drm/exynos: Fix (more) freeing issues in exynos_drm_drv.c

Commit Message

Daniel Kurtz March 17, 2014, 3:28 a.m. UTC

The following commit [0] fixed a use-after-free, but left the subdrv open
in the error path.

[0] commit 6ca605f7c70895a35737435f17ae9cc5e36f1466
drm/exynos: Fix freeing issues in exynos_drm_drv.c

Signed-off-by: Daniel Kurtz <djkurtz@chromium.org>
---
Hi, I noticed this when reviewing some recent patches.
I am only able to compile test this patch.

 drivers/gpu/drm/exynos/exynos_drm_drv.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

Comments

Sachin Kamat March 17, 2014, 4:15 a.m. UTC | #1

Hi Daniel,

Thanks for the patch.

On 17 March 2014 08:58, Daniel Kurtz <djkurtz@chromium.org> wrote:
> The following commit [0] fixed a use-after-free, but left the subdrv open
> in the error path.
>
> [0] commit 6ca605f7c70895a35737435f17ae9cc5e36f1466
> drm/exynos: Fix freeing issues in exynos_drm_drv.c
>
> Signed-off-by: Daniel Kurtz <djkurtz@chromium.org>

Acked-by: Sachin Kamat <sachin.kamat@linaro.org>

Patch

diff --git a/drivers/gpu/drm/exynos/exynos_drm_drv.c b/drivers/gpu/drm/exynos/exynos_drm_drv.c
index 215131a..c204b4e 100644
--- a/drivers/gpu/drm/exynos/exynos_drm_drv.c
+++ b/drivers/gpu/drm/exynos/exynos_drm_drv.c
@@ -172,20 +172,24 @@  static int exynos_drm_open(struct drm_device *dev, struct drm_file *file)
 
 	ret = exynos_drm_subdrv_open(dev, file);
 	if (ret)
-		goto out;
+		goto err_file_priv_free;
 
 	anon_filp = anon_inode_getfile("exynos_gem", &exynos_drm_gem_fops,
 					NULL, 0);
 	if (IS_ERR(anon_filp)) {
 		ret = PTR_ERR(anon_filp);
-		goto out;
+		goto err_subdrv_close;
 	}
 
 	anon_filp->f_mode = FMODE_READ | FMODE_WRITE;
 	file_priv->anon_filp = anon_filp;
 
 	return ret;
-out:
+
+err_subdrv_close:
+	exynos_drm_subdrv_close(dev, file);
+
+err_file_priv_free:
 	kfree(file_priv);
 	file->driver_priv = NULL;
 	return ret;