diff options
author | Dan Carpenter <error27@gmail.com> | 2010-12-09 08:35:40 +0300 |
---|---|---|
committer | Dave Airlie <airlied@redhat.com> | 2010-12-09 17:27:25 +1000 |
commit | 6f331623b99e1900e3a664bbe6e95406ff4b27f4 (patch) | |
tree | b85fe0a40e12e00b6c7881b14ef5fabbc45f7acd /drivers/gpu | |
parent | e76116ca9671e2e5239054a40303b94feab585ad (diff) | |
download | talos-obmc-linux-6f331623b99e1900e3a664bbe6e95406ff4b27f4.tar.gz talos-obmc-linux-6f331623b99e1900e3a664bbe6e95406ff4b27f4.zip |
drm: use after free in drm_queue_vblank_event()
The "e" pointer is either NULL or freed when we call
drm_vblank_put(dev, e->pipe) on the error path. Just pass the "pipe"
variable directly instead.
I changed another caller to use "pipe" as well for consistency.
Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Diffstat (limited to 'drivers/gpu')
-rw-r--r-- | drivers/gpu/drm/drm_irq.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/drivers/gpu/drm/drm_irq.c b/drivers/gpu/drm/drm_irq.c index 722700d5d73e..16d5155edad1 100644 --- a/drivers/gpu/drm/drm_irq.c +++ b/drivers/gpu/drm/drm_irq.c @@ -628,7 +628,7 @@ static int drm_queue_vblank_event(struct drm_device *dev, int pipe, if ((seq - vblwait->request.sequence) <= (1 << 23)) { e->event.tv_sec = now.tv_sec; e->event.tv_usec = now.tv_usec; - drm_vblank_put(dev, e->pipe); + drm_vblank_put(dev, pipe); list_add_tail(&e->base.link, &e->base.file_priv->event_list); wake_up_interruptible(&e->base.file_priv->event_wait); trace_drm_vblank_event_delivered(current->pid, pipe, @@ -645,7 +645,7 @@ err_unlock: spin_unlock_irqrestore(&dev->event_lock, flags); kfree(e); err_put: - drm_vblank_put(dev, e->pipe); + drm_vblank_put(dev, pipe); return ret; } |