drm/nouveau/vm: fix memory corruption when pgt allocation fails

If we return freed vm, nouveau_drm_open will happily call nouveau_cli_destroy, which will try to free it again. Reported-by: N Peter Hurley <peter@hurleysoftware.com> Signed-off-by: N Marcin Slusarz <marcin.slusarz@gmail.com> Signed-off-by: N Ben Skeggs <bskeggs@redhat.com>

drm/nouveau/vm: fix memory corruption when pgt allocation fails
If we return freed vm, nouveau_drm_open will happily call nouveau_cli_destroy, which will try to free it again. Reported-by: N Peter Hurley <peter@hurleysoftware.com> Signed-off-by: N Marcin Slusarz <marcin.slusarz@gmail.com> Signed-off-by: N Ben Skeggs <bskeggs@redhat.com>
cfd376b6 · Marcin Slusarz · Ben Skeggs · 4c4101d2 · cfd376b6
隐藏空白更改
内联并排

Showing with 3 addition and 1 deletion

drivers/gpu/drm/nouveau/core/subdev/vm/base.c drivers/gpu/drm/nouveau/core/subdev/vm/base.c +3 -1

未找到文件。
--- a/drivers/gpu/drm/nouveau/core/subdev/vm/base.c
+++ b/drivers/gpu/drm/nouveau/core/subdev/vm/base.c
@@ -352,7 +352,7 @@ nouveau_vm_create(struct nouveau_vmmgr *vmm, u64 offset, u64 length,
 	u64 mm_length = (offset + length) - mm_offset;
 	int ret;

-	vm = *pvm = kzalloc(sizeof(*vm), GFP_KERNEL);
+	vm = kzalloc(sizeof(*vm), GFP_KERNEL);
 	if (!vm)
 		return -ENOMEM;

@@ -376,6 +376,8 @@ nouveau_vm_create(struct nouveau_vmmgr *vmm, u64 offset, u64 length,
 		return ret;
 	}

+	*pvm = vm;
+
 	return 0;
 }