6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: José Expósito jose.exposito89@gmail.com
[ Upstream commit ed15511a773df86205bda66c37193569575ae828 ]
If the driver initialization fails, the vkms_exit() function might access an uninitialized or freed default_config pointer and it might double free it.
Fix both possible errors by initializing default_config only when the driver initialization succeeded.
Reported-by: Louis Chauvet louis.chauvet@bootlin.com Closes: https://lore.kernel.org/all/Z5uDHcCmAwiTsGte@louis-chauvet-laptop/ Fixes: 2df7af93fdad ("drm/vkms: Add vkms_config type") Signed-off-by: José Expósito jose.exposito89@gmail.com Reviewed-by: Thomas Zimmermann tzimmremann@suse.de Reviewed-by: Louis Chauvet louis.chauvet@bootlin.com Link: https://patchwork.freedesktop.org/patch/msgid/20250212084912.3196-1-jose.exp... Signed-off-by: Louis Chauvet louis.chauvet@bootlin.com Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/gpu/drm/vkms/vkms_drv.c | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/drivers/gpu/drm/vkms/vkms_drv.c b/drivers/gpu/drm/vkms/vkms_drv.c index f716c5796f5fc..09025ff3b1961 100644 --- a/drivers/gpu/drm/vkms/vkms_drv.c +++ b/drivers/gpu/drm/vkms/vkms_drv.c @@ -226,17 +226,19 @@ static int __init vkms_init(void) if (!config) return -ENOMEM;
- default_config = config; - config->cursor = enable_cursor; config->writeback = enable_writeback; config->overlay = enable_overlay;
ret = vkms_create(config); - if (ret) + if (ret) { kfree(config); + return ret; + }
- return ret; + default_config = config; + + return 0; }
static void vkms_destroy(struct vkms_config *config) @@ -260,9 +262,10 @@ static void vkms_destroy(struct vkms_config *config)
static void __exit vkms_exit(void) { - if (default_config->dev) - vkms_destroy(default_config); + if (!default_config) + return;
+ vkms_destroy(default_config); kfree(default_config); }