Message ID | 20170330133253.29500-1-daniel.vetter@ffwll.ch (mailing list archive) |
---|---|
State | New, archived |
Reviewed-by: Harry Wentland <harry.wentland@amd.com> On 2017-03-30 09:32 AM, Daniel Vetter wrote: > With the explicit retry loop static analyzers get confused by the > control flow and believe that e could be accessed after kfree. That's > not possible, but it's non-obvious, so let's clear it to NULL. > > We already cleared e = NULL at the top of the function, so this is all > in line. > > Cc: Julia Lawall <julia.lawall@lip6.fr> > Reported-by: Julia Lawall <julia.lawall@lip6.fr> > Fixes: 29dc0d1de182 ("drm: Roll out acquire context for the page_flip ioctl") > Cc: Harry Wentland <harry.wentland@amd.com> > Cc: Daniel Vetter <daniel.vetter@intel.com> > Cc: Jani Nikula <jani.nikula@linux.intel.com> > Cc: Sean Paul <seanpaul@chromium.org> > Signed-off-by: Daniel Vetter <daniel.vetter@intel.com> > --- > drivers/gpu/drm/drm_plane.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/drivers/gpu/drm/drm_plane.c b/drivers/gpu/drm/drm_plane.c > index ec62221d64a9..3a6de27bafed 100644 > --- a/drivers/gpu/drm/drm_plane.c > +++ b/drivers/gpu/drm/drm_plane.c > @@ -922,6 +922,7 @@ int drm_mode_page_flip_ioctl(struct drm_device *dev, > ret = drm_event_reserve_init(dev, file_priv, &e->base, &e->event.base); > if (ret) { > kfree(e); > + e = NULL; > goto out; > } > }
On Thu, Mar 30, 2017 at 10:26:24AM -0400, Harry Wentland wrote: > Reviewed-by: Harry Wentland <harry.wentland@amd.com> Thanks for the quick review, pushed to drm-misc. -Daniel > > On 2017-03-30 09:32 AM, Daniel Vetter wrote: > > With the explicit retry loop static analyzers get confused by the > > control flow and believe that e could be accessed after kfree. That's > > not possible, but it's non-obvious, so let's clear it to NULL. > > > > We already cleared e = NULL at the top of the function, so this is all > > in line. > > > > Cc: Julia Lawall <julia.lawall@lip6.fr> > > Reported-by: Julia Lawall <julia.lawall@lip6.fr> > > Fixes: 29dc0d1de182 ("drm: Roll out acquire context for the page_flip ioctl") > > Cc: Harry Wentland <harry.wentland@amd.com> > > Cc: Daniel Vetter <daniel.vetter@intel.com> > > Cc: Jani Nikula <jani.nikula@linux.intel.com> > > Cc: Sean Paul <seanpaul@chromium.org> > > Signed-off-by: Daniel Vetter <daniel.vetter@intel.com> > > --- > > drivers/gpu/drm/drm_plane.c | 1 + > > 1 file changed, 1 insertion(+) > > > > diff --git a/drivers/gpu/drm/drm_plane.c b/drivers/gpu/drm/drm_plane.c > > index ec62221d64a9..3a6de27bafed 100644 > > --- a/drivers/gpu/drm/drm_plane.c > > +++ b/drivers/gpu/drm/drm_plane.c > > @@ -922,6 +922,7 @@ int drm_mode_page_flip_ioctl(struct drm_device *dev, > > ret = drm_event_reserve_init(dev, file_priv, &e->base, &e->event.base); > > if (ret) { > > kfree(e); > > + e = NULL; > > goto out; > > } > > } >
diff --git a/drivers/gpu/drm/drm_plane.c b/drivers/gpu/drm/drm_plane.c index ec62221d64a9..3a6de27bafed 100644 --- a/drivers/gpu/drm/drm_plane.c +++ b/drivers/gpu/drm/drm_plane.c @@ -922,6 +922,7 @@ int drm_mode_page_flip_ioctl(struct drm_device *dev, ret = drm_event_reserve_init(dev, file_priv, &e->base, &e->event.base); if (ret) { kfree(e); + e = NULL; goto out; } }
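Review bot: the added `e = NULL;` after `kfree(e);` in the `if (ret)` branch carries no comment explaining why it is there, although the commit message itself calls the reasoning non-obvious. Sitting directly before `goto out;`, the assignment reads like a dead store, so a later cleanup could remove it and bring the static-analyzer report back. A one-line comment above it, saying that it keeps the pointer from dangling across the retry path, would keep the intent in the code. The `out:` label and the retry jump are outside the visible context, so the claim that `e` cannot be accessed after the free cannot be checked from this hunk alone; naming the path the analyzer flagged in the commit message would make that verifiable.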
With the explicit retry loop static analyzers get confused by the control flow and believe that e could be accessed after kfree. That's not possible, but it's non-obvious, so let's clear it to NULL.

We already cleared e = NULL at the top of the function, so this is all in line.

Cc: Julia Lawall <julia.lawall@lip6.fr>
Reported-by: Julia Lawall <julia.lawall@lip6.fr>
Fixes: 29dc0d1de182 ("drm: Roll out acquire context for the page_flip ioctl")
Cc: Harry Wentland <harry.wentland@amd.com>
Cc: Daniel Vetter <daniel.vetter@intel.com>
Cc: Jani Nikula <jani.nikula@linux.intel.com>
Cc: Sean Paul <seanpaul@chromium.org>
Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>

---
 drivers/gpu/drm/drm_plane.c | 1 +
 1 file changed, 1 insertion(+)