Skip to content

Commit

Permalink
drm/vkms: Fix use after free and double free on init error
Browse files Browse the repository at this point in the history 
[ Upstream commit ed15511 ]

If the driver initialization fails, the vkms_exit() function might
access an uninitialized or freed default_config pointer and it might
double free it.

Fix both possible errors by initializing default_config only when the
driver initialization succeeded.

Reported-by: Louis Chauvet <louis.chauvet@bootlin.com>
Closes: https://lore.kernel.org/all/Z5uDHcCmAwiTsGte@louis-chauvet-laptop/
Fixes: 2df7af9 ("drm/vkms: Add vkms_config type")
Signed-off-by: José Expósito <jose.exposito89@gmail.com>
Reviewed-by: Thomas Zimmermann <tzimmremann@suse.de>
Reviewed-by: Louis Chauvet <louis.chauvet@bootlin.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20250212084912.3196-1-jose.exposito89@gmail.com
Signed-off-by: Louis Chauvet <louis.chauvet@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
  • Loading branch information
José Expósito authored and Greg Kroah-Hartman committed Apr 10, 2025
1 parent e2b3107 commit 561fc0c
Showing 1 changed file with 9 additions and 6 deletions.
15 changes: 9 additions & 6 deletions drivers/gpu/drm/vkms/vkms_drv.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -243,17 +243,19 @@ static int __init vkms_init(void)
if (!config)
return -ENOMEM;

default_config = config;

config->cursor = enable_cursor;
config->writeback = enable_writeback;
config->overlay = enable_overlay;

ret = vkms_create(config);
if (ret)
if (ret) {
kfree(config);
return ret;
}

return ret;
default_config = config;

return 0;
}

static void vkms_destroy(struct vkms_config *config)
Expand All @@ -277,9 +279,10 @@ static void vkms_destroy(struct vkms_config *config)

static void __exit vkms_exit(void)
{
if (default_config->dev)
vkms_destroy(default_config);
if (!default_config)
return;

vkms_destroy(default_config);
kfree(default_config);
}

Expand Down

0 comments on commit 561fc0c

Please sign in to comment.