| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20231213144431.94956-2-donald.robson@imgtec.com>
Date: Wed, 13 Dec 2023 14:44:31 +0000
From: Donald Robson <donald.robson@...tec.com>
To: <dri-devel@...ts.freedesktop.org>, <linux-kernel@...r.kernel.org>
CC: <frank.binns@...tec.com>, <donald.robson@...tec.com>,
<matt.coster@...tec.com>, <maarten.lankhorst@...ux.intel.com>,
<mripard@...nel.org>, <tzimmermann@...e.de>, <airlied@...il.com>,
<daniel@...ll.ch>, Dan Carpenter <dan.carpenter@...aro.org>
Subject: [PATCH 2/2] drm/imagination: Fix error path in pvr_vm_create_context
It is possible to double free the vm_ctx->mmu_ctx object in this
function.
630 err_page_table_destroy:
--> 631 pvr_mmu_context_destroy(vm_ctx->mmu_ctx);
The pvr_vm_context_put() function does:
kref_put(&vm_ctx->ref_count, pvr_vm_context_release);
Here the pvr_vm_context_release() will call:
pvr_mmu_context_destroy(vm_ctx->mmu_ctx);
Refactor to an unwind style.
Reported-by: Dan Carpenter <dan.carpenter@...aro.org>
Signed-off-by: Donald Robson <donald.robson@...tec.com>
---
drivers/gpu/drm/imagination/pvr_vm.c | 28 +++++++++++++---------------
1 file changed, 13 insertions(+), 15 deletions(-)
diff --git a/drivers/gpu/drm/imagination/pvr_vm.c b/drivers/gpu/drm/imagination/pvr_vm.c
index 432168aba577..93155eccc50d 100644
--- a/drivers/gpu/drm/imagination/pvr_vm.c
+++ b/drivers/gpu/drm/imagination/pvr_vm.c
@@ -598,23 +598,12 @@ pvr_vm_create_context(struct pvr_device *pvr_dev, bool is_userspace_context)
if (!vm_ctx)
return ERR_PTR(-ENOMEM);
- drm_gem_private_object_init(&pvr_dev->base, &vm_ctx->dummy_gem, 0);
-
vm_ctx->pvr_dev = pvr_dev;
- kref_init(&vm_ctx->ref_count);
- mutex_init(&vm_ctx->lock);
-
- drm_gpuvm_init(&vm_ctx->gpuvm_mgr,
- is_userspace_context ? "PowerVR-user-VM" : "PowerVR-FW-VM",
- 0, &pvr_dev->base, &vm_ctx->dummy_gem,
- 0, 1ULL << device_addr_bits, 0, 0, &pvr_vm_gpuva_ops);
vm_ctx->mmu_ctx = pvr_mmu_context_create(pvr_dev);
err = PTR_ERR_OR_ZERO(vm_ctx->mmu_ctx);
- if (err) {
- vm_ctx->mmu_ctx = NULL;
- goto err_put_ctx;
- }
+ if (err)
+ goto err_free;
if (is_userspace_context) {
err = pvr_fw_object_create(pvr_dev, sizeof(struct rogue_fwif_fwmemcontext),
@@ -625,13 +614,22 @@ pvr_vm_create_context(struct pvr_device *pvr_dev, bool is_userspace_context)
goto err_page_table_destroy;
}
+ drm_gem_private_object_init(&pvr_dev->base, &vm_ctx->dummy_gem, 0);
+ drm_gpuvm_init(&vm_ctx->gpuvm_mgr,
+ is_userspace_context ? "PowerVR-user-VM" : "PowerVR-FW-VM",
+ 0, &pvr_dev->base, &vm_ctx->dummy_gem,
+ 0, 1ULL << device_addr_bits, 0, 0, &pvr_vm_gpuva_ops);
+
+ mutex_init(&vm_ctx->lock);
+ kref_init(&vm_ctx->ref_count);
+
return vm_ctx;
err_page_table_destroy:
pvr_mmu_context_destroy(vm_ctx->mmu_ctx);
-err_put_ctx:
- pvr_vm_context_put(vm_ctx);
+err_free:
+ kfree(vm_ctx);
return ERR_PTR(err);
}
--
2.25.1
Powered by blists - more mailing lists