Commit 47a72834 authored Jul 02, 2024 by Konrad Dybcio Committed by Xiongfeng Wang Jul 02, 2024

drm/msm/a6xx: Avoid a nullptr dereference when speedbin setting fails

mainline inclusion
from mainline-v6.10-rc1
commit 46d4efcccc688cbacdd70a238bedca510acaa8e4
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA7D2C
CVE: CVE-2024-38390

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=46d4efcccc688cbacdd70a238bedca510acaa8e4



--------------------------------

Calling a6xx_destroy() before adreno_gpu_init() leads to a null pointer
dereference on:

msm_gpu_cleanup() : platform_set_drvdata(gpu->pdev, NULL);

as gpu->pdev is only assigned in:

a6xx_gpu_init()
|_ adreno_gpu_init
    |_ msm_gpu_init()

Instead of relying on handwavy null checks down the cleanup chain,
explicitly de-allocate the LLC data and free a6xx_gpu instead.

Fixes: 76efc245 ("drm/msm/gpu: Fix crash during system suspend after unbind")
Signed-off-by: Konrad Dybcio <konrad.dybcio@linaro.org>
Patchwork: https://patchwork.freedesktop.org/patch/588919/


Signed-off-by: Rob Clark <robdclark@chromium.org>
Signed-off-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>

parent e03ea5d6

drivers/gpu/drm/msm/adreno/a6xx_gpu.c

+2 −1

Original line number	Diff line number	Diff line
		@@ -2343,7 +2343,8 @@ struct msm_gpu a6xx_gpu_init(struct drm_device dev)

		ret = a6xx_set_supported_hw(&pdev->dev, config->info);
		if (ret) {
		a6xx_destroy(&(a6xx_gpu->base.base));
		a6xx_llc_slices_destroy(a6xx_gpu);
		kfree(a6xx_gpu);
		return ERR_PTR(ret);
		}