| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <78abd541-71e9-4b3b-a05d-2c7caf8d5b2f@stanley.mountain>
Date: Wed, 12 Feb 2025 18:23:48 +0300
From: Dan Carpenter <dan.carpenter@...aro.org>
To: Louis Chauvet <louis.chauvet@...tlin.com>
Cc: Maarten Lankhorst <maarten.lankhorst@...ux.intel.com>,
Maxime Ripard <mripard@...nel.org>,
Thomas Zimmermann <tzimmermann@...e.de>,
David Airlie <airlied@...il.com>, Simona Vetter <simona@...ll.ch>,
dri-devel@...ts.freedesktop.org, linux-kernel@...r.kernel.org,
kernel-janitors@...r.kernel.org
Subject: [PATCH next] drm: writeback: Fix use after free in
drm_writeback_connector_cleanup()
The drm_writeback_cleanup_job() function frees "pos" so call
list_del(&pos->list_entry) first to avoid a use after free.
Fixes: 1914ba2b91ea ("drm: writeback: Create drmm variants for drm_writeback_connector initialization")
Signed-off-by: Dan Carpenter <dan.carpenter@...aro.org>
---
drivers/gpu/drm/drm_writeback.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/drm_writeback.c b/drivers/gpu/drm/drm_writeback.c
index 3628fbef7752..f139b49af4c9 100644
--- a/drivers/gpu/drm/drm_writeback.c
+++ b/drivers/gpu/drm/drm_writeback.c
@@ -360,8 +360,8 @@ static void drm_writeback_connector_cleanup(struct drm_device *dev,
spin_lock_irqsave(&wb_connector->job_lock, flags);
list_for_each_entry_safe(pos, n, &wb_connector->job_queue, list_entry) {
- drm_writeback_cleanup_job(pos);
list_del(&pos->list_entry);
+ drm_writeback_cleanup_job(pos);
}
spin_unlock_irqrestore(&wb_connector->job_lock, flags);
}
--
2.47.2
Powered by blists - more mailing lists