In cdns_mhdp_atomic_enable(), there is an error return on failure of
drm_mode_duplicate() which leads to the mutex remaining locked.
Add a mutex unlock call.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: 935a92a1c400 ("drm: bridge: cdns-mhdp8546: Fix possible null pointer dereference")
Signed-off-by: Aleksandr Mishin <[email protected]>
---
This patch is against drm-misc-next branch of drm-misc repo.
drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c b/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c
index 8a91ef0ae065..65a4bd09d9c6 100644
--- a/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c
+++ b/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c
@@ -2059,8 +2059,10 @@ static void cdns_mhdp_atomic_enable(struct drm_bridge *bridge,
mhdp_state = to_cdns_mhdp_bridge_state(new_state);
mhdp_state->current_mode = drm_mode_duplicate(bridge->dev, mode);
- if (!mhdp_state->current_mode)
- return;
+ if (!mhdp_state->current_mode) {
+ ret = -EINVAL;
+ goto out;
+ }
drm_mode_set_name(mhdp_state->current_mode);
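Review bot: In the new error branch, `ret = -EINVAL` is assigned in a function the hunk header shows as `static void`, so the value only matters if the code at `out:` consumes it. Neither that label nor the declaration of `ret` is visible in this hunk, so please confirm that the `out:` path releases the mutex and actually uses `ret`; if it does not use it, drop the assignment and keep only `goto out;`. If the value is kept, -ENOMEM describes a NULL return from drm_mode_duplicate() better than -EINVAL, because that return means the copy of the mode could not be allocated. The commit message says "Add a mutex unlock call", while the change jumps to a label the hunk does not add; wording it as a jump to the existing unlock path would match the diff.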
--
2.30.2
On Fri, Apr 19, 2024 at 02:36:37PM +0300, Aleksandr Mishin wrote:
> In cdns_mhdp_atomic_enable(), there is an error return on failure of
> drm_mode_duplicate() which leads to the mutex remaining locked.
> Add a mutex unlock call.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Fixes: 935a92a1c400 ("drm: bridge: cdns-mhdp8546: Fix possible null pointer dereference")
> Signed-off-by: Aleksandr Mishin <[email protected]>
> ---
> This patch is against drm-misc-next branch of drm-misc repo.
>
> drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
>
Reviewed-by: Dmitry Baryshkov <[email protected]>
--
With best wishes
Dmitry
…
> Add a mutex unlock call.
What do you think about a wording variant like the following?
Extend the exception handling so that the missed mutex_unlock() call
will be performed finally.
Regards,
Markus