From: Wen Yang <wen.yang99@xxxxxxxxxx>
This patch fixes a possible use-after-free in nvmet_rdma_cm_handler,
detected by the semantic patch kfree.cocci, with the following reports:
./drivers/gpu/drm/drm_crtc.c:708:18-31: ERROR: reference preceded by free on line 723
./drivers/gpu/drm/drm_crtc.c:719:7-20: ERROR: reference preceded by free on line 723
./drivers/gpu/drm/drm_crtc.c:723:7-20: ERROR: reference preceded by free on line 723
The following code has potential use-after-free:
585 retry:
586 ret = drm_modeset_lock_all_ctx(crtc->dev, &ctx);
587 if (ret)
588 goto out;
...
713 out:
714 if (fb)
715 drm_framebuffer_put(fb);
716
717 if (connector_set) {
718 for (i = 0; i < crtc_req->count_connectors; i++) {
719 if (connector_set[i])
720 drm_connector_put(connector_set[i]);
721 }
722 }
723 kfree(connector_set);
725 drm_mode_destroy(dev, mode);
726 if (ret == -EDEADLK) {
727 ret = drm_modeset_backoff(&ctx);
728 if (!ret)
729 goto retry;
730 }
Signed-off-by: Wen Yang <wen.yang99@xxxxxxxxxx>
CC: Julia Lawall <julia.lawall@xxxxxxx>
CC: Gustavo Padovan <gustavo@xxxxxxxxxxx>
CC: Maarten Lankhorst <maarten.lankhorst@xxxxxxxxxxxxxxx>
CC: Sean Paul <seanpaul@xxxxxxxxxxxx>
CC: David Airlie <airlied@xxxxxxxx>
CC: dri-devel@xxxxxxxxxxxxxxxxxxxxx
CC: linux-kernel@xxxxxxxxxxxxxxx
---
drivers/gpu/drm/drm_crtc.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/gpu/drm/drm_crtc.c b/drivers/gpu/drm/drm_crtc.c
index 0358388..6315c39 100644
--- a/drivers/gpu/drm/drm_crtc.c
+++ b/drivers/gpu/drm/drm_crtc.c
@@ -721,6 +721,7 @@ int drm_mode_setcrtc(struct drm_device *dev, void *data,
}
}
kfree(connector_set);
+ connector_set = NULL;
drm_mode_destroy(dev, mode);
if (ret == -EDEADLK) {
ret = drm_modeset_backoff(&ctx);
--
2.7.4
_______________________________________________
dri-devel mailing list
dri-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/dri-devel
