diff options
author | Dmitry Osipenko <dmitry.osipenko@collabora.com> | 2022-10-30 18:44:12 +0300 |
---|---|---|
committer | Dmitry Osipenko <dmitry.osipenko@collabora.com> | 2022-11-02 13:53:57 +0300 |
commit | 444bbba708e804c13ad757068d1cb31ed6460754 (patch) | |
tree | 14030bfb4b2a36beeb838b3d75766b54b4596aa5 /drivers/gpu | |
parent | d3292daee319581d0a502fcd8ef3c3c285a1750a (diff) | |
download | linux-444bbba708e804c13ad757068d1cb31ed6460754.tar.xz |
drm/client: Prevent NULL dereference in drm_client_buffer_delete()
The drm_gem_vunmap() will crash with a NULL dereference if the passed
object pointer is NULL. It wasn't a problem before we added the locking
support to drm_gem_vunmap function because the mapping argument was always
NULL together with the object. Make drm_client_buffer_delete() to check
whether GEM is NULL before trying to unmap the GEM, it will happen on
framebuffer creation error.
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Link: https://lore.kernel.org/dri-devel/Y1kFEGxT8MVlf32V@kili/
Fixes: 79e2cf2e7a19 ("drm/gem: Take reservation lock for vmap/vunmap operations")
Signed-off-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20221030154412.8320-3-dmitry.osipenko@collabora.com
Diffstat (limited to 'drivers/gpu')
-rw-r--r-- | drivers/gpu/drm/drm_client.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/drivers/gpu/drm/drm_client.c b/drivers/gpu/drm/drm_client.c index 38e1be991caa..fd67efe37c63 100644 --- a/drivers/gpu/drm/drm_client.c +++ b/drivers/gpu/drm/drm_client.c @@ -235,10 +235,10 @@ static void drm_client_buffer_delete(struct drm_client_buffer *buffer) { struct drm_device *dev = buffer->client->dev; - drm_gem_vunmap_unlocked(buffer->gem, &buffer->map); - - if (buffer->gem) + if (buffer->gem) { + drm_gem_vunmap_unlocked(buffer->gem, &buffer->map); drm_gem_object_put(buffer->gem); + } if (buffer->handle) drm_mode_destroy_dumb(dev, buffer->handle, buffer->client->file); |