Message ID | 20211203100946.2706922-1-liviu.dudau@arm.com (mailing list archive) |
---|---|
State | New, archived |
Series | drm/komeda: return early if drm_universal_plane_init() fails. |
On 03/12/2021 10:09, Liviu Dudau wrote: > If drm_universal_plane_init() fails early we jump to the common cleanup code > that calls komeda_plane_destroy() which in turn could access the uninitalised > drm_plane and crash. Return early if an error is detected without going through > the common code. > > Reported-by: Steven Price <steven.price@arm.com> > Signed-off-by: Liviu Dudau <liviu.dudau@arm.com> Reviewed-by: Steven Price <steven.price@arm.com> Looks correct, although I note there is a path in __drm_universal_plane_init() which doesn't clean up properly. I'll send a patch for that too. Thanks, Steve > --- > drivers/gpu/drm/arm/display/komeda/komeda_plane.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) > > diff --git a/drivers/gpu/drm/arm/display/komeda/komeda_plane.c b/drivers/gpu/drm/arm/display/komeda/komeda_plane.c > index aa193c58f4bf6d9..517b94c3bcaf966 100644 > --- a/drivers/gpu/drm/arm/display/komeda/komeda_plane.c > +++ b/drivers/gpu/drm/arm/display/komeda/komeda_plane.c > @@ -279,8 +279,10 @@ static int komeda_plane_add(struct komeda_kms_dev *kms, > > komeda_put_fourcc_list(formats); > > - if (err) > - goto cleanup; > + if (err) { > + kfree(kplane); > + return err; > + } > > drm_plane_helper_add(plane, &komeda_plane_helper_funcs); > >
On 12/3/21 10:09, Liviu Dudau wrote: > If drm_universal_plane_init() fails early we jump to the common cleanup code > that calls komeda_plane_destroy() which in turn could access the uninitalised > drm_plane and crash. Return early if an error is detected without going through > the common code. > > Reported-by: Steven Price <steven.price@arm.com> > Signed-off-by: Liviu Dudau <liviu.dudau@arm.com> > --- > drivers/gpu/drm/arm/display/komeda/komeda_plane.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) > > diff --git a/drivers/gpu/drm/arm/display/komeda/komeda_plane.c b/drivers/gpu/drm/arm/display/komeda/komeda_plane.c > index aa193c58f4bf6d9..517b94c3bcaf966 100644 > --- a/drivers/gpu/drm/arm/display/komeda/komeda_plane.c > +++ b/drivers/gpu/drm/arm/display/komeda/komeda_plane.c > @@ -279,8 +279,10 @@ static int komeda_plane_add(struct komeda_kms_dev *kms, > > komeda_put_fourcc_list(formats); > > - if (err) > - goto cleanup; > + if (err) { > + kfree(kplane); > + return err; > + } > > drm_plane_helper_add(plane, &komeda_plane_helper_funcs); > > Ummm... can I disagree here? this goto cleanup I think is just fine because plane has been set before drm_universal_plane_init() is called which is before the if (err) here. komeda_plane_destroy() in cleanup: does all the right things, so this patch isn't needed. I think it's less clean as it adds a new "handle error" path special-case instance where a special case is not needed. The fix to Zhou's original patch was needed for exactly the reason Liviu said - but not this one... ?
On 12/3/21 14:15, Carsten Haitzler wrote: > On 12/3/21 10:09, Liviu Dudau wrote: >> If drm_universal_plane_init() fails early we jump to the common >> cleanup code >> that calls komeda_plane_destroy() which in turn could access the >> uninitalised >> drm_plane and crash. Return early if an error is detected without >> going through >> the common code. >> >> Reported-by: Steven Price <steven.price@arm.com> >> Signed-off-by: Liviu Dudau <liviu.dudau@arm.com> >> --- >> drivers/gpu/drm/arm/display/komeda/komeda_plane.c | 6 ++++-- >> 1 file changed, 4 insertions(+), 2 deletions(-) >> >> diff --git a/drivers/gpu/drm/arm/display/komeda/komeda_plane.c >> b/drivers/gpu/drm/arm/display/komeda/komeda_plane.c >> index aa193c58f4bf6d9..517b94c3bcaf966 100644 >> --- a/drivers/gpu/drm/arm/display/komeda/komeda_plane.c >> +++ b/drivers/gpu/drm/arm/display/komeda/komeda_plane.c >> @@ -279,8 +279,10 @@ static int komeda_plane_add(struct komeda_kms_dev >> *kms, >> komeda_put_fourcc_list(formats); >> - if (err) >> - goto cleanup; >> + if (err) { >> + kfree(kplane); >> + return err; >> + } >> drm_plane_helper_add(plane, &komeda_plane_helper_funcs); >> > > Ummm... can I disagree here? this goto cleanup I think is just fine > because plane has been set before drm_universal_plane_init() is called > which is before the if (err) here. komeda_plane_destroy() in cleanup: > does all the right things, so this patch isn't needed. I think it's less > clean as it adds a new "handle error" path special-case instance where a > special case is not needed. The fix to Zhou's original patch was needed > for exactly the reason Liviu said - but not this one... ? Let me take that back - it seems an init fail shouldn't call cleanup but the init fail doesn't quite cleanup properly. Steven found this and already sent a patch.
diff --git a/drivers/gpu/drm/arm/display/komeda/komeda_plane.c b/drivers/gpu/drm/arm/display/komeda/komeda_plane.c index aa193c58f4bf6d9..517b94c3bcaf966 100644 --- a/drivers/gpu/drm/arm/display/komeda/komeda_plane.c +++ b/drivers/gpu/drm/arm/display/komeda/komeda_plane.c @@ -279,8 +279,10 @@ static int komeda_plane_add(struct komeda_kms_dev *kms, komeda_put_fourcc_list(formats); - if (err) - goto cleanup; + if (err) { + kfree(kplane); + return err; + } drm_plane_helper_add(plane, &komeda_plane_helper_funcs);
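Review bot: The new `if (err)` branch in komeda_plane_add() is the one failure that bypasses the `cleanup` label, and nothing in the hunk says why. Freeing only `kplane` here is correct only if drm_universal_plane_init() has already released everything it set up before returning the error, so please add a short comment above the branch stating that this failure must not reach komeda_plane_destroy() because the plane was never initialised. Without it, a later tidy-up could fold this branch back into `goto cleanup` and reintroduce the crash the commit message describes.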
If drm_universal_plane_init() fails early we jump to the common cleanup code
that calls komeda_plane_destroy() which in turn could access the uninitialised
drm_plane and crash. Return early if an error is detected without going through
the common code.

Reported-by: Steven Price <steven.price@arm.com>
Signed-off-by: Liviu Dudau <liviu.dudau@arm.com>

---
 drivers/gpu/drm/arm/display/komeda/komeda_plane.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
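The failure mode discussed in this thread, reduced to a user-space C model as an added example (not code from the patch or from the kernel): a destroy routine that assumes init succeeded is reached after init failed. All names (`plane_init`, `plane_destroy`, `add_plane`, `bad_destroy_calls`) are hypothetical, and the model counts the bad call instead of crashing.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
/* Simplified user-space model; every name below is hypothetical. */
struct node { struct node *prev, *next; };
struct plane { struct node link; };
static int bad_destroy_calls; /* destroy ran on a plane init never set up */

/* Init stand-in: can fail before the plane's list node is initialised. */
static int plane_init(struct plane *p, int fail_early)
{
    if (fail_early)
        return -ENOMEM; /* p->link is still zeroed */
    p->link.prev = p->link.next = &p->link;
    return 0;
}

/* Destroy stand-in: written on the assumption that init succeeded. */
static void plane_destroy(struct plane *p)
{
    if (p->link.prev && p->link.next) {
        p->link.prev->next = p->link.next;
        p->link.next->prev = p->link.prev;
    } else {
        bad_destroy_calls++; /* a real unlink would dereference NULL */
    }
    free(p);
}

/* early_return=0 models the shared-cleanup shape, 1 the early-return shape. */
static int add_plane(int init_fails, int early_return)
{
    struct plane *p = calloc(1, sizeof(*p));
    int err;
    if (!p)
        return -ENOMEM;
    err = plane_init(p, init_fails);
    if (err && early_return) {
        free(p); /* nothing was linked, so only the allocation is released */
        return err;
    }
    plane_destroy(p); /* shared path; success also tears down in this model */
    return err;
}

int main(void)
{
    int before = add_plane(1, 0), after = add_plane(1, 1);
    printf("before=%d after=%d bad_destroy_calls=%d\n", before, after, bad_destroy_calls);
    return 0;
}
```

Both shapes return the same error to the caller; only the shared-cleanup shape sends the never-initialised object through the destroy routine.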