summaryrefslogtreecommitdiffstats
path: root/drivers
diff options
context:
space:
mode:
authorDonald Robson <donald.robson@imgtec.com>2023-12-08 16:30:19 +0000
committerMaxime Ripard <mripard@kernel.org>2023-12-15 14:04:08 +0100
commitf1f55ed3ffe4212f5c96106bf6396c461a2bf223 (patch)
tree30da1df3ec62865810378db6309d0f94d13a65d7 /drivers
parentb39610c773431ac7991cf6235e26d693ccabd9e9 (diff)
downloadlinux-stable-f1f55ed3ffe4212f5c96106bf6396c461a2bf223.tar.gz
linux-stable-f1f55ed3ffe4212f5c96106bf6396c461a2bf223.tar.bz2
linux-stable-f1f55ed3ffe4212f5c96106bf6396c461a2bf223.zip
drm/imagination: Fixed oops when misusing ioctl CREATE_HWRT_DATASET
While writing the matching IGT suite I discovered that it's possible to cause a kernel oops when using DRM_IOCTL_PVR_CREATE_HWRT_DATASET when the call to hwrt_init_common_fw_structure() fails. Use an unwind-type error path to avoid cleaning up the object using the the release function before it is fully resolved. Signed-off-by: Donald Robson <donald.robson@imgtec.com> Signed-off-by: Maxime Ripard <mripard@kernel.org> Link: https://patchwork.freedesktop.org/patch/msgid/20231208163019.95913-1-donald.robson@imgtec.com
Diffstat (limited to 'drivers')
-rw-r--r--drivers/gpu/drm/imagination/pvr_hwrt.c27
1 files changed, 14 insertions, 13 deletions
diff --git a/drivers/gpu/drm/imagination/pvr_hwrt.c b/drivers/gpu/drm/imagination/pvr_hwrt.c
index c4213c18489e..54f88d6c01e5 100644
--- a/drivers/gpu/drm/imagination/pvr_hwrt.c
+++ b/drivers/gpu/drm/imagination/pvr_hwrt.c
@@ -458,7 +458,7 @@ pvr_hwrt_dataset_create(struct pvr_file *pvr_file,
struct drm_pvr_ioctl_create_hwrt_dataset_args *args)
{
struct pvr_hwrt_dataset *hwrt;
- int err;
+ int err, i = 0;
/* Create and fill out the kernel structure */
hwrt = kzalloc(sizeof(*hwrt), GFP_KERNEL);
@@ -466,35 +466,36 @@ pvr_hwrt_dataset_create(struct pvr_file *pvr_file,
if (!hwrt)
return ERR_PTR(-ENOMEM);
- kref_init(&hwrt->ref_count);
-
err = hwrt_init_kernel_structure(pvr_file, args, hwrt);
if (err < 0)
goto err_free;
err = hwrt_init_common_fw_structure(pvr_file, args, hwrt);
if (err < 0)
- goto err_free;
+ goto err_fini_kernel_structure;
- for (int i = 0; i < ARRAY_SIZE(hwrt->data); i++) {
+ for (; i < ARRAY_SIZE(hwrt->data); i++) {
err = hwrt_data_init_fw_structure(pvr_file, hwrt, args,
&args->rt_data_args[i],
&hwrt->data[i]);
- if (err < 0) {
- i--;
- /* Destroy already created structures. */
- for (; i >= 0; i--)
- hwrt_data_fini_fw_structure(hwrt, i);
- goto err_free;
- }
+ if (err < 0)
+ goto err_fini_data_structures;
hwrt->data[i].hwrt_dataset = hwrt;
}
+ kref_init(&hwrt->ref_count);
return hwrt;
+err_fini_data_structures:
+ while (--i >= 0)
+ hwrt_data_fini_fw_structure(hwrt, i);
+
+err_fini_kernel_structure:
+ hwrt_fini_kernel_structure(hwrt);
+
err_free:
- pvr_hwrt_dataset_put(hwrt);
+ kfree(hwrt);
return ERR_PTR(err);
}
generated by cgit v1.2.3 (git 2.25.1) at 2024-11-03 16:10:33 +0000