From: Konrad Dybcio <konrad.dybcio@linaro.org>
mainline inclusion
from mainline-v6.10-rc1
commit 46d4efcccc688cbacdd70a238bedca510acaa8e4
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA7D2C
CVE: CVE-2024-38390
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id...
--------------------------------
Calling a6xx_destroy() before adreno_gpu_init() leads to a null pointer dereference on:
msm_gpu_cleanup() : platform_set_drvdata(gpu->pdev, NULL);
as gpu->pdev is only assigned in:
a6xx_gpu_init()
|_ adreno_gpu_init
    |_ msm_gpu_init()
Instead of relying on handwavy null checks down the cleanup chain, explicitly de-allocate the LLC data and free a6xx_gpu instead.
Fixes: 76efc2453d0e ("drm/msm/gpu: Fix crash during system suspend after unbind")
Signed-off-by: Konrad Dybcio <konrad.dybcio@linaro.org>
Patchwork: https://patchwork.freedesktop.org/patch/588919/
Signed-off-by: Rob Clark <robdclark@chromium.org>
Signed-off-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>
---
 drivers/gpu/drm/msm/adreno/a6xx_gpu.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/msm/adreno/a6xx_gpu.c b/drivers/gpu/drm/msm/adreno/a6xx_gpu.c index 522ca7fe6762..3664c1476a83 100644 --- a/drivers/gpu/drm/msm/adreno/a6xx_gpu.c +++ b/drivers/gpu/drm/msm/adreno/a6xx_gpu.c @@ -2343,7 +2343,8 @@ struct msm_gpu *a6xx_gpu_init(struct drm_device *dev)
ret = a6xx_set_supported_hw(&pdev->dev, config->info); if (ret) { - a6xx_destroy(&(a6xx_gpu->base.base)); + a6xx_llc_slices_destroy(a6xx_gpu); + kfree(a6xx_gpu); return ERR_PTR(ret); }
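Review bot: in the `if (ret)` branch after a6xx_set_supported_hw(), the hand-written cleanup (`a6xx_llc_slices_destroy(a6xx_gpu);` followed by `kfree(a6xx_gpu);`) carries no comment saying why a6xx_destroy() must not be called here, so a later tidy-up could fold it back into a6xx_destroy() and reintroduce the NULL gpu->pdev dereference the commit message describes. A one-line comment above the two calls noting that adreno_gpu_init() has not run yet at this point would guard against that. It is also worth confirming that the LLC slices are the only resource attached to a6xx_gpu when this branch is reached, since anything else allocated earlier in a6xx_gpu_init() would now leak on this path; the hunk does not show the preceding allocations.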