possible use-after-free in amdgpu_dm
Christian König
ckoenig.leichtzumerken at gmail.com
Tue Oct 17 17:18:53 UTC 2017
On 17.10.2017 at 16:10, Tom St Denis wrote:
> In this block of code:
>
> void amdgpu_dm_connector_funcs_reset(struct drm_connector *connector)
> {
>         struct dm_connector_state *state =
>                 to_dm_connector_state(connector->state);
>
>         kfree(state);
>
>         state = kzalloc(sizeof(*state), GFP_KERNEL);
>
> The value of state is never compared with NULL and, more so, the value of
> connector->state is never written to if NULL. Wouldn't this mean the
> pointer points to freed memory?
Why should we compare the value of state to NULL? What's done here is
just to get the size of the type state points to.
Not sure if that is really covered by the C standard, but in practice it
works fine even when state is NULL.
Christian.
>
> Cheers,
> Tom
> _______________________________________________
> amd-gfx mailing list
> amd-gfx at lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/amd-gfx
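To make the sizeof point concrete, here is an added userspace model of the reset pattern quoted above (example code written for this page, not from the thread or the amdgpu driver; dm_state, connector, size_via_null and connector_reset are hypothetical stand-ins). The C standard does cover the case: the operand of sizeof is not evaluated unless its type is a variable-length array (C11 6.5.3.4p2), so sizeof(*state) with a NULL state performs no load; the model also clears the connector's state field before reallocating so it never holds a freed pointer if the allocation fails.

```c
/* Added example, not from the thread or the amdgpu driver. dm_state and
 * connector are hypothetical stand-ins for dm_connector_state and
 * drm_connector; calloc/free stand in for kzalloc/kfree. */
#include <stddef.h>
#include <stdlib.h>

struct dm_state { int scaling; int underscan; };   /* stand-in state object */
struct connector { struct dm_state *state; };      /* stand-in drm_connector */

/* sizeof's operand is not evaluated (C11 6.5.3.4p2, VLAs excepted), so
 * sizeof(*p) never dereferences p even when p is NULL. Returns the size
 * obtained through a NULL pointer; the test compares it with the type. */
size_t size_via_null(void)
{
    struct dm_state *p = NULL;
    return sizeof(*p);        /* no load from address 0 happens here */
}

/* Mirrors "kfree(state); state = kzalloc(sizeof(*state), ...)" from the
 * thread, with one defensive addition: the connector never keeps the freed
 * pointer. On allocation failure the field is NULL rather than dangling.
 * Returns 0 on success, -1 when the allocation fails. */
int connector_reset(struct connector *c)
{
    struct dm_state *state = c->state;   /* may be NULL on the first reset */

    free(state);                         /* free(NULL) is a no-op, like kfree */
    c->state = NULL;                     /* drop the stale pointer first */

    state = calloc(1, sizeof(*state));   /* sizeof(*state) is fine when NULL */
    if (!state)
        return -1;

    c->state = state;                    /* publish only a live allocation */
    return 0;
}

/* Two resets in a row: the second frees the first's allocation. Returns 1
 * if the connector ends up with a zeroed, non-NULL state. */
int demo_double_reset(void)
{
    struct connector c = { NULL };
    int ok;
    if (connector_reset(&c) != 0) return 0;
    c.state->scaling = 7;                /* dirty it so the reset is visible */
    if (connector_reset(&c) != 0) return 0;
    ok = c.state != NULL && c.state->scaling == 0 && c.state->underscan == 0;
    free(c.state);
    return ok;
}
```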