From: Alan Cox <alan@lxorguk.ukuu.org.uk>
To: airlied@linux.ie, dri-devel@lists.freedesktop.org
Subject: [PATCH 4/4] intel, gma500, lvds: Fix use after free and mem leak in psb_intel_lvds_init()
Date: Thu, 02 Feb 2012 15:19:13 +0000 [thread overview]
Message-ID: <20120202151911.20683.22832.stgit@bob.linux.org.uk> (raw)
In-Reply-To: <20120202151821.20683.87619.stgit@bob.linux.org.uk>
From: Jesper Juhl <jj@chaosbits.net>
In psb_intel_lvds_init(), if we fail to allocate memory for
'psb_intel_connector' we free the memory we previously allocated for
'psb_intel_encoder', but we then proceed to use that free'd pointer
when we do 'psb_intel_encoder->dev_priv = lvds_priv;'.
We may also leak the memory we allocated for 'psb_intel_encoder' if we
'goto failed_connector;' and the variable goes out of scope.
While I was there anyway, I also removed the pointless 'if
(psb_intel_connector)' before freeing it at the 'failed_connector:'
label - kfree() deals gracefully with NULL pointers, so it is not
needed.
Signed-off-by: Jesper Juhl <jj@chaosbits.net>
Signed-off-by: Alan Cox <alan@linux.intel.com>
---
drivers/gpu/drm/gma500/psb_intel_lvds.c | 9 ++++-----
1 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/drivers/gpu/drm/gma500/psb_intel_lvds.c b/drivers/gpu/drm/gma500/psb_intel_lvds.c
index 69a9651..c83f5b5 100644
--- a/drivers/gpu/drm/gma500/psb_intel_lvds.c
+++ b/drivers/gpu/drm/gma500/psb_intel_lvds.c
@@ -713,7 +713,6 @@ void psb_intel_lvds_init(struct drm_device *dev,
psb_intel_encoder =
kzalloc(sizeof(struct psb_intel_encoder), GFP_KERNEL);
-
if (!psb_intel_encoder) {
dev_err(dev->dev, "psb_intel_encoder allocation error\n");
return;
@@ -721,10 +720,9 @@ void psb_intel_lvds_init(struct drm_device *dev,
psb_intel_connector =
kzalloc(sizeof(struct psb_intel_connector), GFP_KERNEL);
-
if (!psb_intel_connector) {
- kfree(psb_intel_encoder);
dev_err(dev->dev, "psb_intel_connector allocation error\n");
+ goto failed_encoder;
}
lvds_priv = kzalloc(sizeof(struct psb_intel_lvds_priv), GFP_KERNEL);
@@ -862,7 +860,8 @@ failed_blc_i2c:
drm_encoder_cleanup(encoder);
drm_connector_cleanup(connector);
failed_connector:
- if (psb_intel_connector)
- kfree(psb_intel_connector);
+ kfree(psb_intel_connector);
+failed_encoder:
+ kfree(psb_intel_encoder);
}
prev parent reply other threads:[~2012-02-02 15:05 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-02-02 15:18 [PATCH 1/4] gma500: clean up some of the struct fields we no longer use Alan Cox
2012-02-02 15:18 ` [PATCH 2/4] gma500: now move the Oaktrail save state into its own structure Alan Cox
2012-02-02 15:19 ` [PATCH 3/4] gma500: Kconfig documentation tweak Alan Cox
2012-02-02 15:19 ` Alan Cox [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120202151911.20683.22832.stgit@bob.linux.org.uk \
--to=alan@lxorguk.ukuu.org.uk \
--cc=airlied@linux.ie \
--cc=dri-devel@lists.freedesktop.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.