diff options
| author | Donald Robson <donald.robson@imgtec.com> | 2023-12-13 14:44:31 +0000 |
|---|---|---|
| committer | Maxime Ripard <mripard@kernel.org> | 2023-12-15 14:04:21 +0100 |
| commit | 8a53e29fe05c56f643eaab285f224c09b9c3dd4c (patch) | |
| tree | 1c544f78b00f29a08567e6c0f6eae7f6621f2d8d /drivers/gpu/drm/imagination | |
| parent | f175498378bdae2ebcf61170a2a866cb96e8a69a (diff) | |
drm/imagination: Fix error path in pvr_vm_create_context
It is possible to double free the vm_ctx->mmu_ctx object in this
function.
630 err_page_table_destroy:
--> 631 pvr_mmu_context_destroy(vm_ctx->mmu_ctx);
The pvr_vm_context_put() function does:
kref_put(&vm_ctx->ref_count, pvr_vm_context_release);
Here the pvr_vm_context_release() will call:
pvr_mmu_context_destroy(vm_ctx->mmu_ctx);
Refactor to an unwind style.
Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Donald Robson <donald.robson@imgtec.com>
Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Maxime Ripard <mripard@kernel.org>
Link: https://patchwork.freedesktop.org/patch/msgid/20231213144431.94956-2-donald.robson@imgtec.com
Diffstat (limited to 'drivers/gpu/drm/imagination')
| -rw-r--r-- | drivers/gpu/drm/imagination/pvr_vm.c | 28 |
1 files changed, 13 insertions, 15 deletions
diff --git a/drivers/gpu/drm/imagination/pvr_vm.c b/drivers/gpu/drm/imagination/pvr_vm.c index 598d79d7c7d0..e59517ba039e 100644 --- a/drivers/gpu/drm/imagination/pvr_vm.c +++ b/drivers/gpu/drm/imagination/pvr_vm.c @@ -556,23 +556,12 @@ pvr_vm_create_context(struct pvr_device *pvr_dev, bool is_userspace_context) if (!vm_ctx) return ERR_PTR(-ENOMEM); - drm_gem_private_object_init(&pvr_dev->base, &vm_ctx->dummy_gem, 0); - vm_ctx->pvr_dev = pvr_dev; - kref_init(&vm_ctx->ref_count); - mutex_init(&vm_ctx->lock); - - drm_gpuvm_init(&vm_ctx->gpuvm_mgr, - is_userspace_context ? "PowerVR-user-VM" : "PowerVR-FW-VM", - 0, &pvr_dev->base, &vm_ctx->dummy_gem, - 0, 1ULL << device_addr_bits, 0, 0, &pvr_vm_gpuva_ops); vm_ctx->mmu_ctx = pvr_mmu_context_create(pvr_dev); err = PTR_ERR_OR_ZERO(vm_ctx->mmu_ctx); - if (err) { - vm_ctx->mmu_ctx = NULL; - goto err_put_ctx; - } + if (err) + goto err_free; if (is_userspace_context) { err = pvr_fw_object_create(pvr_dev, sizeof(struct rogue_fwif_fwmemcontext), @@ -583,13 +572,22 @@ pvr_vm_create_context(struct pvr_device *pvr_dev, bool is_userspace_context) goto err_page_table_destroy; } + drm_gem_private_object_init(&pvr_dev->base, &vm_ctx->dummy_gem, 0); + drm_gpuvm_init(&vm_ctx->gpuvm_mgr, + is_userspace_context ? "PowerVR-user-VM" : "PowerVR-FW-VM", + 0, &pvr_dev->base, &vm_ctx->dummy_gem, + 0, 1ULL << device_addr_bits, 0, 0, &pvr_vm_gpuva_ops); + + mutex_init(&vm_ctx->lock); + kref_init(&vm_ctx->ref_count); + return vm_ctx; err_page_table_destroy: pvr_mmu_context_destroy(vm_ctx->mmu_ctx); -err_put_ctx: - pvr_vm_context_put(vm_ctx); +err_free: + kfree(vm_ctx); return ERR_PTR(err); } |