From: Noralf Trønnes Date: Thu, 12 Jul 2018 15:04:14 +0000 (+0200) Subject: drm/client: Fix double free in error path X-Git-Tag: v4.19-rc1~138^2~20^2~34 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=cf19fa2cfa4e9b5458b6f3503c5317dd1a2bfbae;p=thirdparty%2Flinux.git drm/client: Fix double free in error path This fixes a static checker warning: drivers/gpu/drm/drm_client.c:289 drm_client_buffer_create() error: double free of 'buffer' Extend drm_client_buffer_delete() to handle the case when there's no dumb buffer attached and drop the extra kfree. Fixes: c76f0f7cb546 ("drm: Begin an API for in-kernel clients") Reported-by: Dan Carpenter Cc: Daniel Vetter Signed-off-by: Noralf Trønnes Reviewed-by: Daniel Vetter Link: https://patchwork.freedesktop.org/patch/msgid/20180712150414.46908-1-noralf@tronnes.org --- diff --git a/drivers/gpu/drm/drm_client.c b/drivers/gpu/drm/drm_client.c index 9b142f58d489f..baff50a4c2349 100644 --- a/drivers/gpu/drm/drm_client.c +++ b/drivers/gpu/drm/drm_client.c @@ -218,7 +218,9 @@ static void drm_client_buffer_delete(struct drm_client_buffer *buffer) if (buffer->gem) drm_gem_object_put_unlocked(buffer->gem); - drm_mode_destroy_dumb(dev, buffer->handle, buffer->client->file); + if (buffer->handle) + drm_mode_destroy_dumb(dev, buffer->handle, buffer->client->file); + kfree(buffer); } @@ -243,7 +245,7 @@ drm_client_buffer_create(struct drm_client_dev *client, u32 width, u32 height, u dumb_args.bpp = drm_format_plane_cpp(format, 0) * 8; ret = drm_mode_create_dumb(dev, &dumb_args, client->file); if (ret) - goto err_free; + goto err_delete; buffer->handle = dumb_args.handle; buffer->pitch = dumb_args.pitch; @@ -276,8 +278,6 @@ drm_client_buffer_create(struct drm_client_dev *client, u32 width, u32 height, u err_delete: drm_client_buffer_delete(buffer); -err_free: - kfree(buffer); return ERR_PTR(ret); }