drivers/gpu/drm/v3d/v3d_gem.c:573 v3d_submit_cl_ioctl() error: double free of 'bin'

* drivers/gpu/drm/v3d/v3d_gem.c:573 v3d_submit_cl_ioctl() error: double free of 'bin'
@ 2020-10-25 18:25 kernel test robot
  0 siblings, 0 replies; only message in thread
From: kernel test robot @ 2020-10-25 18:25 UTC (permalink / raw)
  To: kbuild

[-- Attachment #1: Type: text/plain, Size: 13351 bytes --]

CC: kbuild-all(a)lists.01.org
CC: linux-kernel(a)vger.kernel.org
CC: Dave Airlie <airlied@redhat.com>

tree:   https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head:   d76913908102044f14381df865bb74df17a538cb
commit: 77e0723bd27f830d0903225372aa778fe2975648 Merge v5.4-rc7 into drm-next
date:   12 months ago
:::::: branch date: 23 hours ago
:::::: commit date: 12 months ago
config: i386-randconfig-m021-20201026 (attached as .config)
compiler: gcc-9 (Debian 9.3.0-15) 9.3.0

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>

New smatch warnings:
drivers/gpu/drm/v3d/v3d_gem.c:573 v3d_submit_cl_ioctl() error: double free of 'bin'

Old smatch warnings:
drivers/gpu/drm/v3d/v3d_drv.h:281 nsecs_to_jiffies_timeout() warn: should this be a bitwise op?

