* [PATCH 1/2] fbdev/imsttfb: fix double free in probe()
@ 2023-10-27 12:04 Dan Carpenter
2023-10-27 12:05 ` [PATCH 2/2] fbdev/imsttfb: fix a resource leak in probe Dan Carpenter
2023-11-05 18:22 ` [PATCH 1/2] fbdev/imsttfb: fix double free in probe() Helge Deller
0 siblings, 2 replies; 3+ messages in thread
From: Dan Carpenter @ 2023-10-27 12:04 UTC (permalink / raw)
To: Helge Deller
Cc: Thomas Zimmermann, Javier Martinez Canillas, Sam Ravnborg,
Zheng Wang, linux-fbdev, dri-devel, kernel-janitors
The init_imstt() function calls framebuffer_release() on error and then
the probe() function calls it again. It should only be done in probe.
Fixes: 518ecb6a209f ("fbdev: imsttfb: Fix error path of imsttfb_probe()")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
---
drivers/video/fbdev/imsttfb.c | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/drivers/video/fbdev/imsttfb.c b/drivers/video/fbdev/imsttfb.c
index e7e03e920729..acb943f85700 100644
--- a/drivers/video/fbdev/imsttfb.c
+++ b/drivers/video/fbdev/imsttfb.c
@@ -1421,7 +1421,6 @@ static int init_imstt(struct fb_info *info)
if ((info->var.xres * info->var.yres) * (info->var.bits_per_pixel >> 3) > info->fix.smem_len
|| !(compute_imstt_regvals(par, info->var.xres, info->var.yres))) {
printk("imsttfb: %ux%ux%u not supported\n", info->var.xres, info->var.yres, info->var.bits_per_pixel);
- framebuffer_release(info);
return -ENODEV;
}
@@ -1453,14 +1452,11 @@ static int init_imstt(struct fb_info *info)
FBINFO_HWACCEL_FILLRECT |
FBINFO_HWACCEL_YPAN;
- if (fb_alloc_cmap(&info->cmap, 0, 0)) {
- framebuffer_release(info);
+ if (fb_alloc_cmap(&info->cmap, 0, 0))
return -ENODEV;
- }
if (register_framebuffer(info) < 0) {
fb_dealloc_cmap(&info->cmap);
- framebuffer_release(info);
return -ENODEV;
}
--
2.42.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [PATCH 2/2] fbdev/imsttfb: fix a resource leak in probe
2023-10-27 12:04 [PATCH 1/2] fbdev/imsttfb: fix double free in probe() Dan Carpenter
@ 2023-10-27 12:05 ` Dan Carpenter
2023-11-05 18:22 ` [PATCH 1/2] fbdev/imsttfb: fix double free in probe() Helge Deller
1 sibling, 0 replies; 3+ messages in thread
From: Dan Carpenter @ 2023-10-27 12:05 UTC (permalink / raw)
To: Zheng Wang
Cc: Helge Deller, Thomas Zimmermann, Javier Martinez Canillas,
Sam Ravnborg, linux-fbdev, dri-devel, kernel-janitors
I've re-written the error handling but the bug is that if init_imstt()
fails we need to call iounmap(par->cmap_regs).
Fixes: c75f5a550610 ("fbdev: imsttfb: Fix use after free bug in imsttfb_probe")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
---
drivers/video/fbdev/imsttfb.c | 29 ++++++++++++++++-------------
1 file changed, 16 insertions(+), 13 deletions(-)
diff --git a/drivers/video/fbdev/imsttfb.c b/drivers/video/fbdev/imsttfb.c
index acb943f85700..660499260f46 100644
--- a/drivers/video/fbdev/imsttfb.c
+++ b/drivers/video/fbdev/imsttfb.c
@@ -1496,8 +1496,8 @@ static int imsttfb_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
if (!request_mem_region(addr, size, "imsttfb")) {
printk(KERN_ERR "imsttfb: Can't reserve memory region\n");
- framebuffer_release(info);
- return -ENODEV;
+ ret = -ENODEV;
+ goto release_info;
}
switch (pdev->device) {
@@ -1514,36 +1514,39 @@ static int imsttfb_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
printk(KERN_INFO "imsttfb: Device 0x%x unknown, "
"contact maintainer.\n", pdev->device);
ret = -ENODEV;
- goto error;
+ goto release_mem_region;
}
info->fix.smem_start = addr;
info->screen_base = (__u8 *)ioremap(addr, par->ramdac == IBM ?
0x400000 : 0x800000);
if (!info->screen_base)
- goto error;
+ goto release_mem_region;
info->fix.mmio_start = addr + 0x800000;
par->dc_regs = ioremap(addr + 0x800000, 0x1000);
if (!par->dc_regs)
- goto error;
+ goto unmap_screen_base;
par->cmap_regs_phys = addr + 0x840000;
par->cmap_regs = (__u8 *)ioremap(addr + 0x840000, 0x1000);
if (!par->cmap_regs)
- goto error;
+ goto unmap_dc_regs;
info->pseudo_palette = par->palette;
ret = init_imstt(info);
if (ret)
- goto error;
+ goto unmap_cmap_regs;
pci_set_drvdata(pdev, info);
- return ret;
+ return 0;
-error:
- if (par->dc_regs)
- iounmap(par->dc_regs);
- if (info->screen_base)
- iounmap(info->screen_base);
+unmap_cmap_regs:
+ iounmap(par->cmap_regs);
+unmap_dc_regs:
+ iounmap(par->dc_regs);
+unmap_screen_base:
+ iounmap(info->screen_base);
+release_mem_region:
release_mem_region(addr, size);
+release_info:
framebuffer_release(info);
return ret;
}
--
2.42.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH 1/2] fbdev/imsttfb: fix double free in probe()
2023-10-27 12:04 [PATCH 1/2] fbdev/imsttfb: fix double free in probe() Dan Carpenter
2023-10-27 12:05 ` [PATCH 2/2] fbdev/imsttfb: fix a resource leak in probe Dan Carpenter
@ 2023-11-05 18:22 ` Helge Deller
1 sibling, 0 replies; 3+ messages in thread
From: Helge Deller @ 2023-11-05 18:22 UTC (permalink / raw)
To: Dan Carpenter
Cc: Thomas Zimmermann, Javier Martinez Canillas, Sam Ravnborg,
Zheng Wang, linux-fbdev, dri-devel, kernel-janitors
On 10/27/23 14:04, Dan Carpenter wrote:
> The init_imstt() function calls framebuffer_release() on error and then
> the probe() function calls it again. It should only be done in probe.
>
> Fixes: 518ecb6a209f ("fbdev: imsttfb: Fix error path of imsttfb_probe()")
> Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Both patches applied.
Thanks!
Helge
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2023-11-05 18:22 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-10-27 12:04 [PATCH 1/2] fbdev/imsttfb: fix double free in probe() Dan Carpenter
2023-10-27 12:05 ` [PATCH 2/2] fbdev/imsttfb: fix a resource leak in probe Dan Carpenter
2023-11-05 18:22 ` [PATCH 1/2] fbdev/imsttfb: fix double free in probe() Helge Deller
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox