From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Ben Hutchings, Jordan Crouse, Rob Clark, Sasha Levin
Subject: [PATCH 4.16 057/279] drm/msm: Fix possible null dereference on failure of get_pages()
Date: Mon, 18 Jun 2018 10:10:42 +0200
Message-Id: <20180618080611.195804843@linuxfoundation.org>
In-Reply-To: <20180618080608.851973560@linuxfoundation.org>

4.16-stable review patch. If anyone has any objections, please let me know.

------------------

From: Ben Hutchings [ Upstream commit 3976626ea3d2011f8fd3f3a47070a8b792018253 ] Commit 62e3a3e342af changed get_pages() to initialise msm_gem_object::pages before trying to initialise msm_gem_object::sgt, so that put_pages() would properly clean up pages in the failure case. However, this means that put_pages() now needs to check that msm_gem_object::sgt is not null before trying to clean it up, and this check was only applied to part of the cleanup code. Move it all into the conditional block. (Strictly speaking we don't need to make the kfree() conditional, but since we can't avoid checking for null ourselves we may as well do so.) Fixes: 62e3a3e342af ("drm/msm: fix leak in failed get_pages") Signed-off-by: Ben Hutchings Reviewed-by: Jordan Crouse Signed-off-by: Rob Clark Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- drivers/gpu/drm/msm/msm_gem.c | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) --- a/drivers/gpu/drm/msm/msm_gem.c +++ b/drivers/gpu/drm/msm/msm_gem.c @@ -132,17 +132,19 @@ static void put_pages(struct drm_gem_obj struct msm_gem_object *msm_obj = to_msm_bo(obj); if (msm_obj->pages) { - /* For non-cached buffers, ensure the new pages are clean - * because display controller, GPU, etc. are not coherent: - */ - if (msm_obj->flags & (MSM_BO_WC|MSM_BO_UNCACHED)) - dma_unmap_sg(obj->dev->dev, msm_obj->sgt->sgl, - msm_obj->sgt->nents, DMA_BIDIRECTIONAL); + if (msm_obj->sgt) { + /* For non-cached buffers, ensure the new + * pages are clean because display controller, + * GPU, etc. are not coherent: + */ + if (msm_obj->flags & (MSM_BO_WC|MSM_BO_UNCACHED)) + dma_unmap_sg(obj->dev->dev, msm_obj->sgt->sgl, + msm_obj->sgt->nents, + DMA_BIDIRECTIONAL); - if (msm_obj->sgt) sg_free_table(msm_obj->sgt); - - kfree(msm_obj->sgt); + kfree(msm_obj->sgt); + } if (use_pages(obj)) drm_gem_put_pages(obj, msm_obj->pages, true, false);
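
Review bot: inside the new `if (msm_obj->sgt)` block in put_pages(), `kfree(msm_obj->sgt)` is not followed by a reset of the pointer in the lines shown, so the null check this fix depends on only holds the first time through. Consider adding `msm_obj->sgt = NULL;` right after the kfree() so that a later cleanup pass cannot reach dma_unmap_sg() or sg_free_table() with a freed table. The guard also assumes that the get_pages() failure path leaves msm_obj->sgt as NULL and not as an error-encoded pointer, which a plain `if (msm_obj->sgt)` test would treat as valid; that path is outside this hunk, so it is worth stating in the commit message or a comment that the failure path stores NULL there.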