When (size != 0 || ptrs->lvds_entries != 3), the program tries to
free() the ptrs. However, the ptrs is not created by calling kzmalloc(),
but is obtained by pointer offset operation.
This may lead to memory leaks or undefined behavior.
Fix this by replacing the arguments of kfree() with ptrs_block.
Fixes: a87d0a847607 ("drm/i915/bios: Generate LFP data table pointers if the VBT lacks them")
Signed-off-by: Xia Fukun <xiafukun@huawei.com>
---
drivers/gpu/drm/i915/display/intel_bios.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/i915/display/intel_bios.c b/drivers/gpu/drm/i915/display/intel_bios.c
index 28bdb936cd1f..edbdb949b6ce 100644
--- a/drivers/gpu/drm/i915/display/intel_bios.c
+++ b/drivers/gpu/drm/i915/display/intel_bios.c
@@ -414,7 +414,7 @@ static void *generate_lfp_data_ptrs(struct drm_i915_private *i915,
ptrs->lvds_entries++;
if (size != 0 || ptrs->lvds_entries != 3) {
- kfree(ptrs);
+ kfree(ptrs_block);
return NULL;
}
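Review bot: The changelog undersells the old kfree(ptrs) in the `if (size != 0 || ptrs->lvds_entries != 3)` branch: by the description's own account ptrs is an offset into the allocation rather than the address the allocator returned, so that call was an invalid free, not merely a leak. Please word the commit message that way and replace "kzmalloc()" with the name of the allocator actually used. Since only this branch is visible in the hunk, also confirm that no other exit path in generate_lfp_data_ptrs() frees ptrs instead of ptrs_block.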
--
2.17.1
On Fri, 25 Nov 2022, Xia Fukun <xiafukun@huawei.com> wrote:
> When (size != 0 || ptrs->lvds_entries != 3), the program tries to
> free() the ptrs. However, the ptrs is not created by calling kzmalloc(),
> but is obtained by pointer offset operation.
> This may lead to memory leaks or undefined behavior.

Yeah probably worse things will happen than just leak.

>
> Fix this by replacing the arguments of kfree() with ptrs_block.
>
> Fixes: a87d0a847607 ("drm/i915/bios: Generate LFP data table pointers if the VBT lacks them")
> Signed-off-by: Xia Fukun <xiafukun@huawei.com>

Reviewed-by: Jani Nikula <jani.nikula@intel.com>

> --- > drivers/gpu/drm/i915/display/intel_bios.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/gpu/drm/i915/display/intel_bios.c b/drivers/gpu/drm/i915/display/intel_bios.c > index 28bdb936cd1f..edbdb949b6ce 100644 > --- a/drivers/gpu/drm/i915/display/intel_bios.c > +++ b/drivers/gpu/drm/i915/display/intel_bios.c > @@ -414,7 +414,7 @@ static void *generate_lfp_data_ptrs(struct drm_i915_private *i915, > ptrs->lvds_entries++; > > if (size != 0 || ptrs->lvds_entries != 3) { > - kfree(ptrs); > + kfree(ptrs_block); > return NULL; > }

--
Jani Nikula, Intel Open Source Graphics Center
On Fri, 25 Nov 2022, Jani Nikula <jani.nikula@linux.intel.com> wrote:
> On Fri, 25 Nov 2022, Xia Fukun <xiafukun@huawei.com> wrote:
>> When (size != 0 || ptrs->lvds_entries != 3), the program tries to
>> free() the ptrs. However, the ptrs is not created by calling kzmalloc(),
>> but is obtained by pointer offset operation.
>> This may lead to memory leaks or undefined behavior.
>
> Yeah probably worse things will happen than just leak.
>
>>
>> Fix this by replacing the arguments of kfree() with ptrs_block.
>>
>> Fixes: a87d0a847607 ("drm/i915/bios: Generate LFP data table pointers if the VBT lacks them")
>> Signed-off-by: Xia Fukun <xiafukun@huawei.com>
>
> Reviewed-by: Jani Nikula <jani.nikula@intel.com>

And pushed to drm-intel-next, thanks for the patch.

BR,
Jani.

>
>> --- >> drivers/gpu/drm/i915/display/intel_bios.c | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/drivers/gpu/drm/i915/display/intel_bios.c b/drivers/gpu/drm/i915/display/intel_bios.c >> index 28bdb936cd1f..edbdb949b6ce 100644 >> --- a/drivers/gpu/drm/i915/display/intel_bios.c >> +++ b/drivers/gpu/drm/i915/display/intel_bios.c >> @@ -414,7 +414,7 @@ static void *generate_lfp_data_ptrs(struct drm_i915_private *i915, >> ptrs->lvds_entries++; >> >> if (size != 0 || ptrs->lvds_entries != 3) { >> - kfree(ptrs); >> + kfree(ptrs_block); >> return NULL; >> }

--
Jani Nikula, Intel Open Source Graphics Center
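A userspace model of the bug class discussed in this thread, added here as an illustration and not code from the patch or the i915 driver: a tracking allocator that, like kfree(), only accepts the address the allocator returned, so freeing a pointer derived by offset is rejected and the block stays allocated. The names `tracked_alloc`, `tracked_free`, `live_count`, `error_path`, `struct table` and the 3-byte `HDR_LEN` are assumptions made for the example.

```c
#include <stdint.h>
#include <stdlib.h>

#define HDR_LEN 3   /* assumed header size in front of the table */
#define MAX_LIVE 8
struct table { uint8_t entries; uint8_t data[16]; };   /* stand-in payload */
static void *live[MAX_LIVE];   /* base addresses the allocator handed out */

static void *tracked_alloc(size_t n)
{
    for (int i = 0; i < MAX_LIVE; i++)
        if (!live[i])
            return live[i] = calloc(1, n);
    return NULL;
}

/* Release p only if it is an address tracked_alloc() returned. */
static int tracked_free(void *p)
{
    for (int i = 0; p && i < MAX_LIVE; i++) {
        if (live[i] != p)
            continue;
        live[i] = NULL;
        free(p);
        return 0;
    }
    return -1;   /* interior or foreign pointer: invalid free, nothing released */
}

static int live_count(void)
{
    int n = 0;
    for (int i = 0; i < MAX_LIVE; i++)
        n += live[i] != NULL;
    return n;
}

/* Error path of a builder whose working pointer is base + HDR_LEN. */
static int error_path(int free_base)
{
    uint8_t *block = tracked_alloc(HDR_LEN + sizeof(struct table));
    if (!block)
        return -2;
    struct table *ptrs = (struct table *)(block + HDR_LEN);   /* offset, not base */
    return tracked_free(free_base ? (void *)block : (void *)ptrs);
}

int main(void)
{
    return !(error_path(0) == -1 && error_path(1) == 0 && live_count() == 1);
}
```

With a real allocator the rejected call would not fail cleanly: the allocator would act on an address it never handed out, which is why the error path must free the base pointer.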