It's dangerous to call drm_crtc_init_with_planes() whose second argument is allocated with devm_kzalloc() [1][2]. Use drmm_kzalloc instead to avoid UAF.
[1] https://lore.kernel.org/all/a830685d8b10a00cfe0a86db1ee9fb13@xxxxxxxxx
[2] https://lore.kernel.org/all/2111196.TG1k3f53YQ@avalon
Fixes: bbbe775ec5b5 ("drm: Add support for Amlogic Meson Graphic Controller")
Signed-off-by: Zhang Kunbo <zhangkunbo@xxxxxxxxxx>
---
 drivers/gpu/drm/meson/meson_crtc.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/gpu/drm/meson/meson_crtc.c b/drivers/gpu/drm/meson/meson_crtc.c
index d70616da8ce2..603022554a48 100644
--- a/drivers/gpu/drm/meson/meson_crtc.c
+++ b/drivers/gpu/drm/meson/meson_crtc.c
@@ -17,6 +17,7 @@
 #include <drm/drm_print.h>
 #include <drm/drm_probe_helper.h>
 #include <drm/drm_vblank.h>
+#include <drm/drm_managed.h>
 
 #include "meson_crtc.h"
 #include "meson_plane.h"
@@ -72,7 +73,6 @@ static void meson_crtc_disable_vblank(struct drm_crtc *crtc)
 static const struct drm_crtc_funcs meson_crtc_funcs = {
 .atomic_destroy_state = drm_atomic_helper_crtc_destroy_state,
 .atomic_duplicate_state = drm_atomic_helper_crtc_duplicate_state,
- .destroy = drm_crtc_cleanup,
 .page_flip = drm_atomic_helper_page_flip,
 .reset = drm_atomic_helper_crtc_reset,
 .set_config = drm_atomic_helper_set_config,
@@ -677,14 +677,14 @@ int meson_crtc_create(struct meson_drm *priv)
 struct drm_crtc *crtc;
 int ret;
 
- meson_crtc = devm_kzalloc(priv->drm->dev, sizeof(*meson_crtc),
+ meson_crtc = drmm_kzalloc(priv->drm, sizeof(*meson_crtc),
 GFP_KERNEL);
 if (!meson_crtc)
 return -ENOMEM;
 
 meson_crtc->priv = priv;
 crtc = &meson_crtc->base;
- ret = drm_crtc_init_with_planes(priv->drm, crtc,
+ ret = drmm_crtc_init_with_planes(priv->drm, crtc,
 priv->primary_plane, NULL,
 &meson_crtc_funcs, "meson_crtc");
 if (ret) {
-- 
2.34.1
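Review bot: In the meson_crtc_create() hunk the CRTC object now lives until the last drm_device reference is dropped, but it still stores `priv` (`meson_crtc->priv = priv;`) and is registered against `priv->primary_plane`, and neither allocation is visible in this patch. If either of them is still devm-managed (worth checking where `struct meson_drm` and the planes are allocated), CRTC callbacks that run after the platform device is unbound while a DRM file descriptor is still open would read freed memory, so the use-after-free window would be narrowed rather than closed. I would also add a short comment above `meson_crtc_funcs`, for example `/* no .destroy: cleanup is registered by drmm_crtc_init_with_planes() */`, so the hook is not re-added later. The body of meson_crtc_create() starts before and continues past this hunk, so the error path after `if (ret) {` was not reviewed.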