* [patch] drm/savage: dereferencing an error pointer
From: Dan Carpenter @ 2016-10-12 6:22 UTC (permalink / raw)
To: David Airlie, Markus Elfring; +Cc: Daniel Vetter, kernel-janitors, dri-devel

A recent cleanup changed the kmalloc() + copy_from_user() to
memdup_user() but the error handling wasn't updated so we might call
kfree(-EFAULT) and crash.

Fixes: a6e3918bcdb1 ('GPU-DRM-Savage: Use memdup_user() rather than duplicating')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

diff --git a/drivers/gpu/drm/savage/savage_state.c b/drivers/gpu/drm/savage/savage_state.c
index 3dc0d8f..2db89be 100644
--- a/drivers/gpu/drm/savage/savage_state.c
+++ b/drivers/gpu/drm/savage/savage_state.c
@@ -1004,6 +1004,7 @@ int savage_bci_cmdbuf(struct drm_device *dev, void *data, struct drm_file *file_
kvb_addr = memdup_user(cmdbuf->vb_addr, cmdbuf->vb_size);
if (IS_ERR(kvb_addr)) {
ret = PTR_ERR(kvb_addr);
+ kvb_addr = NULL;
goto done;
}
cmdbuf->vb_addr = kvb_addr;
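
Review bot: the `kvb_addr = NULL;` reset in the IS_ERR() branch is only correct if the code at the `done` label frees kvb_addr, and that cleanup is not visible in this hunk, so the fix cannot be checked from the diff alone. kfree(NULL) is a no-op, so the reset itself is safe, but a one-line comment on it (for example "done: frees kvb_addr, must not see an ERR_PTR") would stop a later cleanup from removing it as a dead store. The changelog says the earlier commit replaced kmalloc() + copy_from_user() with memdup_user(); if that commit converted any other buffer in savage_bci_cmdbuf(), each of those IS_ERR() branches needs the same check before `goto done`, and it would help to say in the changelog whether they were looked at.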
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
* Re: [patch] drm/savage: dereferencing an error pointer
From: SF Markus Elfring @ 2016-10-12 11:12 UTC (permalink / raw)
To: Dan Carpenter, Daniel Vetter, David Airlie; +Cc: kernel-janitors, dri-devel
> A recent cleanup changed the kmalloc() + copy_from_user() to
> memdup_user() but the error handling wasn't updated so we might call
> kfree(-EFAULT) and crash.
>
> Fixes: a6e3918bcdb1 ('GPU-DRM-Savage: Use memdup_user() rather than duplicating')
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
>
> diff --git a/drivers/gpu/drm/savage/savage_state.c b/drivers/gpu/drm/savage/savage_state.c
> index 3dc0d8f..2db89be 100644
> --- a/drivers/gpu/drm/savage/savage_state.c
> +++ b/drivers/gpu/drm/savage/savage_state.c
> @@ -1004,6 +1004,7 @@ int savage_bci_cmdbuf(struct drm_device *dev, void *data, struct drm_file *file_
> kvb_addr = memdup_user(cmdbuf->vb_addr, cmdbuf->vb_size);
> if (IS_ERR(kvb_addr)) {
> ret = PTR_ERR(kvb_addr);
> + kvb_addr = NULL;
> goto done;
> }
> cmdbuf->vb_addr = kvb_addr;
>

Thanks for this update suggestion.

Can it be that I offered another approach for a corresponding software correction
by the update step “[PATCH 2/2] GPU-DRM-Savage: Less function calls in
savage_bci_cmdbuf() after error detection” (on 2016-08-18)?

https://patchwork.kernel.org/patch/9289183/
https://lkml.kernel.org/r/<c97563c0-d463-8b15-5956-26d93641a54f@users.sourceforge.net>

Will this one become worth for further development considerations once more?

Can the shown resetting of an error pointer to a safe null pointer be omitted
in such use cases when the jump targets will be accordingly configured as it is
desired for efficient exception handling implementations?

Regards,
Markus
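
The failure mode discussed in this thread, as an added userspace C example that is not part of either message or of the savage driver: an error pointer from a memdup_user()-style call reaches a shared cleanup label, shown next to the NULL reset from the patch and the alternative of jumping past the free. The names fake_memdup_user, checked_kfree, cmdbuf_model and the mode enum are assumptions made for illustration.

```c
/* Userspace model of the kernel ERR_PTR convention. All helper names are
 * constructed for this example; this is not the savage driver's code. */
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ERRNO 4095
#define ERR_PTR(e) ((void *)(intptr_t)(e))
#define PTR_ERR(p) ((long)(intptr_t)(p))
#define IS_ERR(p)  ((uintptr_t)(p) >= (uintptr_t)-MAX_ERRNO)

enum mode { UNPATCHED, RESET_TO_NULL, SKIP_FREE };
static int bad_frees;   /* error pointers that reached the free routine */

/* Stand-in for memdup_user(): a NULL source models a faulting user pointer. */
static void *fake_memdup_user(const void *src, size_t len)
{
    void *p = src ? malloc(len) : NULL;
    if (!p)
        return ERR_PTR(src ? -ENOMEM : -EFAULT);
    return memcpy(p, src, len);
}

/* Stand-in for kfree(): an error pointer is counted, not passed to free(). */
static void checked_kfree(void *p)
{
    if (IS_ERR(p)) { bad_frees++; return; }
    free(p);            /* free(NULL) is a no-op, like kfree(NULL) */
}

/* One allocation with a shared cleanup label, shaped like the hunk. */
static int cmdbuf_model(const void *user_vb, size_t len, enum mode m)
{
    int ret = 0;
    void *kvb_addr = fake_memdup_user(user_vb, len);
    if (IS_ERR(kvb_addr)) {
        ret = (int)PTR_ERR(kvb_addr);
        if (m == SKIP_FREE)
            goto out;            /* alternative: jump past the free */
        if (m == RESET_TO_NULL)
            kvb_addr = NULL;     /* the one-line fix from the patch */
        goto done;
    }
done:
    checked_kfree(kvb_addr);
out:
    return ret;
}
```

Only the UNPATCHED mode increments bad_frees; in the kernel that same call is the kfree(-EFAULT) the changelog describes.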