From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
Ben Hutchings <ben.hutchings@codethink.co.uk>,
Jordan Crouse <jcrouse@codeaurora.org>,
Rob Clark <robdclark@gmail.com>,
Guenter Roeck <linux@roeck-us.net>
Subject: [PATCH 4.4 48/48] drm/msm: Fix possible null dereference on failure of get_pages()
Date: Mon, 1 Jun 2020 19:53:58 +0200 [thread overview]
Message-ID: <20200601174005.784720752@linuxfoundation.org> (raw)
In-Reply-To: <20200601173952.175939894@linuxfoundation.org>
From: Ben Hutchings <ben.hutchings@codethink.co.uk>
commit 3976626ea3d2011f8fd3f3a47070a8b792018253 upstream.
Commit 62e3a3e342af changed get_pages() to initialise
msm_gem_object::pages before trying to initialise msm_gem_object::sgt,
so that put_pages() would properly clean up pages in the failure
case.
However, this means that put_pages() now needs to check that
msm_gem_object::sgt is not null before trying to clean it up, and
this check was only applied to part of the cleanup code. Move
it all into the conditional block. (Strictly speaking we don't
need to make the kfree() conditional, but since we can't avoid
checking for null ourselves we may as well do so.)
Fixes: 62e3a3e342af ("drm/msm: fix leak in failed get_pages")
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Reviewed-by: Jordan Crouse <jcrouse@codeaurora.org>
Signed-off-by: Rob Clark <robdclark@gmail.com>
Cc: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/msm/msm_gem.c | 20 +++++++++++---------
1 file changed, 11 insertions(+), 9 deletions(-)
--- a/drivers/gpu/drm/msm/msm_gem.c
+++ b/drivers/gpu/drm/msm/msm_gem.c
@@ -116,17 +116,19 @@ static void put_pages(struct drm_gem_obj
struct msm_gem_object *msm_obj = to_msm_bo(obj);
if (msm_obj->pages) {
- /* For non-cached buffers, ensure the new pages are clean
- * because display controller, GPU, etc. are not coherent:
- */
- if (msm_obj->flags & (MSM_BO_WC|MSM_BO_UNCACHED))
- dma_unmap_sg(obj->dev->dev, msm_obj->sgt->sgl,
- msm_obj->sgt->nents, DMA_BIDIRECTIONAL);
+ if (msm_obj->sgt) {
+ /* For non-cached buffers, ensure the new
+ * pages are clean because display controller,
+ * GPU, etc. are not coherent:
+ */
+ if (msm_obj->flags & (MSM_BO_WC|MSM_BO_UNCACHED))
+ dma_unmap_sg(obj->dev->dev, msm_obj->sgt->sgl,
+ msm_obj->sgt->nents,
+ DMA_BIDIRECTIONAL);
- if (msm_obj->sgt)
sg_free_table(msm_obj->sgt);
-
- kfree(msm_obj->sgt);
+ kfree(msm_obj->sgt);
+ }
if (use_pages(obj))
drm_gem_put_pages(obj, msm_obj->pages, true, false);
next prev parent reply other threads:[~2020-06-01 18:59 UTC|newest]
Thread overview: 53+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-01 17:53 [PATCH 4.4 00/48] 4.4.226-rc1 review Greg Kroah-Hartman
2020-06-01 17:53 ` [PATCH 4.4 01/48] ax25: fix setsockopt(SO_BINDTODEVICE) Greg Kroah-Hartman
2020-06-01 17:53 ` [PATCH 4.4 02/48] net: revert "net: get rid of an signed integer overflow in ip_idents_reserve()" Greg Kroah-Hartman
2020-06-01 17:53 ` [PATCH 4.4 03/48] sctp: Start shutdown on association restart if in SHUTDOWN-SENT state and socket is closed Greg Kroah-Hartman
2020-06-01 17:53 ` [PATCH 4.4 04/48] net/mlx5: Add command entry handling completion Greg Kroah-Hartman
2020-06-01 17:53 ` [PATCH 4.4 05/48] net: sun: fix missing release regions in cas_init_one() Greg Kroah-Hartman
2020-06-01 17:53 ` [PATCH 4.4 06/48] net/mlx4_core: fix a memory leak bug Greg Kroah-Hartman
2020-06-01 17:53 ` [PATCH 4.4 07/48] uapi: fix linux/if_pppol2tp.h userspace compilation errors Greg Kroah-Hartman
2020-06-01 17:53 ` [PATCH 4.4 08/48] IB/cma: Fix reference count leak when no ipv4 addresses are set Greg Kroah-Hartman
2020-06-01 17:53 ` [PATCH 4.4 09/48] gfs2: dont call quota_unhold if quotas are not locked Greg Kroah-Hartman
2020-06-01 17:53 ` [PATCH 4.4 10/48] cachefiles: Fix race between read_waiter and read_copier involving op->to_do Greg Kroah-Hartman
2020-06-01 17:53 ` [PATCH 4.4 11/48] usb: gadget: legacy: fix redundant initialization warnings Greg Kroah-Hartman
2020-06-01 17:53 ` [PATCH 4.4 12/48] cifs: Fix null pointer check in cifs_read Greg Kroah-Hartman
2020-06-01 17:53 ` [PATCH 4.4 13/48] Input: usbtouchscreen - add support for BonXeon TP Greg Kroah-Hartman
2020-06-01 17:53 ` [PATCH 4.4 14/48] Input: i8042 - add ThinkPad S230u to i8042 nomux list Greg Kroah-Hartman