vim +/bin +573 drivers/gpu/drm/v3d/v3d_gem.c

a783a09ee76d62 Eric Anholt        2019-04-16  511  
57692c94dcbe99 Eric Anholt        2018-04-30  512  /**
57692c94dcbe99 Eric Anholt        2018-04-30  513   * v3d_submit_cl_ioctl() - Submits a job (frame) to the V3D.
57692c94dcbe99 Eric Anholt        2018-04-30  514   * @dev: DRM device
57692c94dcbe99 Eric Anholt        2018-04-30  515   * @data: ioctl argument
57692c94dcbe99 Eric Anholt        2018-04-30  516   * @file_priv: DRM file for this fd
57692c94dcbe99 Eric Anholt        2018-04-30  517   *
57692c94dcbe99 Eric Anholt        2018-04-30  518   * This is the main entrypoint for userspace to submit a 3D frame to
57692c94dcbe99 Eric Anholt        2018-04-30  519   * the GPU.  Userspace provides the binner command list (if
57692c94dcbe99 Eric Anholt        2018-04-30  520   * applicable), and the kernel sets up the render command list to draw
57692c94dcbe99 Eric Anholt        2018-04-30  521   * to the framebuffer described in the ioctl, using the command lists
57692c94dcbe99 Eric Anholt        2018-04-30  522   * that the 3D engine's binner will produce.
57692c94dcbe99 Eric Anholt        2018-04-30  523   */
57692c94dcbe99 Eric Anholt        2018-04-30  524  int
57692c94dcbe99 Eric Anholt        2018-04-30  525  v3d_submit_cl_ioctl(struct drm_device *dev, void *data,
57692c94dcbe99 Eric Anholt        2018-04-30  526  		    struct drm_file *file_priv)
57692c94dcbe99 Eric Anholt        2018-04-30  527  {
57692c94dcbe99 Eric Anholt        2018-04-30  528  	struct v3d_dev *v3d = to_v3d_dev(dev);
57692c94dcbe99 Eric Anholt        2018-04-30  529  	struct v3d_file_priv *v3d_priv = file_priv->driver_priv;
57692c94dcbe99 Eric Anholt        2018-04-30  530  	struct drm_v3d_submit_cl *args = data;
a783a09ee76d62 Eric Anholt        2019-04-16  531  	struct v3d_bin_job *bin = NULL;
a783a09ee76d62 Eric Anholt        2019-04-16  532  	struct v3d_render_job *render;
455d56ce809fcc Iago Toral Quiroga 2019-09-19  533  	struct v3d_job *clean_job = NULL;
455d56ce809fcc Iago Toral Quiroga 2019-09-19  534  	struct v3d_job *last_job;
57692c94dcbe99 Eric Anholt        2018-04-30  535  	struct ww_acquire_ctx acquire_ctx;
57692c94dcbe99 Eric Anholt        2018-04-30  536  	int ret = 0;
57692c94dcbe99 Eric Anholt        2018-04-30  537  
55a9b74846ed5e Eric Anholt        2018-11-30  538  	trace_v3d_submit_cl_ioctl(&v3d->drm, args->rcl_start, args->rcl_end);
55a9b74846ed5e Eric Anholt        2018-11-30  539  
455d56ce809fcc Iago Toral Quiroga 2019-09-19  540  	if (args->flags != 0 &&
455d56ce809fcc Iago Toral Quiroga 2019-09-19  541  	    args->flags != DRM_V3D_SUBMIT_CL_FLUSH_CACHE) {
455d56ce809fcc Iago Toral Quiroga 2019-09-19  542  		DRM_INFO("invalid flags: %d\n", args->flags);
57692c94dcbe99 Eric Anholt        2018-04-30  543  		return -EINVAL;
57692c94dcbe99 Eric Anholt        2018-04-30  544  	}
57692c94dcbe99 Eric Anholt        2018-04-30  545  
a783a09ee76d62 Eric Anholt        2019-04-16  546  	render = kcalloc(1, sizeof(*render), GFP_KERNEL);
a783a09ee76d62 Eric Anholt        2019-04-16  547  	if (!render)
57692c94dcbe99 Eric Anholt        2018-04-30  548  		return -ENOMEM;
57692c94dcbe99 Eric Anholt        2018-04-30  549  
a783a09ee76d62 Eric Anholt        2019-04-16  550  	render->start = args->rcl_start;
a783a09ee76d62 Eric Anholt        2019-04-16  551  	render->end = args->rcl_end;
a783a09ee76d62 Eric Anholt        2019-04-16  552  	INIT_LIST_HEAD(&render->unref_list);
a783a09ee76d62 Eric Anholt        2019-04-16  553  
a783a09ee76d62 Eric Anholt        2019-04-16  554  	ret = v3d_job_init(v3d, file_priv, &render->base,
a783a09ee76d62 Eric Anholt        2019-04-16  555  			   v3d_render_job_free, args->in_sync_rcl);
a783a09ee76d62 Eric Anholt        2019-04-16  556  	if (ret) {
a783a09ee76d62 Eric Anholt        2019-04-16  557  		kfree(render);
57692c94dcbe99 Eric Anholt        2018-04-30  558  		return ret;
57692c94dcbe99 Eric Anholt        2018-04-30  559  	}
57692c94dcbe99 Eric Anholt        2018-04-30  560  
a783a09ee76d62 Eric Anholt        2019-04-16  561  	if (args->bcl_start != args->bcl_end) {
