]> git.proxmox.com Git - mirror_ubuntu-jammy-kernel.git/commitdiff
drm: fix error routines in drm_open_helper
authorSeung-Woo Kim <sw0312.kim@samsung.com>
Tue, 2 Jul 2013 00:53:28 +0000 (09:53 +0900)
committerDave Airlie <airlied@redhat.com>
Thu, 4 Jul 2013 00:53:37 +0000 (10:53 +1000)
There are missing parts to handle error in drm_open_helper().
The priv->minor, assigned by idr_find() which can return NULL,
should be checked whether it is NULL or not before referencing it.
put_pid(), drm_gem_release(), and drm_prime_destory_file_private()
should be called when error happens after their pair functions are
called. If an error occurs after executing dev->driver->open()
which allocates driver specific per-file private data, then the
private data should be released.

Signed-off-by: YoungJun Cho <yj44.cho@samsung.com>
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Signed-off-by: Kyungmin Park <kyungmin.park@samsung.com>
Reviewed-by: Chris Wilson <chris-wilson.co.uk>
Signed-off-by: Dave Airlie <airlied@redhat.com>
drivers/gpu/drm/drm_fops.c

index 429e07d0b0f147f2c9f672d65a18849f0c57f0f4..3a24385e03686faebb4fa413809136bce9d60917 100644 (file)
@@ -271,6 +271,11 @@ static int drm_open_helper(struct inode *inode, struct file *filp,
        priv->uid = current_euid();
        priv->pid = get_pid(task_pid(current));
        priv->minor = idr_find(&drm_minors_idr, minor_id);
+       if (!priv->minor) {
+               ret = -ENODEV;
+               goto out_put_pid;
+       }
+
        priv->ioctl_count = 0;
        /* for compatibility root is always authenticated */
        priv->authenticated = capable(CAP_SYS_ADMIN);
@@ -292,7 +297,7 @@ static int drm_open_helper(struct inode *inode, struct file *filp,
        if (dev->driver->open) {
                ret = dev->driver->open(dev, priv);
                if (ret < 0)
-                       goto out_free;
+                       goto out_prime_destroy;
        }
 
 
@@ -304,7 +309,7 @@ static int drm_open_helper(struct inode *inode, struct file *filp,
                if (!priv->minor->master) {
                        mutex_unlock(&dev->struct_mutex);
                        ret = -ENOMEM;
-                       goto out_free;
+                       goto out_close;
                }
 
                priv->is_master = 1;
@@ -322,7 +327,7 @@ static int drm_open_helper(struct inode *inode, struct file *filp,
                                drm_master_put(&priv->minor->master);
                                drm_master_put(&priv->master);
                                mutex_unlock(&dev->struct_mutex);
-                               goto out_free;
+                               goto out_close;
                        }
                }
                mutex_lock(&dev->struct_mutex);
@@ -333,7 +338,7 @@ static int drm_open_helper(struct inode *inode, struct file *filp,
                                drm_master_put(&priv->minor->master);
                                drm_master_put(&priv->master);
                                mutex_unlock(&dev->struct_mutex);
-                               goto out_free;
+                               goto out_close;
                        }
                }
                mutex_unlock(&dev->struct_mutex);
@@ -367,7 +372,17 @@ static int drm_open_helper(struct inode *inode, struct file *filp,
 #endif
 
        return 0;
-      out_free:
+
+out_close:
+       if (dev->driver->postclose)
+               dev->driver->postclose(dev, priv);
+out_prime_destroy:
+       if (drm_core_check_feature(dev, DRIVER_PRIME))
+               drm_prime_destroy_file_private(&priv->prime);
+       if (dev->driver->driver_features & DRIVER_GEM)
+               drm_gem_release(dev, priv);
+out_put_pid:
+       put_pid(priv->pid);
        kfree(priv);
        filp->private_data = NULL;
        return ret;