Received: by 2002:ac0:a581:0:0:0:0:0 with SMTP id m1-v6csp3080028imm; Sun, 1 Jul 2018 11:48:32 -0700 (PDT) X-Google-Smtp-Source: ADUXVKIsrguNU3R1jWp3BnFAx4AsEHsEgJ2EImqKovrIkSI2q61rDmqWVMzrzvnS9E5E4+YEq0XG X-Received: by 2002:a17:902:d716:: with SMTP id w22-v6mr22838607ply.98.1530470912630; Sun, 01 Jul 2018 11:48:32 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1530470912; cv=none; d=google.com; s=arc-20160816; b=Jslbbd7U+sll0PkNZ9fMaa3wTTS5GzkPze1ZR0u/411XOjafuFVRitrfQMVk+nvPcg ZYTM8uCp1J1de6FD/6l3z1V/d0UOk5dMkD8zyS9jYvpOJ6gcICNMdQW/tL+EiAWtKyWa CYxAhMgj5X9k2/Xedl3UvO+5/8u22eZr7r4ezLzGqddUXtAu/7DFFiOkqp5/N8E99pNI bIOsqloDRcvV7b9teWRf8cQ+aL1KKYn0RGOp8a/kaOuKkBJlCQ3h6WJFrWvKwDIDf+bI MuYutTlQS29X2D5/QVdi40TWlvR19BiiI2KoCdu5OMsoFsaEeRP98sgFYlF4gldZ6uKo XrPg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :in-reply-to:message-id:date:subject:cc:to:from :arc-authentication-results; bh=D1ZZRUxuJKXeZl03XpOjZRHUBxJnaujRsIxEoSW6ak0=; b=DmsCM63/7r9SY+EfkWk5FH0XympDevtInoB2i7U6yuIMheSAub7zQ58EOwv1cBEn0Y eKzMkRbS7x8eCLC6eWES+ssv57xSVvKg5YQSh4HqTs9kUrnXN+Ekw4BYTsIr+rgl4Nph hTxuqA+al68kQ/nIkPeNpuA3zjDqHWmsmTODu39n8L5LElYBdgy/ZOZ7AzSDSRjS0LrG EYDjJ59r/VPQ2uBhMV2jYBMwvueAAyJvM3bhWADkSZ6Ohh4Bgze3HCPqoiLw+44wGSWe TepfSxWi/fX+0UVDzGw8rym/U8x+P5YKxmKUb/7RlmEZLwmi4GZI20iboL/Mw+2gkIuv 87Vw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id t19-v6si12909837pgb.196.2018.07.01.11.48.18; Sun, 01 Jul 2018 11:48:32 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752732AbeGAQLn (ORCPT + 99 others); Sun, 1 Jul 2018 12:11:43 -0400 Received: from mail.linuxfoundation.org ([140.211.169.12]:59756 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752670AbeGAQLi (ORCPT ); Sun, 1 Jul 2018 12:11:38 -0400 Received: from localhost (LFbn-1-12247-202.w90-92.abo.wanadoo.fr [90.92.61.202]) by mail.linuxfoundation.org (Postfix) with ESMTPSA id 2F37FAD8; Sun, 1 Jul 2018 16:11:37 +0000 (UTC) From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Ben Hutchings , Jordan Crouse , Rob Clark , Sasha Levin Subject: [PATCH 3.18 09/85] drm/msm: Fix possible null dereference on failure of get_pages() Date: Sun, 1 Jul 2018 18:01:27 +0200 Message-Id: <20180701153122.731952098@linuxfoundation.org> X-Mailer: git-send-email 2.18.0 In-Reply-To: <20180701153122.365061142@linuxfoundation.org> References: <20180701153122.365061142@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 3.18-stable review patch. If anyone has any objections, please let me know. ------------------ From: Ben Hutchings [ Upstream commit 3976626ea3d2011f8fd3f3a47070a8b792018253 ] Commit 62e3a3e342af changed get_pages() to initialise msm_gem_object::pages before trying to initialise msm_gem_object::sgt, so that put_pages() would properly clean up pages in the failure case. However, this means that put_pages() now needs to check that msm_gem_object::sgt is not null before trying to clean it up, and this check was only applied to part of the cleanup code. Move it all into the conditional block. (Strictly speaking we don't need to make the kfree() conditional, but since we can't avoid checking for null ourselves we may as well do so.) Fixes: 62e3a3e342af ("drm/msm: fix leak in failed get_pages") Signed-off-by: Ben Hutchings Reviewed-by: Jordan Crouse Signed-off-by: Rob Clark Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- drivers/gpu/drm/msm/msm_gem.c | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) --- a/drivers/gpu/drm/msm/msm_gem.c +++ b/drivers/gpu/drm/msm/msm_gem.c @@ -110,17 +110,19 @@ static void put_pages(struct drm_gem_obj struct msm_gem_object *msm_obj = to_msm_bo(obj); if (msm_obj->pages) { - /* For non-cached buffers, ensure the new pages are clean - * because display controller, GPU, etc. are not coherent: - */ - if (msm_obj->flags & (MSM_BO_WC|MSM_BO_UNCACHED)) - dma_unmap_sg(obj->dev->dev, msm_obj->sgt->sgl, - msm_obj->sgt->nents, DMA_BIDIRECTIONAL); + if (msm_obj->sgt) { + /* For non-cached buffers, ensure the new + * pages are clean because display controller, + * GPU, etc. are not coherent: + */ + if (msm_obj->flags & (MSM_BO_WC|MSM_BO_UNCACHED)) + dma_unmap_sg(obj->dev->dev, msm_obj->sgt->sgl, + msm_obj->sgt->nents, + DMA_BIDIRECTIONAL); - if (msm_obj->sgt) sg_free_table(msm_obj->sgt); - - kfree(msm_obj->sgt); + kfree(msm_obj->sgt); + } if (iommu_present(&platform_bus_type)) drm_gem_put_pages(obj, msm_obj->pages, true, false);