a783a09ee76d62 Eric Anholt        2019-04-16  562  		bin = kcalloc(1, sizeof(*bin), GFP_KERNEL);
29cd13cfd76247 Navid Emamdoost    2019-10-21  563  		if (!bin) {
29cd13cfd76247 Navid Emamdoost    2019-10-21  564  			v3d_job_put(&render->base);
a783a09ee76d62 Eric Anholt        2019-04-16  565  			return -ENOMEM;
29cd13cfd76247 Navid Emamdoost    2019-10-21  566  		}
57692c94dcbe99 Eric Anholt        2018-04-30  567  
a783a09ee76d62 Eric Anholt        2019-04-16  568  		ret = v3d_job_init(v3d, file_priv, &bin->base,
a783a09ee76d62 Eric Anholt        2019-04-16  569  				   v3d_job_free, args->in_sync_bcl);
a783a09ee76d62 Eric Anholt        2019-04-16  570  		if (ret) {
0d352a3a8a1f26 Iago Toral Quiroga 2019-09-16  571  			kfree(bin);
a783a09ee76d62 Eric Anholt        2019-04-16  572  			v3d_job_put(&render->base);
29cd13cfd76247 Navid Emamdoost    2019-10-21 @573  			kfree(bin);
a783a09ee76d62 Eric Anholt        2019-04-16  574  			return ret;
a783a09ee76d62 Eric Anholt        2019-04-16  575  		}
57692c94dcbe99 Eric Anholt        2018-04-30  576  
a783a09ee76d62 Eric Anholt        2019-04-16  577  		bin->start = args->bcl_start;
a783a09ee76d62 Eric Anholt        2019-04-16  578  		bin->end = args->bcl_end;
a783a09ee76d62 Eric Anholt        2019-04-16  579  		bin->qma = args->qma;
a783a09ee76d62 Eric Anholt        2019-04-16  580  		bin->qms = args->qms;
a783a09ee76d62 Eric Anholt        2019-04-16  581  		bin->qts = args->qts;
a783a09ee76d62 Eric Anholt        2019-04-16  582  		bin->render = render;
a783a09ee76d62 Eric Anholt        2019-04-16  583  	}
57692c94dcbe99 Eric Anholt        2018-04-30  584  
455d56ce809fcc Iago Toral Quiroga 2019-09-19  585  	if (args->flags & DRM_V3D_SUBMIT_CL_FLUSH_CACHE) {
455d56ce809fcc Iago Toral Quiroga 2019-09-19  586  		clean_job = kcalloc(1, sizeof(*clean_job), GFP_KERNEL);
455d56ce809fcc Iago Toral Quiroga 2019-09-19  587  		if (!clean_job) {
455d56ce809fcc Iago Toral Quiroga 2019-09-19  588  			ret = -ENOMEM;
455d56ce809fcc Iago Toral Quiroga 2019-09-19  589  			goto fail;
455d56ce809fcc Iago Toral Quiroga 2019-09-19  590  		}
455d56ce809fcc Iago Toral Quiroga 2019-09-19  591  
455d56ce809fcc Iago Toral Quiroga 2019-09-19  592  		ret = v3d_job_init(v3d, file_priv, clean_job, v3d_job_free, 0);
455d56ce809fcc Iago Toral Quiroga 2019-09-19  593  		if (ret) {
455d56ce809fcc Iago Toral Quiroga 2019-09-19  594  			kfree(clean_job);
455d56ce809fcc Iago Toral Quiroga 2019-09-19  595  			clean_job = NULL;
455d56ce809fcc Iago Toral Quiroga 2019-09-19  596  			goto fail;
455d56ce809fcc Iago Toral Quiroga 2019-09-19  597  		}
455d56ce809fcc Iago Toral Quiroga 2019-09-19  598  
455d56ce809fcc Iago Toral Quiroga 2019-09-19  599  		last_job = clean_job;
455d56ce809fcc Iago Toral Quiroga 2019-09-19  600  	} else {
455d56ce809fcc Iago Toral Quiroga 2019-09-19  601  		last_job = &render->base;
455d56ce809fcc Iago Toral Quiroga 2019-09-19  602  	}
455d56ce809fcc Iago Toral Quiroga 2019-09-19  603  
455d56ce809fcc Iago Toral Quiroga 2019-09-19  604  	ret = v3d_lookup_bos(dev, file_priv, last_job,
a783a09ee76d62 Eric Anholt        2019-04-16  605  			     args->bo_handles, args->bo_handle_count);
57692c94dcbe99 Eric Anholt        2018-04-30  606  	if (ret)
57692c94dcbe99 Eric Anholt        2018-04-30  607  		goto fail;
57692c94dcbe99 Eric Anholt        2018-04-30  608  
455d56ce809fcc Iago Toral Quiroga 2019-09-19  609  	ret = v3d_lock_bo_reservations(last_job, &acquire_ctx);
57692c94dcbe99 Eric Anholt        2018-04-30  610  	if (ret)
57692c94dcbe99 Eric Anholt        2018-04-30  611  		goto fail;
57692c94dcbe99 Eric Anholt        2018-04-30  612  
7122b68b8a9692 Eric Anholt        2018-06-06  613  	mutex_lock(&v3d->sched_lock);
a783a09ee76d62 Eric Anholt        2019-04-16  614  	if (bin) {
a783a09ee76d62 Eric Anholt        2019-04-16  615  		ret = v3d_push_job(v3d_priv, &bin->base, V3D_BIN);
57692c94dcbe99 Eric Anholt        2018-04-30  616  		if (ret)
57692c94dcbe99 Eric Anholt        2018-04-30  617  			goto fail_unreserve;
57692c94dcbe99 Eric Anholt        2018-04-30  618  
