From mboxrd@z Thu Jan 1 00:00:00 1970 From: Dan Carpenter Date: Thu, 09 Dec 2010 05:35:40 +0000 Subject: [patch] drm: use after free in drm_queue_vblank_event() Message-Id: <20101209053540.GR10623@bicker> List-Id: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit To: David Airlie Cc: kernel-janitors@vger.kernel.org, dri-devel@lists.freedesktop.org The "e" pointer is either NULL or freed when we call drm_vblank_put(dev, e->pipe) on the error path. Just pass the "pipe" variable directly instead. I changed another caller to use "pipe" as well for consistency. Signed-off-by: Dan Carpenter diff --git a/drivers/gpu/drm/drm_irq.c b/drivers/gpu/drm/drm_irq.c index 722700d..16d5155 100644 --- a/drivers/gpu/drm/drm_irq.c +++ b/drivers/gpu/drm/drm_irq.c @@ -628,7 +628,7 @@ static int drm_queue_vblank_event(struct drm_device *dev, int pipe, if ((seq - vblwait->request.sequence) <= (1 << 23)) { e->event.tv_sec = now.tv_sec; e->event.tv_usec = now.tv_usec; - drm_vblank_put(dev, e->pipe); + drm_vblank_put(dev, pipe); list_add_tail(&e->base.link, &e->base.file_priv->event_list); wake_up_interruptible(&e->base.file_priv->event_wait); trace_drm_vblank_event_delivered(current->pid, pipe, @@ -645,7 +645,7 @@ err_unlock: spin_unlock_irqrestore(&dev->event_lock, flags); kfree(e); err_put: - drm_vblank_put(dev, e->pipe); + drm_vblank_put(dev, pipe); return ret; } From mboxrd@z Thu Jan 1 00:00:00 1970 From: Dan Carpenter Subject: [patch] drm: use after free in drm_queue_vblank_event() Date: Thu, 9 Dec 2010 08:35:40 +0300 Message-ID: <20101209053540.GR10623@bicker> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: Received: from mail-ww0-f43.google.com (mail-ww0-f43.google.com [74.125.82.43]) by gabe.freedesktop.org (Postfix) with ESMTP id DEB1E9E746 for ; Wed, 8 Dec 2010 21:36:28 -0800 (PST) Received: by wwi17 with SMTP id 17so1934840wwi.12 for ; Wed, 08 Dec 2010 21:36:27 -0800 (PST) Content-Disposition: inline List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: dri-devel-bounces+sf-dri-devel=m.gmane.org@lists.freedesktop.org Errors-To: dri-devel-bounces+sf-dri-devel=m.gmane.org@lists.freedesktop.org To: David Airlie Cc: kernel-janitors@vger.kernel.org, dri-devel@lists.freedesktop.org List-Id: dri-devel@lists.freedesktop.org The "e" pointer is either NULL or freed when we call drm_vblank_put(dev, e->pipe) on the error path. Just pass the "pipe" variable directly instead. I changed another caller to use "pipe" as well for consistency. Signed-off-by: Dan Carpenter diff --git a/drivers/gpu/drm/drm_irq.c b/drivers/gpu/drm/drm_irq.c index 722700d..16d5155 100644 --- a/drivers/gpu/drm/drm_irq.c +++ b/drivers/gpu/drm/drm_irq.c @@ -628,7 +628,7 @@ static int drm_queue_vblank_event(struct drm_device *dev, int pipe, if ((seq - vblwait->request.sequence) <= (1 << 23)) { e->event.tv_sec = now.tv_sec; e->event.tv_usec = now.tv_usec; - drm_vblank_put(dev, e->pipe); + drm_vblank_put(dev, pipe); list_add_tail(&e->base.link, &e->base.file_priv->event_list); wake_up_interruptible(&e->base.file_priv->event_wait); trace_drm_vblank_event_delivered(current->pid, pipe, @@ -645,7 +645,7 @@ err_unlock: spin_unlock_irqrestore(&dev->event_lock, flags); kfree(e); err_put: - drm_vblank_put(dev, e->pipe); + drm_vblank_put(dev, pipe); return ret; }