[Intel-gfx] [PATCH] drm/i915: Fix use after free when printing load failure

Mika Kuoppala mika.kuoppala at linux.intel.com
Wed Mar 23 08:31:46 UTC 2016


Commit d15d7538c6d2 ("drm/i915: Tune down init error message due
to failure injection") added i915_load_error message to failure
path on device initialization. The message is printed
after the device is freed. And as the message printing helper
uses the device structure, this leads to use after free.

Spotted by Kasan.

Cc: Imre Deak <imre.deak at intel.com>
Cc: Chris Wilson <chris at chris-wilson.co.uk>
Signed-off-by: Mika Kuoppala <mika.kuoppala at intel.com>
---
 drivers/gpu/drm/i915/i915_dma.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/i915/i915_dma.c b/drivers/gpu/drm/i915/i915_dma.c
index a3458fcd83dc..fc8ac98c12d7 100644
--- a/drivers/gpu/drm/i915/i915_dma.c
+++ b/drivers/gpu/drm/i915/i915_dma.c
@@ -1398,10 +1398,10 @@ out_runtime_pm_put:
 	intel_runtime_pm_put(dev_priv);
 	i915_driver_cleanup_early(dev_priv);
 out_free_priv:
-	kfree(dev_priv);
-
 	i915_load_error(dev_priv, "Device initialization failed (%d)\n", ret);
 
+	kfree(dev_priv);
+
 	return ret;
 }
 
-- 
2.5.0



More information about the Intel-gfx mailing list