dffa9b7a78c436 Eric Anholt        2019-04-16  619  		ret = drm_gem_fence_array_add(&render->base.deps,
dffa9b7a78c436 Eric Anholt        2019-04-16  620  					      dma_fence_get(bin->base.done_fence));
dffa9b7a78c436 Eric Anholt        2019-04-16  621  		if (ret)
dffa9b7a78c436 Eric Anholt        2019-04-16  622  			goto fail_unreserve;
57692c94dcbe99 Eric Anholt        2018-04-30  623  	}
57692c94dcbe99 Eric Anholt        2018-04-30  624  
a783a09ee76d62 Eric Anholt        2019-04-16  625  	ret = v3d_push_job(v3d_priv, &render->base, V3D_RENDER);
57692c94dcbe99 Eric Anholt        2018-04-30  626  	if (ret)
57692c94dcbe99 Eric Anholt        2018-04-30  627  		goto fail_unreserve;
455d56ce809fcc Iago Toral Quiroga 2019-09-19  628  
455d56ce809fcc Iago Toral Quiroga 2019-09-19  629  	if (clean_job) {
455d56ce809fcc Iago Toral Quiroga 2019-09-19  630  		struct dma_fence *render_fence =
455d56ce809fcc Iago Toral Quiroga 2019-09-19  631  			dma_fence_get(render->base.done_fence);
455d56ce809fcc Iago Toral Quiroga 2019-09-19  632  		ret = drm_gem_fence_array_add(&clean_job->deps, render_fence);
455d56ce809fcc Iago Toral Quiroga 2019-09-19  633  		if (ret)
455d56ce809fcc Iago Toral Quiroga 2019-09-19  634  			goto fail_unreserve;
455d56ce809fcc Iago Toral Quiroga 2019-09-19  635  		ret = v3d_push_job(v3d_priv, clean_job, V3D_CACHE_CLEAN);
455d56ce809fcc Iago Toral Quiroga 2019-09-19  636  		if (ret)
455d56ce809fcc Iago Toral Quiroga 2019-09-19  637  			goto fail_unreserve;
455d56ce809fcc Iago Toral Quiroga 2019-09-19  638  	}
455d56ce809fcc Iago Toral Quiroga 2019-09-19  639  
7122b68b8a9692 Eric Anholt        2018-06-06  640  	mutex_unlock(&v3d->sched_lock);
57692c94dcbe99 Eric Anholt        2018-04-30  641  
a783a09ee76d62 Eric Anholt        2019-04-16  642  	v3d_attach_fences_and_unlock_reservation(file_priv,
455d56ce809fcc Iago Toral Quiroga 2019-09-19  643  						 last_job,
d223f98f02099b Eric Anholt        2019-04-16  644  						 &acquire_ctx,
d223f98f02099b Eric Anholt        2019-04-16  645  						 args->out_sync,
455d56ce809fcc Iago Toral Quiroga 2019-09-19  646  						 last_job->done_fence);
57692c94dcbe99 Eric Anholt        2018-04-30  647  
a783a09ee76d62 Eric Anholt        2019-04-16  648  	if (bin)
a783a09ee76d62 Eric Anholt        2019-04-16  649  		v3d_job_put(&bin->base);
a783a09ee76d62 Eric Anholt        2019-04-16  650  	v3d_job_put(&render->base);
455d56ce809fcc Iago Toral Quiroga 2019-09-19  651  	if (clean_job)
455d56ce809fcc Iago Toral Quiroga 2019-09-19  652  		v3d_job_put(clean_job);
57692c94dcbe99 Eric Anholt        2018-04-30  653  
57692c94dcbe99 Eric Anholt        2018-04-30  654  	return 0;
57692c94dcbe99 Eric Anholt        2018-04-30  655  
57692c94dcbe99 Eric Anholt        2018-04-30  656  fail_unreserve:
7122b68b8a9692 Eric Anholt        2018-06-06  657  	mutex_unlock(&v3d->sched_lock);
455d56ce809fcc Iago Toral Quiroga 2019-09-19  658  	drm_gem_unlock_reservations(last_job->bo,
455d56ce809fcc Iago Toral Quiroga 2019-09-19  659  				    last_job->bo_count, &acquire_ctx);
57692c94dcbe99 Eric Anholt        2018-04-30  660  fail:
a783a09ee76d62 Eric Anholt        2019-04-16  661  	if (bin)
a783a09ee76d62 Eric Anholt        2019-04-16  662  		v3d_job_put(&bin->base);
a783a09ee76d62 Eric Anholt        2019-04-16  663  	v3d_job_put(&render->base);
455d56ce809fcc Iago Toral Quiroga 2019-09-19  664  	if (clean_job)
455d56ce809fcc Iago Toral Quiroga 2019-09-19  665  		v3d_job_put(clean_job);
57692c94dcbe99 Eric Anholt        2018-04-30  666  
57692c94dcbe99 Eric Anholt        2018-04-30  667  	return ret;
57692c94dcbe99 Eric Anholt        2018-04-30  668  }
57692c94dcbe99 Eric Anholt        2018-04-30  669  

:::::: The code at line 573 was first introduced by commit
:::::: 29cd13cfd7624726d9e6becbae9aa419ef35af7f drm/v3d: Fix memory leak in v3d_submit_cl_ioctl

:::::: TO: Navid Emamdoost <navid.emamdoost@gmail.com>
:::::: CC: Daniel Vetter <daniel.vetter@ffwll.ch>

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all(a)lists.01.org

[-- Attachment #2: config.gz --]
[-- Type: application/gzip, Size: 36923 bytes --]

^ permalink raw reply	[flat|nested] only message in thread