On 2019-03-25 10:05 p.m., Kangjie Lu wrote:
> In case alloc_workqueue fails, the fix frees memory and
> returns -ENOMEM to avoid potential NULL pointer dereference.
>
> Signed-off-by: Kangjie Lu <kjlu@xxxxxxx>
> ---
> v2: use radeon_crtc_destroy to properly clean up resources as
> suggested by Michel Dänzer <michel@xxxxxxxxxxx>
>
> [...]
>
> @@ -671,13 +671,18 @@ static void radeon_crtc_init(struct drm_device *dev, int index)
>
> radeon_crtc = kzalloc(sizeof(struct radeon_crtc) + (RADEONFB_CONN_LIMIT * sizeof(struct drm_connector *)), GFP_KERNEL);
> if (radeon_crtc == NULL)
> - return;
> + return -ENOMEM;
>
> drm_crtc_init(dev, &radeon_crtc->base, &radeon_crtc_funcs);
>
> drm_mode_crtc_set_gamma_size(&radeon_crtc->base, 256);
> radeon_crtc->crtc_id = index;
> radeon_crtc->flip_queue = alloc_workqueue("radeon-crtc", WQ_HIGHPRI, 0);
> + if (!radeon_crtc->flip_queue) {
> + DRM_ERROR("failed to allocate the flip queue\n");
> + radeon_crtc_destroy(&radeon_crtc->base);
> + return -ENOMEM;
> + }
radeon_crtc_destroy currently unconditionally calls:
destroy_workqueue(radeon_crtc->flip_queue);
AFAICT destroy_workqueue will blow up if NULL is passed to it, so
radeon_crtc_destroy needs to check for that.
--
Earthling Michel Dänzer | https://www.amd.com
Libre software enthusiast | Mesa and X developer
_______________________________________________
amd-gfx mailing list
amd-gfx@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/amd-gfx
