[1/2] drm/imx: Fix error handling for a kmemdup() call in imx_pd_bind()

Submitted by Markus Elfring on Oct. 12, 2019, 9:07 a.m.

Details

Message ID 3fd6aa8b-2529-7ff5-3e19-05267101b2a4@web.de
State New
Headers show
Series "drm/imx: fix memory leak in imx_pd_bind" ( rev: 2 ) in DRI devel

Not browsing as part of any series.

Commit Message

Markus Elfring Oct. 12, 2019, 9:07 a.m.
From: Markus Elfring <elfring@users.sourceforge.net>
Date: Sat, 12 Oct 2019 10:30:21 +0200

The return value from a call of the function “kmemdup” was not checked
in this function implementation. Thus add the corresponding error handling.

Fixes: 19022aaae677dfa171a719e9d1ff04823ce65a65 ("staging: drm/imx: Add parallel display support")
Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
---
 drivers/gpu/drm/imx/parallel-display.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--
2.23.0

Patch hide | download patch | download mbox

diff --git a/drivers/gpu/drm/imx/parallel-display.c b/drivers/gpu/drm/imx/parallel-display.c
index 35518e5de356..39c4798f56b6 100644
--- a/drivers/gpu/drm/imx/parallel-display.c
+++ b/drivers/gpu/drm/imx/parallel-display.c
@@ -210,8 +210,13 @@  static int imx_pd_bind(struct device *dev, struct device *master, void *data)
 		return -ENOMEM;

 	edidp = of_get_property(np, "edid", &imxpd->edid_len);
-	if (edidp)
+	if (edidp) {
 		imxpd->edid = kmemdup(edidp, imxpd->edid_len, GFP_KERNEL);
+		if (!imxpd->edid) {
+			devm_kfree(dev, imxpd);
+			return -ENOMEM;
+		}
+	}

 	ret = of_property_read_string(np, "interface-pix-fmt", &fmt);
 	if (!ret) {

Comments

On Sat, Oct 12, 2019 at 4:07 AM Markus Elfring <Markus.Elfring@web.de> wrote:
>
> From: Markus Elfring <elfring@users.sourceforge.net>
> Date: Sat, 12 Oct 2019 10:30:21 +0200
>
> The return value from a call of the function “kmemdup” was not checked
> in this function implementation. Thus add the corresponding error handling.
>
> Fixes: 19022aaae677dfa171a719e9d1ff04823ce65a65 ("staging: drm/imx: Add parallel display support")
> Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
> ---
>  drivers/gpu/drm/imx/parallel-display.c | 7 ++++++-
>  1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/imx/parallel-display.c b/drivers/gpu/drm/imx/parallel-display.c
> index 35518e5de356..39c4798f56b6 100644
> --- a/drivers/gpu/drm/imx/parallel-display.c
> +++ b/drivers/gpu/drm/imx/parallel-display.c
> @@ -210,8 +210,13 @@ static int imx_pd_bind(struct device *dev, struct device *master, void *data)
>                 return -ENOMEM;
>
>         edidp = of_get_property(np, "edid", &imxpd->edid_len);
> -       if (edidp)
> +       if (edidp) {
>                 imxpd->edid = kmemdup(edidp, imxpd->edid_len, GFP_KERNEL);
> +               if (!imxpd->edid) {
> +                       devm_kfree(dev, imxpd);

You should not try to free imxpd here as it is a resource-managed
allocation via devm_kzalloc(). It means memory allocated with this
function is
 automatically freed on driver detach. So, this patch introduces a double-free.

> +                       return -ENOMEM;
> +               }
> +       }
>
>         ret = of_property_read_string(np, "interface-pix-fmt", &fmt);
>         if (!ret) {
> --
> 2.23.0
>