type->mbytes;
3123f620f4f19d Jason Gunthorpe 2021-02-26  555  
3123f620f4f19d Jason Gunthorpe 2021-02-26  556  	ret = vfio_register_group_dev(&mdev_state->vdev);
3123f620f4f19d Jason Gunthorpe 2021-02-26  557  	if (ret) {
3123f620f4f19d Jason Gunthorpe 2021-02-26 @558  		kfree(mdev_state);
3123f620f4f19d Jason Gunthorpe 2021-02-26  559  		goto err_mem;
3123f620f4f19d Jason Gunthorpe 2021-02-26  560  	}
3123f620f4f19d Jason Gunthorpe 2021-02-26  561  	dev_set_drvdata(&mdev->dev, mdev_state);
a5e6e6505f38f7 Gerd Hoffmann 2018-05-11  562  	return 0;
a5e6e6505f38f7 Gerd Hoffmann 2018-05-11  563  
a5e6e6505f38f7 Gerd Hoffmann 2018-05-11  564  err_mem:
a5e6e6505f38f7 Gerd Hoffmann 2018-05-11 @565  	kfree(mdev_state->vconfig);
a5e6e6505f38f7 Gerd Hoffmann 2018-05-11  566  	kfree(mdev_state);
3123f620f4f19d Jason Gunthorpe 2021-02-26  567  	return ret;
a5e6e6505f38f7 Gerd Hoffmann 2018-05-11  568  }
a5e6e6505f38f7 Gerd Hoffmann 2018-05-11  569  
:::::: The code at line 565 was first introduced by commit
:::::: a5e6e6505f38f7bce1d3576503a2bffff3fa888c sample: vfio bochs vbe display (host device for bochs-drm)
:::::: TO: Gerd Hoffmann <kraxel@redhat.com>
:::::: CC: Alex Williamson <alex.williamson@redhat.com>
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all(a)lists.01.org
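The error-path shape the robot flags, modelled in user-space C as an added example (not code from the report or from the mbochs driver): a quarantining stand-in for kfree() counts a second free of the same pointer instead of crashing, and probe() runs the flagged sequence (free before goto, label frees again) beside a corrected one in which only the err_mem label releases resources. The struct, the 64-byte buffer and the register_fails switch are constructed for the demo.

```c
#include <stdlib.h>

/* Stand-in for the driver state in the report: one struct owning a nested buffer. */
struct mdev_state { char *vconfig; };
#define ENOMEM_ERR 12 /* stands in for -ENOMEM */

/* Quarantining kfree() stand-in: a second free of the same pointer is counted
 * instead of crashing, and memory is never handed back to the system, so the
 * read of s->vconfig after s was freed stays observable instead of undefined. */
static void *freed[16];
static int nfreed, double_frees;

static void reset_tracker(void) { nfreed = double_frees = 0; }
static int double_free_count(void) { return double_frees; }

static void tracked_free(void *p)
{
	if (!p)
		return; /* kfree(NULL) is a no-op */
	for (int i = 0; i < nfreed; i++)
		if (freed[i] == p) {
			double_frees++; /* already on the freed list: double free */
			return;
		}
	if (nfreed < 16)
		freed[nfreed++] = p;
}

/* buggy=1 reproduces the flagged shape (kfree before goto, label frees again);
 * buggy=0 is the corrected shape where only the label releases resources. */
static int probe(int register_fails, int buggy)
{
	struct mdev_state *s = calloc(1, sizeof(*s));
	if (!s)
		return -ENOMEM_ERR;
	s->vconfig = calloc(1, 64);
	if (!s->vconfig)
		goto err_mem;
	if (register_fails) {
		if (buggy)
			tracked_free(s); /* report line 558: premature kfree(mdev_state) */
		goto err_mem;
	}
	return 0;
err_mem:
	tracked_free(s->vconfig); /* report line 565: reads s after free when buggy */
	tracked_free(s);          /* and frees s a second time when buggy */
	return -ENOMEM_ERR;
}
```

The same instrumentation idea is what KASAN and the SLUB debug options provide in-kernel; the Coccinelle rule in the report catches it statically, before the error path is ever executed.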
* Re: [jgunthorpe:pr/3 47/49] samples/vfio-mdev/mbochs.c:565:7-17: ERROR: reference preceded by free on line 558 (fwd)
@ 2021-03-02 20:01 ` Jason Gunthorpe
From: Jason Gunthorpe @ 2021-03-02 20:01 UTC (permalink / raw)
To: kbuild-all
On Tue, Mar 02, 2021 at 08:35:53PM +0100, Julia Lawall wrote:
> Hello,
>
> There is a clear use after free/double free at the end of this function.
Thank you so much Julia!
Jason