When allocation for mdp5_kms fails, calling mdp5_destroy() leads to undefined behaviour, likely a nullptr exception or use-after-free troubles.
Signed-off-by: Roy Spliet nouveau@spliet.org --- drivers/gpu/drm/msm/disp/mdp5/mdp5_kms.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/msm/disp/mdp5/mdp5_kms.c b/drivers/gpu/drm/msm/disp/mdp5/mdp5_kms.c index 6650f478b226..02c2c7d48bae 100644 --- a/drivers/gpu/drm/msm/disp/mdp5/mdp5_kms.c +++ b/drivers/gpu/drm/msm/disp/mdp5/mdp5_kms.c @@ -943,7 +943,8 @@ static int mdp5_init(struct platform_device *pdev, struct drm_device *dev)
return 0; fail: - mdp5_destroy(pdev); + if (mdp5_kms) + mdp5_destroy(pdev); return ret; }
On 2020-04-07 10:07, Roy Spliet wrote:
When allocation for mdp5_kms fails, calling mdp5_destroy() leads to undefined behaviour, likely a nullptr exception or use-after-free troubles.
Signed-off-by: Roy Spliet nouveau@spliet.org
Reviewed-by: Abhinav Kumar abhinavk@codeaurora.org
drivers/gpu/drm/msm/disp/mdp5/mdp5_kms.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/msm/disp/mdp5/mdp5_kms.c b/drivers/gpu/drm/msm/disp/mdp5/mdp5_kms.c index 6650f478b226..02c2c7d48bae 100644 --- a/drivers/gpu/drm/msm/disp/mdp5/mdp5_kms.c +++ b/drivers/gpu/drm/msm/disp/mdp5/mdp5_kms.c @@ -943,7 +943,8 @@ static int mdp5_init(struct platform_device *pdev, struct drm_device *dev)
return 0; fail:
- mdp5_destroy(pdev);
- if (mdp5_kms)
mdp5_destroy(pdev);}
dri-devel@lists.freedesktop.org
-
abhinavk@codeaurora.org -
Roy Spliet