Message-ID: <aPtfy2jCI_kb3Df7@stanley.mountain>
Date: Fri, 24 Oct 2025 14:15:23 +0300
From: Dan Carpenter <dan.carpenter@...aro.org>
To: Louis Chauvet <louis.chauvet@...tlin.com>
Cc: Haneen Mohammed <hamohammed.sa@...il.com>,
	Simona Vetter <simona@...ll.ch>,
	Melissa Wen <melissa.srw@...il.com>,
	Maarten Lankhorst <maarten.lankhorst@...ux.intel.com>,
	Maxime Ripard <mripard@...nel.org>,
	Thomas Zimmermann <tzimmermann@...e.de>,
	David Airlie <airlied@...il.com>,
	Luca Ceresoli <luca.ceresoli@...tlin.com>,
	José Expósito <jose.exposito89@...il.com>,
	Harry Wentland <harry.wentland@....com>,
	dri-devel@...ts.freedesktop.org, linux-kernel@...r.kernel.org,
	kernel-janitors@...r.kernel.org
Subject: [PATCH next] drm/vkms: Fix use after frees on error paths

These error paths free a pointer and then dereference it on the next line
to get the error code.  Save the error code first and then free the
memory.

Fixes: 3e4d5b30d2b2 ("drm/vkms: Allow to configure multiple CRTCs via configfs")
Fixes: 2f1734ba271b ("drm/vkms: Allow to configure multiple planes via configfs")
Fixes: 67d8cf92e13e ("drm/vkms: Allow to configure multiple encoders via configfs")
Fixes: 272acbca96a3 ("drm/vkms: Allow to configure multiple connectors via configfs")
Fixes: 13fc9b9745cc ("drm/vkms: Add and remove VKMS instances via configfs")
Signed-off-by: Dan Carpenter <dan.carpenter@...aro.org>
---
 drivers/gpu/drm/vkms/vkms_configfs.c | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/drivers/gpu/drm/vkms/vkms_configfs.c b/drivers/gpu/drm/vkms/vkms_configfs.c
index 07ab794e1052..506666e21c91 100644
--- a/drivers/gpu/drm/vkms/vkms_configfs.c
+++ b/drivers/gpu/drm/vkms/vkms_configfs.c
@@ -204,6 +204,7 @@ static struct config_group *make_crtc_group(struct config_group *group,
 {
 	struct vkms_configfs_device *dev;
 	struct vkms_configfs_crtc *crtc;
+	int ret;
 
 	dev = child_group_to_vkms_configfs_device(group);
 
@@ -219,8 +220,9 @@ static struct config_group *make_crtc_group(struct config_group *group,
 
 		crtc->config = vkms_config_create_crtc(dev->config);
 		if (IS_ERR(crtc->config)) {
+			ret = PTR_ERR(crtc->config);
 			kfree(crtc);
-			return ERR_CAST(crtc->config);
+			return ERR_PTR(ret);
 		}
 
 		config_group_init_type_name(&crtc->group, name, &crtc_item_type);
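Review bot: The error branch after `vkms_config_create_crtc()` still keeps the only copy of the returned pointer inside the object being freed, which is what made the original use-after-free easy to write; holding the result in a local first would leave the branch with no access to `crtc` at all. For example, assign the call's result to a local `cfg` of the same pointer type, do `if (IS_ERR(cfg)) { kfree(crtc); return ERR_CAST(cfg); }`, and only then set `crtc->config = cfg;`, which also avoids narrowing the `long` from `PTR_ERR()` into `int ret`. The same applies to the matching branches in make_plane_group(), make_encoder_group(), make_connector_group() and make_device_group(). These branches presumably run only when the create call fails, so it is worth exercising them with fault injection under KASAN to confirm the fix; make_crtc_group() starts and ends outside this hunk.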
@@ -358,6 +360,7 @@ static struct config_group *make_plane_group(struct config_group *group,
 {
 	struct vkms_configfs_device *dev;
 	struct vkms_configfs_plane *plane;
+	int ret;
 
 	dev = child_group_to_vkms_configfs_device(group);
 
@@ -373,8 +376,9 @@ static struct config_group *make_plane_group(struct config_group *group,
 
 		plane->config = vkms_config_create_plane(dev->config);
 		if (IS_ERR(plane->config)) {
+			ret = PTR_ERR(plane->config);
 			kfree(plane);
-			return ERR_CAST(plane->config);
+			return ERR_PTR(ret);
 		}
 
 		config_group_init_type_name(&plane->group, name, &plane_item_type);
@@ -472,6 +476,7 @@ static struct config_group *make_encoder_group(struct config_group *group,
 {
 	struct vkms_configfs_device *dev;
 	struct vkms_configfs_encoder *encoder;
+	int ret;
 
 	dev = child_group_to_vkms_configfs_device(group);
 
@@ -487,8 +492,9 @@ static struct config_group *make_encoder_group(struct config_group *group,
 
 		encoder->config = vkms_config_create_encoder(dev->config);
 		if (IS_ERR(encoder->config)) {
+			ret = PTR_ERR(encoder->config);
 			kfree(encoder);
-			return ERR_CAST(encoder->config);
+			return ERR_PTR(ret);
 		}
 
 		config_group_init_type_name(&encoder->group, name,
@@ -637,6 +643,7 @@ static struct config_group *make_connector_group(struct config_group *group,
 {
 	struct vkms_configfs_device *dev;
 	struct vkms_configfs_connector *connector;
+	int ret;
 
 	dev = child_group_to_vkms_configfs_device(group);
 
@@ -652,8 +659,9 @@ static struct config_group *make_connector_group(struct config_group *group,
 
 		connector->config = vkms_config_create_connector(dev->config);
 		if (IS_ERR(connector->config)) {
+			ret = PTR_ERR(connector->config);
 			kfree(connector);
-			return ERR_CAST(connector->config);
+			return ERR_PTR(ret);
 		}
 
 		config_group_init_type_name(&connector->group, name,
@@ -756,6 +764,7 @@ static struct config_group *make_device_group(struct config_group *group,
 					      const char *name)
 {
 	struct vkms_configfs_device *dev;
+	int ret;
 
 	if (strcmp(name, DEFAULT_DEVICE_NAME) == 0)
 		return ERR_PTR(-EINVAL);
@@ -766,8 +775,9 @@ static struct config_group *make_device_group(struct config_group *group,
 
 	dev->config = vkms_config_create(name);
 	if (IS_ERR(dev->config)) {
+		ret = PTR_ERR(dev->config);
 		kfree(dev);
-		return ERR_CAST(dev->config);
+		return ERR_PTR(ret);
 	}
 
 	config_group_init_type_name(&dev->group, name, &device_item_type);
-- 
2.51.0

