[PATCH] drm/crtc: fix intent use after free in drm_mode_setcrtc()
wen yang
yellowriver2010 at hotmail.com
Sun Nov 25 11:20:56 UTC 2018
From: Wen Yang <wen.yang99 at zte.com.cn>
This patch fixes a possible use-after-free in nvmet_rdma_cm_handler,
detected by the semantic patch kfree.cocci, with the following reports:
./drivers/gpu/drm/drm_crtc.c:708:18-31: ERROR: reference preceded by free on line 723
./drivers/gpu/drm/drm_crtc.c:719:7-20: ERROR: reference preceded by free on line 723
./drivers/gpu/drm/drm_crtc.c:723:7-20: ERROR: reference preceded by free on line 723
The following code has a potential use-after-free:
585 retry:
586     ret = drm_modeset_lock_all_ctx(crtc->dev, &ctx);
587     if (ret)
588         goto out;
...
713 out:
714     if (fb)
715         drm_framebuffer_put(fb);
716
717     if (connector_set) {
718         for (i = 0; i < crtc_req->count_connectors; i++) {
719             if (connector_set[i])
720                 drm_connector_put(connector_set[i]);
721         }
722     }
723     kfree(connector_set);
725     drm_mode_destroy(dev, mode);
726     if (ret == -EDEADLK) {
727         ret = drm_modeset_backoff(&ctx);
728         if (!ret)
729             goto retry;
730     }
Signed-off-by: Wen Yang <wen.yang99 at zte.com.cn>
CC: Julia Lawall <julia.lawall at lip6.fr>
CC: Gustavo Padovan <gustavo at padovan.org>
CC: Maarten Lankhorst <maarten.lankhorst at linux.intel.com>
CC: Sean Paul <seanpaul at chromium.org>
CC: David Airlie <airlied at linux.ie>
CC: dri-devel at lists.freedesktop.org
CC: linux-kernel at vger.kernel.org
---
drivers/gpu/drm/drm_crtc.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/gpu/drm/drm_crtc.c b/drivers/gpu/drm/drm_crtc.c
index 0358388..6315c39 100644
--- a/drivers/gpu/drm/drm_crtc.c
+++ b/drivers/gpu/drm/drm_crtc.c
@@ -721,6 +721,7 @@ int drm_mode_setcrtc(struct drm_device *dev, void *data,
}
}
kfree(connector_set);
+ connector_set = NULL;
drm_mode_destroy(dev, mode);
if (ret == -EDEADLK) {
ret = drm_modeset_backoff(&ctx);
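Review bot: resetting only connector_set after kfree(connector_set) leaves the other objects released in this cleanup block stale across the goto retry path. The out: label quoted in the commit message also calls drm_framebuffer_put(fb), and the context line right after the added one calls drm_mode_destroy(dev, mode). If a retry reaches out: before those are reassigned (for example when drm_modeset_lock_all_ctx() fails at the top of retry:), fb would be put a second time and mode destroyed a second time. Please check whether fb and mode are cleared elsewhere, and if not, reset all three together just before the ret == -EDEADLK test, with a short comment saying the resets exist for the retry. The changelog also names nvmet_rdma_cm_handler while the diff touches drm_mode_setcrtc(); the description should name the function being patched.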
--
2.7.4