Ok, firstly, thank Dan Carpenter for pointing out my spelling error
and I upload a PoC and compile it to a binary, hope that helpful for
you to test it.

regards,
butt3rflyh4ck

On Tue, Jul 14, 2020 at 12:12 AM Daniel Vetter <daniel@ffwll.ch> wrote:
>
> Adding Thomas, who's the main author for vram helpers.
> -Daniel
>
> On Fri, Jul 10, 2020 at 1:53 PM Dan Carpenter <dan.carpenter@oracle.com> wrote:
> >
> > On Fri, Jul 10, 2020 at 04:24:03PM +0800, butt3rflyh4ck wrote:
> > > I report a bug (in linux-5.8.0-rc4) found by syzkaller.
> > >
> > > kernel config: https://github.com/butterflyhack/syzkaller-fuzz/blob/master/v5.8.0-rc4.config
> > >
> > > I test the reproducer and crash too.
> > >
> > > In the drm_em_vram_t() function,  ttm_bo_init() function call
> >          ^^^^^^^^^^^^^
> > This a typo.  The function name is drm_gem_vram_init().
> >
> > > ttm_bo_init_reserved(),
> > > the ttm_bo_init_reserved() function  call ttm_bo_put(), it will free
> > > gbo->bo that is struct ttm_buffer_object.
> > >
> > > then, goto the err_drm_gem_object_release lable,
> > > drm_gem_object_release() function will free gbo->bo.base, so cause use
> > > after free.
> > >
> >
> > There is a third free in drm_gem_vram_create().  This is a triple free
> > bug.  The correct place to free this is in drm_gem_vram_create() because
> > that's where it was allocated.
> >
> > This code is quite subtle so I'm not going to attempt to fix it because
> > I can't test it.
> >
> > regards,
> > dan carpenter
> >
>
>
> --
> Daniel Vetter
> Software Engineer, Intel Corporation
> http://blog.ffwll.ch