possible use-after-free in amdgpu_dm
Tom St Denis
tom.stdenis at amd.com
Tue Oct 17 14:10:26 UTC 2017
In this block of code:
void amdgpu_dm_connector_funcs_reset(struct drm_connector *connector)
{
	struct dm_connector_state *state =
		to_dm_connector_state(connector->state);

	kfree(state);
	state = kzalloc(sizeof(*state), GFP_KERNEL);
The value of state is never compared with NULL and, moreover, the value of
connector->state is never written to if NULL. Wouldn't this mean the
pointer points to freed memory?
Cheers,
Tom
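The pattern Tom describes, as an added example that is not part of the thread or of the amdgpu driver: a user-space model of a connector whose reset frees the old state, allocates a new one, checks nothing, and never updates the connector's pointer. The model_* structs, the quarantining fake allocator and the "checked" variant are assumptions made for illustration; the checked variant is not the driver's actual fix.

```c
/*
 * Added example, not code from the amd-gfx thread or the amdgpu driver: a
 * user-space model of the kfree-then-kzalloc pattern quoted above.  The
 * model_* names and the quarantining fake allocator are assumptions.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Stand-ins for drm_connector_state / dm_connector_state (constructed). */
struct model_connector_state { int id; };
struct model_dm_connector_state {
	struct model_connector_state base;	/* embedded base object, as in DRM */
	int dm_private;
};
struct model_connector { struct model_connector_state *state; };

/* container_of()-style cast standing in for to_dm_connector_state(). */
static struct model_dm_connector_state *
to_model_dm_state(struct model_connector_state *s)
{
	if (!s)
		return NULL;
	return (struct model_dm_connector_state *)
	       ((char *)s - offsetof(struct model_dm_connector_state, base));
}

/*
 * Fake kzalloc/kfree: freed blocks are recorded and quarantined (never handed
 * back to the C library), so "is this pointer freed?" stays a well-defined
 * question in the model.  fail_next_alloc forces one allocation failure.
 */
#define MAX_BLOCKS 16
static struct { void *ptr; bool freed; } blocks[MAX_BLOCKS];
static int nblocks;
static bool fail_next_alloc;

static int block_index(const void *p)
{
	for (int i = 0; i < nblocks; i++)
		if (blocks[i].ptr == p)
			return i;
	return -1;
}

static void *model_kzalloc(size_t n)
{
	void *p = (fail_next_alloc || nblocks >= MAX_BLOCKS) ? NULL : calloc(1, n);

	fail_next_alloc = false;
	if (p) {
		blocks[nblocks].ptr = p;
		blocks[nblocks].freed = false;
		nblocks++;
	}
	return p;
}

static void model_kfree(void *p)
{
	int i = block_index(p);		/* kfree(NULL) is a no-op here too */

	if (i >= 0)
		blocks[i].freed = true;
}

/* True when connector->state still refers to a block that was freed. */
static bool connector_state_dangling(const struct model_connector *c)
{
	int i = block_index(to_model_dm_state(c->state));

	return i >= 0 && blocks[i].freed;
}

/*
 * The pattern as posted: free, reallocate, check nothing, leave
 * connector->state alone.  Success or failure of the allocation, the
 * connector keeps pointing at the freed block.
 */
static void reset_as_posted(struct model_connector *connector)
{
	struct model_dm_connector_state *state = to_model_dm_state(connector->state);

	model_kfree(state);
	state = model_kzalloc(sizeof(*state));
	(void)state;	/* the posted fragment ends here; 'state' is never published */
}

/*
 * A checked variant (an assumption, not the driver's fix): clear the old
 * pointer before it can dangle, fail cleanly when the allocation fails, and
 * publish the new state only once it exists.  Returns 0, or -1 on no memory.
 */
static int reset_checked(struct model_connector *connector)
{
	struct model_dm_connector_state *state = to_model_dm_state(connector->state);

	model_kfree(state);
	connector->state = NULL;
	state = model_kzalloc(sizeof(*state));
	if (!state)
		return -1;
	connector->state = &state->base;
	return 0;
}
```

After reset_as_posted() the connector still holds the freed address even when kzalloc succeeds, because nothing writes the new object back into connector->state; when the allocation fails the situation is the same, only with nothing left to publish. The checked variant makes the failure path explicit and never leaves a freed address reachable from the connector.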