From: Wen Yang <wen.yang99@zte.com.cn>

This patch fixes a possible use-after-free in nvmet_rdma_cm_handler,
detected by the semantic patch kfree.cocci, with the following reports:

./drivers/gpu/drm/drm_crtc.c:708:18-31: ERROR: reference preceded by free on line 723
./drivers/gpu/drm/drm_crtc.c:719:7-20: ERROR: reference preceded by free on line 723
./drivers/gpu/drm/drm_crtc.c:723:7-20: ERROR: reference preceded by free on line 723

The following code has potential use-after-free:

585 retry:
586     ret = drm_modeset_lock_all_ctx(crtc->dev, &ctx);
587     if (ret)
588         goto out;
...
713 out:
714     if (fb)
715         drm_framebuffer_put(fb);
716
717     if (connector_set) {
718         for (i = 0; i < crtc_req->count_connectors; i++) {
719             if (connector_set[i])
720                 drm_connector_put(connector_set[i]);
721         }
722     }
723     kfree(connector_set);
725     drm_mode_destroy(dev, mode);
726     if (ret == -EDEADLK) {
727         ret = drm_modeset_backoff(&ctx);
728         if (!ret)
729             goto retry;
730     }

Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
CC: Julia Lawall <julia.lawall@lip6.fr>
CC: Gustavo Padovan <gustavo@padovan.org>
CC: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
CC: Sean Paul <seanpaul@chromium.org>
CC: David Airlie <airlied@linux.ie>
CC: dri-devel@lists.freedesktop.org
CC: linux-kernel@vger.kernel.org
---
 drivers/gpu/drm/drm_crtc.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/drivers/gpu/drm/drm_crtc.c b/drivers/gpu/drm/drm_crtc.c index 0358388..6315c39 100644 --- a/drivers/gpu/drm/drm_crtc.c +++ b/drivers/gpu/drm/drm_crtc.c @@ -721,6 +721,7 @@ int drm_mode_setcrtc(struct drm_device *dev, void *data, } } kfree(connector_set); + connector_set = NULL; drm_mode_destroy(dev, mode); if (ret == -EDEADLK) { ret = drm_modeset_backoff(&ctx);
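Review bot: Clearing only connector_set after kfree(connector_set) leaves fb and mode stale on the same retry path. In the context right after the added line, drm_mode_destroy(dev, mode) runs and `goto retry` can follow on -EDEADLK. Per the excerpt in the commit message, the first statement after retry: is drm_modeset_lock_all_ctx(), and its failure jumps straight back to out:, so drm_framebuffer_put(fb) and drm_mode_destroy(dev, mode) would run a second time unless something outside the quoted lines resets those pointers. Consider resetting them in the same place, for example `fb = NULL;` and `mode = NULL;` next to `connector_set = NULL;`, with a one-line comment saying the pointers are cleared for the retry. Separately, the commit message names nvmet_rdma_cm_handler while the hunk is in drm_mode_setcrtc; the description should name the function the patch changes.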