Re: [PATCH][next] drm/dp_mst: fix multiple frees of tx->bytes
From: Lyude Paul
Date: Wed Nov 20 2019 - 13:59:27 EST
Heh, surprised I missed this one!
Reviewed-by: Lyude Paul <lyude@xxxxxxxxxx>
Do you need me to push this to drm-misc, or do you have commit rights already?
On Wed, 2019-11-20 at 17:35 +0000, Colin King wrote:
> From: Colin Ian King <colin.king@xxxxxxxxxxxxx>
>
> Currently tx->bytes is being freed r->num_transactions number of
> times because tx is not being set correctly. Fix this by setting
> tx to &r->transactions[i] so that the correct objects are being
> freed on each loop iteration.
>
> Addresses-Coverity: ("Double free")
> Fixes: 2f015ec6eab6 ("drm/dp_mst: Add sideband down request tracing +
> selftests")
> Signed-off-by: Colin Ian King <colin.king@xxxxxxxxxxxxx>
> ---
> drivers/gpu/drm/drm_dp_mst_topology.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/drm_dp_mst_topology.c
> b/drivers/gpu/drm/drm_dp_mst_topology.c
> index ae5809a1f19a..2754e7e075e7 100644
> --- a/drivers/gpu/drm/drm_dp_mst_topology.c
> +++ b/drivers/gpu/drm/drm_dp_mst_topology.c
> @@ -517,8 +517,10 @@ drm_dp_decode_sideband_req(const struct
> drm_dp_sideband_msg_tx *raw,
> }
>
> if (failed) {
> - for (i = 0; i < r->num_transactions; i++)
> + for (i = 0; i < r->num_transactions; i++) {
> + tx = &r->transactions[i];
> kfree(tx->bytes);
> + }
> return -ENOMEM;
> }
>
--
Cheers,
Lyude Paul