From mboxrd@z Thu Jan  1 00:00:00 1970
From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Wed, 12 Oct 2016 06:22:27 +0000
Subject: [patch] drm/savage: dereferencing an error pointer
Message-Id: <20161012062227.GU12841@mwanda>
List-Id: <kernel-janitors.vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: David Airlie <airlied@linux.ie>, Markus Elfring <elfring@users.sourceforge.net>
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>, kernel-janitors@vger.kernel.org, dri-devel@lists.freedesktop.org

A recent cleanup changed the kmalloc() + copy_from_user() to
memdup_user() but the error handling wasn't updated so we might call
kfree(-EFAULT) and crash.

Fixes: a6e3918bcdb1 ('GPU-DRM-Savage: Use memdup_user() rather than duplicating')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

diff --git a/drivers/gpu/drm/savage/savage_state.c b/drivers/gpu/drm/savage/savage_state.c
index 3dc0d8f..2db89be 100644
--- a/drivers/gpu/drm/savage/savage_state.c
+++ b/drivers/gpu/drm/savage/savage_state.c
@@ -1004,6 +1004,7 @@ int savage_bci_cmdbuf(struct drm_device *dev, void *data, struct drm_file *file_
 		kvb_addr = memdup_user(cmdbuf->vb_addr, cmdbuf->vb_size);
 		if (IS_ERR(kvb_addr)) {
 			ret = PTR_ERR(kvb_addr);
+			kvb_addr = NULL;
 			goto done;
 		}
 		cmdbuf->vb_addr = kvb_addr;

From mboxrd@z Thu Jan  1 00:00:00 1970
From: Dan Carpenter <dan.carpenter@oracle.com>
Subject: [patch] drm/savage: dereferencing an error pointer
Date: Wed, 12 Oct 2016 09:22:27 +0300
Message-ID: <20161012062227.GU12841@mwanda>
Mime-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Return-path: <dri-devel-bounces@lists.freedesktop.org>
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69])
 by gabe.freedesktop.org (Postfix) with ESMTPS id 3C4936E7C1
 for <dri-devel@lists.freedesktop.org>; Wed, 12 Oct 2016 06:23:03 +0000 (UTC)
Content-Disposition: inline
List-Unsubscribe: <https://lists.freedesktop.org/mailman/options/dri-devel>,
 <mailto:dri-devel-request@lists.freedesktop.org?subject=unsubscribe>
List-Archive: <https://lists.freedesktop.org/archives/dri-devel>
List-Post: <mailto:dri-devel@lists.freedesktop.org>
List-Help: <mailto:dri-devel-request@lists.freedesktop.org?subject=help>
List-Subscribe: <https://lists.freedesktop.org/mailman/listinfo/dri-devel>,
 <mailto:dri-devel-request@lists.freedesktop.org?subject=subscribe>
Errors-To: dri-devel-bounces@lists.freedesktop.org
Sender: "dri-devel" <dri-devel-bounces@lists.freedesktop.org>
To: David Airlie <airlied@linux.ie>, Markus Elfring <elfring@users.sourceforge.net>
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>, kernel-janitors@vger.kernel.org, dri-devel@lists.freedesktop.org
List-Id: dri-devel@lists.freedesktop.org

QSByZWNlbnQgY2xlYW51cCBjaGFuZ2VkIHRoZSBrbWFsbG9jKCkgKyBjb3B5X2Zyb21fdXNlcigp
IHRvCm1lbWR1cF91c2VyKCkgYnV0IHRoZSBlcnJvciBoYW5kbGluZyB3YXNuJ3QgdXBkYXRlZCBz
byB3ZSBtaWdodCBjYWxsCmtmcmVlKC1FRkFVTFQpIGFuZCBjcmFzaC4KCkZpeGVzOiBhNmUzOTE4
YmNkYjEgKCdHUFUtRFJNLVNhdmFnZTogVXNlIG1lbWR1cF91c2VyKCkgcmF0aGVyIHRoYW4gZHVw
bGljYXRpbmcnKQpTaWduZWQtb2ZmLWJ5OiBEYW4gQ2FycGVudGVyIDxkYW4uY2FycGVudGVyQG9y
YWNsZS5jb20+CgpkaWZmIC0tZ2l0IGEvZHJpdmVycy9ncHUvZHJtL3NhdmFnZS9zYXZhZ2Vfc3Rh
dGUuYyBiL2RyaXZlcnMvZ3B1L2RybS9zYXZhZ2Uvc2F2YWdlX3N0YXRlLmMKaW5kZXggM2RjMGQ4
Zi4uMmRiODliZSAxMDA2NDQKLS0tIGEvZHJpdmVycy9ncHUvZHJtL3NhdmFnZS9zYXZhZ2Vfc3Rh
dGUuYworKysgYi9kcml2ZXJzL2dwdS9kcm0vc2F2YWdlL3NhdmFnZV9zdGF0ZS5jCkBAIC0xMDA0
LDYgKzEwMDQsNyBAQCBpbnQgc2F2YWdlX2JjaV9jbWRidWYoc3RydWN0IGRybV9kZXZpY2UgKmRl
diwgdm9pZCAqZGF0YSwgc3RydWN0IGRybV9maWxlICpmaWxlXwogCQlrdmJfYWRkciA9IG1lbWR1
cF91c2VyKGNtZGJ1Zi0+dmJfYWRkciwgY21kYnVmLT52Yl9zaXplKTsKIAkJaWYgKElTX0VSUihr
dmJfYWRkcikpIHsKIAkJCXJldCA9IFBUUl9FUlIoa3ZiX2FkZHIpOworCQkJa3ZiX2FkZHIgPSBO
VUxMOwogCQkJZ290byBkb25lOwogCQl9CiAJCWNtZGJ1Zi0+dmJfYWRkciA9IGt2Yl9hZGRyOwpf
X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fXwpkcmktZGV2ZWwg
bWFpbGluZyBsaXN0CmRyaS1kZXZlbEBsaXN0cy5mcmVlZGVza3RvcC5vcmcKaHR0cHM6Ly9saXN0
cy5mcmVlZGVza3RvcC5vcmcvbWFpbG1hbi9saXN0aW5mby9kcmktZGV2ZWwK