On 03/12/2021 10:09, Liviu Dudau wrote:
> If drm_universal_plane_init() fails early we jump to the common cleanup code
> that calls komeda_plane_destroy() which in turn could access the uninitalised
> drm_plane and crash. Return early if an error is detected without going through
> the common code.
>
> Reported-by: Steven Price <steven.price@xxxxxxx>
> Signed-off-by: Liviu Dudau <liviu.dudau@xxxxxxx>
Reviewed-by: Steven Price <steven.price@xxxxxxx>
Looks correct, although I note there is a path in
__drm_universal_plane_init() which doesn't clean up properly. I'll send
a patch for that too.
Thanks,
Steve
> ---
> drivers/gpu/drm/arm/display/komeda/komeda_plane.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/gpu/drm/arm/display/komeda/komeda_plane.c b/drivers/gpu/drm/arm/display/komeda/komeda_plane.c
> index aa193c58f4bf6d9..517b94c3bcaf966 100644
> --- a/drivers/gpu/drm/arm/display/komeda/komeda_plane.c
> +++ b/drivers/gpu/drm/arm/display/komeda/komeda_plane.c
> @@ -279,8 +279,10 @@ static int komeda_plane_add(struct komeda_kms_dev *kms,
>
> komeda_put_fourcc_list(formats);
>
> - if (err)
> - goto cleanup;
> + if (err) {
> + kfree(kplane);
> + return err;
> + }
>
> drm_plane_helper_add(plane, &komeda_plane_helper_funcs);
>
>
