This fixes a static checker warning:
drivers/gpu/drm/drm_client.c:289 drm_client_buffer_create() error: double free of 'buffer'
Extend drm_client_buffer_delete() to handle the case when there's no dumb buffer attached and drop the extra kfree.
Fixes: c76f0f7cb546 ("drm: Begin an API for in-kernel clients") Reported-by: Dan Carpenter dan.carpenter@oracle.com Cc: Daniel Vetter daniel.vetter@ffwll.ch Signed-off-by: Noralf Trønnes noralf@tronnes.org Reviewed-by: Daniel Vetter daniel.vetter@ffwll.ch ---
Changes since version 1: - Let drm_client_buffer_delete() handle all freeing (Daniel Vetter)
drivers/gpu/drm/drm_client.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/gpu/drm/drm_client.c b/drivers/gpu/drm/drm_client.c index 9b142f58d489..baff50a4c234 100644 --- a/drivers/gpu/drm/drm_client.c +++ b/drivers/gpu/drm/drm_client.c @@ -218,7 +218,9 @@ static void drm_client_buffer_delete(struct drm_client_buffer *buffer) if (buffer->gem) drm_gem_object_put_unlocked(buffer->gem);
- drm_mode_destroy_dumb(dev, buffer->handle, buffer->client->file); + if (buffer->handle) + drm_mode_destroy_dumb(dev, buffer->handle, buffer->client->file); + kfree(buffer); }
@@ -243,7 +245,7 @@ drm_client_buffer_create(struct drm_client_dev *client, u32 width, u32 height, u dumb_args.bpp = drm_format_plane_cpp(format, 0) * 8; ret = drm_mode_create_dumb(dev, &dumb_args, client->file); if (ret) - goto err_free; + goto err_delete;
buffer->handle = dumb_args.handle; buffer->pitch = dumb_args.pitch; @@ -276,8 +278,6 @@ drm_client_buffer_create(struct drm_client_dev *client, u32 width, u32 height, u
err_delete: drm_client_buffer_delete(buffer); -err_free: - kfree(buffer);
return ERR_PTR(ret); }
Den 12.07.2018 17.04, skrev Noralf Trønnes:
This fixes a static checker warning:
drivers/gpu/drm/drm_client.c:289 drm_client_buffer_create() error: double free of 'buffer'
Extend drm_client_buffer_delete() to handle the case when there's no dumb buffer attached and drop the extra kfree.
Fixes: c76f0f7cb546 ("drm: Begin an API for in-kernel clients") Reported-by: Dan Carpenter dan.carpenter@oracle.com Cc: Daniel Vetter daniel.vetter@ffwll.ch Signed-off-by: Noralf Trønnes noralf@tronnes.org Reviewed-by: Daniel Vetter daniel.vetter@ffwll.ch
Changes since version 1:
- Let drm_client_buffer_delete() handle all freeing (Daniel Vetter)
Applied, thanks for review and an improved solution.
Noralf.
drivers/gpu/drm/drm_client.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/gpu/drm/drm_client.c b/drivers/gpu/drm/drm_client.c index 9b142f58d489..baff50a4c234 100644 --- a/drivers/gpu/drm/drm_client.c +++ b/drivers/gpu/drm/drm_client.c @@ -218,7 +218,9 @@ static void drm_client_buffer_delete(struct drm_client_buffer *buffer) if (buffer->gem) drm_gem_object_put_unlocked(buffer->gem);
- drm_mode_destroy_dumb(dev, buffer->handle, buffer->client->file);
- if (buffer->handle)
drm_mode_destroy_dumb(dev, buffer->handle, buffer->client->file);- kfree(buffer); }
@@ -243,7 +245,7 @@ drm_client_buffer_create(struct drm_client_dev *client, u32 width, u32 height, u dumb_args.bpp = drm_format_plane_cpp(format, 0) * 8; ret = drm_mode_create_dumb(dev, &dumb_args, client->file); if (ret)
goto err_free;
goto err_delete;buffer->handle = dumb_args.handle; buffer->pitch = dumb_args.pitch;
@@ -276,8 +278,6 @@ drm_client_buffer_create(struct drm_client_dev *client, u32 width, u32 height, u
err_delete: drm_client_buffer_delete(buffer); -err_free:
kfree(buffer);
return ERR_PTR(ret); }
dri-devel@lists.freedesktop.org
-
Noralf Trønnes