From cf19fa2cfa4e9b5458b6f3503c5317dd1a2bfbae Mon Sep 17 00:00:00 2001
From: Noralf Trønnes
Date: Thu, 12 Jul 2018 17:04:14 +0200
Subject: drm/client: Fix double free in error path
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This fixes a static checker warning: drivers/gpu/drm/drm_client.c:289 drm_client_buffer_create() error: double free of 'buffer' Extend drm_client_buffer_delete() to handle the case when there's no dumb buffer attached and drop the extra kfree.
Fixes: c76f0f7cb546 ("drm: Begin an API for in-kernel clients")
Reported-by: Dan Carpenter
Cc: Daniel Vetter
Signed-off-by: Noralf Trønnes
Reviewed-by: Daniel Vetter
Link: https://patchwork.freedesktop.org/patch/msgid/20180712150414.46908-1-noralf@tronnes.org
---
 drivers/gpu/drm/drm_client.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
(limited to 'drivers/gpu/drm/drm_client.c')
diff --git a/drivers/gpu/drm/drm_client.c b/drivers/gpu/drm/drm_client.c
index 9b142f58d489..baff50a4c234 100644
--- a/drivers/gpu/drm/drm_client.c
+++ b/drivers/gpu/drm/drm_client.c
@@ -218,7 +218,9 @@ static void drm_client_buffer_delete(struct drm_client_buffer *buffer)
 if (buffer->gem)
 drm_gem_object_put_unlocked(buffer->gem);
- drm_mode_destroy_dumb(dev, buffer->handle, buffer->client->file);
+ if (buffer->handle)
+ drm_mode_destroy_dumb(dev, buffer->handle, buffer->client->file);
+
 kfree(buffer);
 }
@@ -243,7 +245,7 @@ drm_client_buffer_create(struct drm_client_dev *client, u32 width, u32 height, u
 dumb_args.bpp = drm_format_plane_cpp(format, 0) * 8;
 ret = drm_mode_create_dumb(dev, &dumb_args, client->file);
 if (ret)
- goto err_free;
+ goto err_delete;
 buffer->handle = dumb_args.handle;
 buffer->pitch = dumb_args.pitch;
@@ -276,8 +278,6 @@ drm_client_buffer_create(struct drm_client_dev *client, u32 width, u32 height, u
 err_delete:
 drm_client_buffer_delete(buffer);
-err_free:
- kfree(buffer);
 return ERR_PTR(ret);
 }
--
cgit v1.2.3
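Review bot: The new `if (buffer->handle)` guard in drm_client_buffer_delete() treats a zero handle as "no dumb buffer attached", but nothing in the hunk says why that holds. It appears to rely on the buffer being zero-allocated (the allocation is outside the visible lines), on `buffer->handle` being written only after drm_mode_create_dumb() succeeds (the second hunk shows the assignment after the `if (ret)` check), and on 0 never being a valid handle. Because the second hunk's `goto err_delete` now sends a partially constructed buffer through this function, and a wrong assumption here would skip the destroy and leak the handle, I would add a comment above the guard such as `/* handle is 0 until drm_mode_create_dumb() succeeds; safe to call on a partially constructed buffer */`. The function body starts before the hunk, so how `dev` is derived from `buffer` is not visible; if it reads `buffer->client`, that field must also be set before the first `goto err_delete`.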