smatch reports a warning as follows:

drivers/gpu/drm/drm_bufs.c:365 drm_addmap_core() warn: '&list->head' not removed from list

If drm_map_handle() fails in drm_addmap_core(), the list will be freed, but the list->head will not be removed from dev->maplist, then list traversal may cause UAF. Fix by removing it from list->head before free().

Fixes: 9a298b2acd77 ("drm: Remove memory debugging infrastructure.")
Signed-off-by: Yi Yang <yiyang13@xxxxxxxxxx>
--- drivers/gpu/drm/drm_bufs.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/gpu/drm/drm_bufs.c b/drivers/gpu/drm/drm_bufs.c index fcca21e8efac..e739e577902c 100644 --- a/drivers/gpu/drm/drm_bufs.c +++ b/drivers/gpu/drm/drm_bufs.c @@ -362,6 +362,7 @@ static int drm_addmap_core(struct drm_device *dev, resource_size_t offset, if (map->type == _DRM_REGISTERS) iounmap(map->handle); kfree(map); + list_del(&list->head); kfree(list); mutex_unlock(&dev->struct_mutex); return ret; -- 2.17.1
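
Review bot: In the error path at @@ -362,6 +362,7, list_del(&list->head) comes after kfree(map), so the entry is still linked on dev->maplist while map has already been freed. The unlink does happen before mutex_unlock(&dev->struct_mutex), so a traversal that takes that mutex will not observe the window, but moving list_del(&list->head) ahead of the iounmap()/kfree(map) lines would mean the entry is never reachable from dev->maplist while its teardown is in progress, and would not rely on every reader holding the mutex. The commit message also says the fix removes it "from list->head", whereas the added line removes list->head from dev->maplist; rewording that sentence would make the message match the code.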