From: Pavel Skripkin
To: gustavoars@kernel.org, sam@ravnborg.org, tomi.valkeinen@ti.com
Cc: linux-omap@vger.kernel.org, linux-fbdev@vger.kernel.org, dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org, linux-kernel-mentees@lists.linuxfoundation.org, Pavel Skripkin
Subject: [PATCH] OMAP: DSS2: OMAPFB: fix potential GPF
Date: Sat, 26 Jun 2021 01:33:23 +0300
Message-Id: <20210625223323.13930-1-paskripkin@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

In case of allocation failures, all code paths were jumping to this code:

err:
	kfree(fbi);
	kfree(var);
	kfree(fbops);
	return r;

Since all 3 pointers are placed on the stack and are not initialized, they
will be filled with some random values, which leads to dereferencing random
pointers in kfree(). Fix it by rewriting the error handling path.

Fixes: 897044e99e43 ("OMAP: DSS2: OMAPFB: Reduce stack usage")
Signed-off-by: Pavel Skripkin
---
 .../video/fbdev/omap2/omapfb/omapfb-main.c | 21 +++++++++----------
 1 file changed, 10 insertions(+), 11 deletions(-)
diff --git a/drivers/video/fbdev/omap2/omapfb/omapfb-main.c b/drivers/video/fbdev/omap2/omapfb/omapfb-main.c index a3decc7fadde..6a302138ebeb 100644 --- a/drivers/video/fbdev/omap2/omapfb/omapfb-main.c +++ b/drivers/video/fbdev/omap2/omapfb/omapfb-main.c @@ -2025,21 +2025,19 @@ static int omapfb_mode_to_timings(const char *mode_str, fbops = NULL; fbi = kzalloc(sizeof(*fbi), GFP_KERNEL); - if (fbi == NULL) { - r = -ENOMEM; - goto err; - } + if (fbi == NULL) + return -ENOMEM; var = kzalloc(sizeof(*var), GFP_KERNEL); if (var == NULL) { r = -ENOMEM; - goto err; + goto err_var; } fbops = kzalloc(sizeof(*fbops), GFP_KERNEL); if (fbops == NULL) { r = -ENOMEM; - goto err; + goto err_fbops; } fbi->fbops = fbops; @@ -2047,7 +2045,7 @@ static int omapfb_mode_to_timings(const char *mode_str, r = fb_find_mode(var, fbi, mode_str, NULL, 0, NULL, 24); if (r == 0) { r = -EINVAL; - goto err; + goto err_find; } if (display->driver->get_timings) { @@ -2088,11 +2086,12 @@ static int omapfb_mode_to_timings(const char *mode_str, r = 0; -err: - kfree(fbi); - kfree(var); +err_find: kfree(fbops); - +err_fbops: + kfree(var); +err_var: + kfree(fbi); return r; } -- 2.32.0
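Review bot: the context line `fbops = NULL;` at the top of the first hunk shows that at least one of the three pointers is assigned NULL before the first kzalloc(), which does not match the changelog's statement that they are uninitialized. The lines just above the hunk are not visible here; if fbi and var are set to NULL in the same place, the old `err:` path only ever passed NULL or a valid allocation to kfree(), and kfree(NULL) is a no-op, so there would be no random-pointer free to fix. Please quote the declaration and initialisation lines in the changelog, or, if all three are NULL-initialized, drop the Fixes: tag and resend this as a cleanup.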
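Review bot: in the last hunk the labels are named after the step that failed rather than after what they release, so `err_var:` frees fbi and `err_fbops:` frees var, and the success path (`r = 0;`) falls through `err_find:` to free all three. The unwind order is the reverse of the allocation order and looks correct, but the names read as if each label frees the object it mentions. Consider naming the labels by action (for example free_fbops, free_var, free_fbi, as suggested names only) and adding a short comment above the first label saying the success path deliberately shares the unwind, so a later change does not insert a `return 0;` before it and leak the three buffers.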