2020-06-01 17:53 ` [PATCH 4.4 15/48] Input: evdev - call input_flush_device() on release(), not flush() Greg Kroah-Hartman
2020-06-01 17:53 ` [PATCH 4.4 16/48] Input: xpad - add custom init packet for Xbox One S controllers Greg Kroah-Hartman
2020-06-01 17:53 ` [PATCH 4.4 17/48] Input: i8042 - add ThinkPad S230u to i8042 reset list Greg Kroah-Hartman
2020-06-01 17:53 ` [PATCH 4.4 18/48] IB/qib: Call kobject_put() when kobject_init_and_add() fails Greg Kroah-Hartman
2020-06-01 17:53 ` [PATCH 4.4 19/48] ALSA: hwdep: fix a left shifting 1 by 31 UB bug Greg Kroah-Hartman
2020-06-01 17:53 ` [PATCH 4.4 20/48] ALSA: usb-audio: mixer: volume quirk for ESS Technology Asus USB DAC Greg Kroah-Hartman
2020-06-01 17:53 ` [PATCH 4.4 21/48] exec: Always set cap_ambient in cap_bprm_set_creds Greg Kroah-Hartman
2020-06-01 17:53 ` [PATCH 4.4 22/48] fs/binfmt_elf.c: allocate initialized memory in fill_thread_core_info() Greg Kroah-Hartman
2020-06-01 17:53 ` [PATCH 4.4 23/48] include/asm-generic/topology.h: guard cpumask_of_node() macro argument Greg Kroah-Hartman
2020-06-01 17:53 ` [PATCH 4.4 24/48] iommu: Fix reference count leak in iommu_group_alloc Greg Kroah-Hartman
2020-06-01 17:53 ` [PATCH 4.4 25/48] parisc: Fix kernel panic in mem_init() Greg Kroah-Hartman
2020-06-01 17:53 ` [PATCH 4.4 26/48] x86/dma: Fix max PFN arithmetic overflow on 32 bit systems Greg Kroah-Hartman
2020-06-01 17:53 ` [PATCH 4.4 27/48] xfrm: allow to accept packets with ipv6 NEXTHDR_HOP in xfrm_input Greg Kroah-Hartman
2020-06-01 17:53 ` [PATCH 4.4 28/48] xfrm: fix a warning in xfrm_policy_insert_list Greg Kroah-Hartman
2020-06-01 17:53 ` [PATCH 4.4 29/48] xfrm: fix a NULL-ptr deref in xfrm_local_error Greg Kroah-Hartman
2020-06-01 17:53 ` [PATCH 4.4 30/48] vti4: eliminated some duplicate code Greg Kroah-Hartman
2020-06-01 17:53 ` [PATCH 4.4 31/48] ip_vti: receive ipip packet by calling ip_tunnel_rcv Greg Kroah-Hartman
2020-06-01 17:53 ` [PATCH 4.4 32/48] netfilter: nft_reject_bridge: enable reject with bridge vlan Greg Kroah-Hartman
2020-06-01 17:53 ` [PATCH 4.4 33/48] netfilter: ipset: Fix subcounter update skip Greg Kroah-Hartman
2020-06-01 17:53 ` [PATCH 4.4 34/48] netfilter: nf_conntrack_pptp: prevent buffer overflows in debug code Greg Kroah-Hartman
2020-06-01 17:53 ` [PATCH 4.4 35/48] qlcnic: fix missing release in qlcnic_83xx_interrupt_test Greg Kroah-Hartman
2020-06-01 17:53 ` [PATCH 4.4 36/48] bonding: Fix reference count leak in bond_sysfs_slave_add Greg Kroah-Hartman
2020-06-01 17:53 ` [PATCH 4.4 37/48] Revert "Input: i8042 - add ThinkPad S230u to i8042 nomux list" Greg Kroah-Hartman
2020-06-01 17:53 ` [PATCH 4.4 38/48] netfilter: nf_conntrack_pptp: fix compilation warning with W=1 build Greg Kroah-Hartman
2020-06-01 17:53 ` [PATCH 4.4 39/48] mm: remove VM_BUG_ON(PageSlab()) from page_mapcount() Greg Kroah-Hartman
2020-06-01 17:53 ` [PATCH 4.4 40/48] drm/fb-helper: Use proper plane mask for fb cleanup Greg Kroah-Hartman
2020-06-01 17:53 ` [PATCH 4.4 41/48] genirq/generic_pending: Do not lose pending affinity update Greg Kroah-Hartman
2020-06-01 17:53 ` [PATCH 4.4 42/48] usb: renesas_usbhs: gadget: fix spin_lock_init() for &uep->lock Greg Kroah-Hartman
2020-06-01 17:53 ` [PATCH 4.4 43/48] mac80211: fix memory leak Greg Kroah-Hartman
2020-06-01 17:53 ` [PATCH 4.4 44/48] net: rtnl_configure_link: fix dev flags changes arg to __dev_notify_flags Greg Kroah-Hartman
2020-06-01 17:53 ` [PATCH 4.4 45/48] mm/vmalloc.c: dont dereference possible NULL pointer in __vunmap() Greg Kroah-Hartman
2020-06-01 17:53 ` [PATCH 4.4 46/48] asm-prototypes: Clear any CPP defines before declaring the functions Greg Kroah-Hartman
2020-06-01 17:53 ` [PATCH 4.4 47/48] sc16is7xx: move label err_spi to correct section Greg Kroah-Hartman
2020-06-01 17:53 ` Greg Kroah-Hartman [this message]
2020-06-01 22:14 ` [PATCH 4.4 00/48] 4.4.226-rc1 review Chris Paterson
2020-06-02 2:06 ` Sasha Levin
2020-06-02 9:07 ` Chris Paterson
2020-06-02 10:24 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200601174005.784720752@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=ben.hutchings@codethink.co.uk \
--cc=jcrouse@codeaurora.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@roeck-us.net \
--cc=robdclark@gmail.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).