| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aPtjAcNP3fuRNBs5@fedora>
Date: Fri, 24 Oct 2025 13:29:05 +0200
From: José Expósito <jose.exposito89@...il.com>
To: Dan Carpenter <dan.carpenter@...aro.org>
Cc: Louis Chauvet <louis.chauvet@...tlin.com>,
Haneen Mohammed <hamohammed.sa@...il.com>,
Simona Vetter <simona@...ll.ch>,
Melissa Wen <melissa.srw@...il.com>,
Maarten Lankhorst <maarten.lankhorst@...ux.intel.com>,
Maxime Ripard <mripard@...nel.org>,
Thomas Zimmermann <tzimmermann@...e.de>,
David Airlie <airlied@...il.com>,
Luca Ceresoli <luca.ceresoli@...tlin.com>,
Harry Wentland <harry.wentland@....com>,
dri-devel@...ts.freedesktop.org, linux-kernel@...r.kernel.org,
kernel-janitors@...r.kernel.org
Subject: Re: [PATCH next] drm/vkms: Fix use after frees on error paths
On Fri, Oct 24, 2025 at 02:15:23PM +0300, Dan Carpenter wrote:
> These error paths free a pointer and then dereference it on the next line
> to get the error code. Save the error code first and then free the
> memory.
>
> Fixes: 3e4d5b30d2b2 ("drm/vkms: Allow to configure multiple CRTCs via configfs")
> Fixes: 2f1734ba271b ("drm/vkms: Allow to configure multiple planes via configfs")
> Fixes: 67d8cf92e13e ("drm/vkms: Allow to configure multiple encoders via configfs")
> Fixes: 272acbca96a3 ("drm/vkms: Allow to configure multiple connectors via configfs")
> Fixes: 13fc9b9745cc ("drm/vkms: Add and remove VKMS instances via configfs")
> Signed-off-by: Dan Carpenter <dan.carpenter@...aro.org>
Thanks for fixing this:
Reviewed-by: José Expósito <jose.exposito89@...il.com>
> ---
> drivers/gpu/drm/vkms/vkms_configfs.c | 20 +++++++++++++++-----
> 1 file changed, 15 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/gpu/drm/vkms/vkms_configfs.c b/drivers/gpu/drm/vkms/vkms_configfs.c
> index 07ab794e1052..506666e21c91 100644
> --- a/drivers/gpu/drm/vkms/vkms_configfs.c
> +++ b/drivers/gpu/drm/vkms/vkms_configfs.c
> @@ -204,6 +204,7 @@ static struct config_group *make_crtc_group(struct config_group *group,
> {
> struct vkms_configfs_device *dev;
> struct vkms_configfs_crtc *crtc;
> + int ret;
>
> dev = child_group_to_vkms_configfs_device(group);
>
> @@ -219,8 +220,9 @@ static struct config_group *make_crtc_group(struct config_group *group,
>
> crtc->config = vkms_config_create_crtc(dev->config);
> if (IS_ERR(crtc->config)) {
> + ret = PTR_ERR(crtc->config);
> kfree(crtc);
> - return ERR_CAST(crtc->config);
> + return ERR_PTR(ret);
> }
>
> config_group_init_type_name(&crtc->group, name, &crtc_item_type);
> @@ -358,6 +360,7 @@ static struct config_group *make_plane_group(struct config_group *group,
> {
> struct vkms_configfs_device *dev;
> struct vkms_configfs_plane *plane;
> + int ret;
>
> dev = child_group_to_vkms_configfs_device(group);
>
> @@ -373,8 +376,9 @@ static struct config_group *make_plane_group(struct config_group *group,
>
> plane->config = vkms_config_create_plane(dev->config);
> if (IS_ERR(plane->config)) {
> + ret = PTR_ERR(plane->config);
> kfree(plane);
> - return ERR_CAST(plane->config);
> + return ERR_PTR(ret);
> }
>
> config_group_init_type_name(&plane->group, name, &plane_item_type);
> @@ -472,6 +476,7 @@ static struct config_group *make_encoder_group(struct config_group *group,
> {
> struct vkms_configfs_device *dev;
> struct vkms_configfs_encoder *encoder;
> + int ret;
>
> dev = child_group_to_vkms_configfs_device(group);
>
> @@ -487,8 +492,9 @@ static struct config_group *make_encoder_group(struct config_group *group,
>
> encoder->config = vkms_config_create_encoder(dev->config);
> if (IS_ERR(encoder->config)) {
> + ret = PTR_ERR(encoder->config);
> kfree(encoder);
> - return ERR_CAST(encoder->config);
> + return ERR_PTR(ret);
> }
>
> config_group_init_type_name(&encoder->group, name,
> @@ -637,6 +643,7 @@ static struct config_group *make_connector_group(struct config_group *group,
> {
> struct vkms_configfs_device *dev;
> struct vkms_configfs_connector *connector;
> + int ret;
>
> dev = child_group_to_vkms_configfs_device(group);
>
> @@ -652,8 +659,9 @@ static struct config_group *make_connector_group(struct config_group *group,
>
> connector->config = vkms_config_create_connector(dev->config);
> if (IS_ERR(connector->config)) {
> + ret = PTR_ERR(connector->config);
> kfree(connector);
> - return ERR_CAST(connector->config);
> + return ERR_PTR(ret);
> }
>
> config_group_init_type_name(&connector->group, name,
> @@ -756,6 +764,7 @@ static struct config_group *make_device_group(struct config_group *group,
> const char *name)
> {
> struct vkms_configfs_device *dev;
> + int ret;
>
> if (strcmp(name, DEFAULT_DEVICE_NAME) == 0)
> return ERR_PTR(-EINVAL);
> @@ -766,8 +775,9 @@ static struct config_group *make_device_group(struct config_group *group,
>
> dev->config = vkms_config_create(name);
> if (IS_ERR(dev->config)) {
> + ret = PTR_ERR(dev->config);
> kfree(dev);
> - return ERR_CAST(dev->config);
> + return ERR_PTR(ret);
> }
>
> config_group_init_type_name(&dev->group, name, &device_item_type);
> --
> 2.51.0
>
Powered by blists - more mailing lists