If it failed in kzalloc, vma will be freed in nvkm_vmm_node_merge. The later use of vma will cause use after free. Reported-by: Zheng Wang <hackerzheng666@xxxxxxxxx> Reported-by: Zhuorao Yang <alex000young@xxxxxxxxx> Fix it by returning to the upper caller as soon as the error occurs. Signed-off-by: Zheng Wang <zyytlz.wz@xxxxxxx> --- drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c b/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c index ae793f400ba1..04befd28f80b 100644 --- a/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c +++ b/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c @@ -1272,8 +1272,7 @@ nvkm_vmm_pfn_map(struct nvkm_vmm *vmm, u8 shift, u64 addr, u64 size, u64 *pfn) page - vmm->func->page, map); if (WARN_ON(!tmp)) { - ret = -ENOMEM; - goto next; + return -ENOMEM; } if ((tmp->mapped = map)) -- 2.25.1
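Review bot: the `return -ENOMEM` that replaces `ret = -ENOMEM; goto next;` in nvkm_vmm_pfn_map skips whatever the `next:` label did for the remaining iterations, and the hunk does not show that label, so please confirm in the changelog that no per-iteration cleanup or lock release is bypassed by the early return and that the caller is expected to handle the partially mapped range (PFNs mapped in earlier iterations stay mapped). The rationale for why returning is safe while `goto next` is not (vma has already been freed by nvkm_vmm_node_merge at that point, so the code after `next:` dereferences freed memory) belongs in the commit message as well. Since this fixes a use-after-free, the message should also carry a `Fixes:` tag naming the commit that introduced the `goto next` path and be marked for stable.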