Skip to content

Commit

Permalink
drm/imagination: Fix error path in pvr_vm_create_context
Browse files Browse the repository at this point in the history
It is possible to double free the vm_ctx->mmu_ctx object in this
function.

    630 err_page_table_destroy:
--> 631         pvr_mmu_context_destroy(vm_ctx->mmu_ctx);

The pvr_vm_context_put() function does:

        kref_put(&vm_ctx->ref_count, pvr_vm_context_release);

Here the pvr_vm_context_release() will call:

        pvr_mmu_context_destroy(vm_ctx->mmu_ctx);

Refactor to an unwind style.

Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Donald Robson <donald.robson@imgtec.com>
Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Maxime Ripard <mripard@kernel.org>
Link: https://patchwork.freedesktop.org/patch/msgid/20231213144431.94956-2-donald.robson@imgtec.com
  • Loading branch information
Donald Robson authored and Maxime Ripard committed Dec 15, 2023
1 parent f175498 commit 8a53e29
Showing 1 changed file with 13 additions and 15 deletions.
28 changes: 13 additions & 15 deletions drivers/gpu/drm/imagination/pvr_vm.c
Original file line number Diff line number Diff line change
Expand Up @@ -556,23 +556,12 @@ pvr_vm_create_context(struct pvr_device *pvr_dev, bool is_userspace_context)
if (!vm_ctx)
return ERR_PTR(-ENOMEM);

drm_gem_private_object_init(&pvr_dev->base, &vm_ctx->dummy_gem, 0);

vm_ctx->pvr_dev = pvr_dev;
kref_init(&vm_ctx->ref_count);
mutex_init(&vm_ctx->lock);

drm_gpuvm_init(&vm_ctx->gpuvm_mgr,
is_userspace_context ? "PowerVR-user-VM" : "PowerVR-FW-VM",
0, &pvr_dev->base, &vm_ctx->dummy_gem,
0, 1ULL << device_addr_bits, 0, 0, &pvr_vm_gpuva_ops);

vm_ctx->mmu_ctx = pvr_mmu_context_create(pvr_dev);
err = PTR_ERR_OR_ZERO(vm_ctx->mmu_ctx);
if (err) {
vm_ctx->mmu_ctx = NULL;
goto err_put_ctx;
}
if (err)
goto err_free;

if (is_userspace_context) {
err = pvr_fw_object_create(pvr_dev, sizeof(struct rogue_fwif_fwmemcontext),
Expand All @@ -583,13 +572,22 @@ pvr_vm_create_context(struct pvr_device *pvr_dev, bool is_userspace_context)
goto err_page_table_destroy;
}

drm_gem_private_object_init(&pvr_dev->base, &vm_ctx->dummy_gem, 0);
drm_gpuvm_init(&vm_ctx->gpuvm_mgr,
is_userspace_context ? "PowerVR-user-VM" : "PowerVR-FW-VM",
0, &pvr_dev->base, &vm_ctx->dummy_gem,
0, 1ULL << device_addr_bits, 0, 0, &pvr_vm_gpuva_ops);

mutex_init(&vm_ctx->lock);
kref_init(&vm_ctx->ref_count);

return vm_ctx;

err_page_table_destroy:
pvr_mmu_context_destroy(vm_ctx->mmu_ctx);

err_put_ctx:
pvr_vm_context_put(vm_ctx);
err_free:
kfree(vm_ctx);

return ERR_PTR(err);
}
Expand Down

0 comments on commit 8a53e29

Please sign in to comment.