This is a note to let you know that I've just added the patch titled

    drm/msm: don't deref error pointer in the msm_fbdev_create error path

to the 4.16-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
    drm-msm-don-t-deref-error-pointer-in-the-msm_fbdev_create-error-path.patch
and it can be found in the queue-4.16 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From foo@baz Sun Jun 17 12:07:33 CEST 2018
From: Emil Velikov <emil.velikov@xxxxxxxxxxxxx>
Date: Wed, 28 Mar 2018 17:22:16 +0100
Subject: drm/msm: don't deref error pointer in the msm_fbdev_create error path

From: Emil Velikov <emil.velikov@xxxxxxxxxxxxx>

[ Upstream commit 789d4c300e10eb2096ee83c3497118e67ccc951e ]

Currently the error pointer returned by msm_alloc_stolen_fb gets passed
to drm_framebuffer_remove. The latter handles only NULL pointers, thus
a nasty crash will occur.

Drop the unnecessary fail label and the associated checks - both err and
fb will be set at this stage.

Cc: Rob Clark <robdclark@xxxxxxxxx>
Cc: linux-arm-msm@xxxxxxxxxxxxxxx
Cc: dri-devel@xxxxxxxxxxxxxxxxxxxxx
Cc: freedreno@xxxxxxxxxxxxxxxxxxxxx
Signed-off-by: Emil Velikov <emil.velikov@xxxxxxxxxxxxx>
Signed-off-by: Rob Clark <robdclark@xxxxxxxxx>
Signed-off-by: Sasha Levin <alexander.levin@xxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 drivers/gpu/drm/msm/msm_fbdev.c | 11 ++---------
 1 file changed, 2 insertions(+), 9 deletions(-)

--- a/drivers/gpu/drm/msm/msm_fbdev.c +++ b/drivers/gpu/drm/msm/msm_fbdev.c @@ -92,8 +92,7 @@ static int msm_fbdev_create(struct drm_f if (IS_ERR(fb)) { dev_err(dev->dev, "failed to allocate fb\n"); - ret = PTR_ERR(fb); - goto fail; + return PTR_ERR(fb); } bo = msm_framebuffer_bo(fb, 0); 
@@ -151,13 +150,7 @@ static int msm_fbdev_create(struct drm_f fail_unlock: mutex_unlock(&dev->struct_mutex); -fail: - - if (ret) { - if (fb) - drm_framebuffer_remove(fb); - } - + drm_framebuffer_remove(fb); return ret; }


Patches currently in stable-queue which might be from emil.velikov@xxxxxxxxxxxxx are

queue-4.16/drm-omap-fix-possible-null-ref-issue-in-tiler_reserve_2d.patch
queue-4.16/drm-omap-fix-uninitialized-ret-variable.patch
queue-4.16/drm-msm-don-t-deref-error-pointer-in-the-msm_fbdev_create-error-path.patch
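
Review bot: in the IS_ERR(fb) branch of the first hunk (@@ -92,8 +92,7 @@), the new "return PTR_ERR(fb);" bypasses every cleanup label, so it is correct only if nothing acquired earlier in msm_fbdev_create needs unwinding at that point. The removed lines jumped to "fail", which sat below mutex_unlock(&dev->struct_mutex), so the lock was evidently not held here and the early return is consistent with that. The hunk context does not show what runs before the allocation, though, so it would help for the commit message to state that no earlier resource needs releasing on this path.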
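
Review bot: at the fail_unlock label in the second hunk (@@ -151,13 +150,7 @@), drm_framebuffer_remove(fb) is now unconditional, with both the "if (ret)" and "if (fb)" guards removed, so correctness depends on the success path returning before this label and on every "goto fail_unlock" being taken with a valid, non-error fb. Neither condition is visible in the hunk; the commit message asserts it ("both err and fb will be set at this stage", where the variable in the code is ret). Suggest a short comment above the label saying it is reached only on error with a valid fb, and consider renaming the label, since it now tears down the framebuffer as well as dropping the mutex.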