drm: use after free in drm_queue_vblank_event()

The "e" pointer is either NULL or freed when we call drm_vblank_put(dev, e->pipe) on the error path. Just pass the "pipe" variable directly instead. I changed another caller to use "pipe" as well for consistency. Signed-off-by: Dan Carpenter <error27@gmail.com> Signed-off-by: Dave Airlie <airlied@redhat.com>
author: Dan Carpenter <error27@gmail.com> 2010-12-09 00:35:40 -0500
committer: Dave Airlie <airlied@redhat.com> 2010-12-09 02:27:25 -0500
commit: 6f331623b99e1900e3a664bbe6e95406ff4b27f4 (patch)
tree: b85fe0a40e12e00b6c7881b14ef5fabbc45f7acd
parent: e76116ca9671e2e5239054a40303b94feab585ad (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/drivers/gpu/drm/drm_irq.c b/drivers/gpu/drm/drm_irq.c
index 722700d5d73e..16d5155edad1 100644
--- a/drivers/gpu/drm/drm_irq.c
+++ b/drivers/gpu/drm/drm_irq.c
@@ -628,7 +628,7 @@ static int drm_queue_vblank_event(struct drm_device *dev, int pipe,
        if ((seq - vblwait->request.sequence) <= (1 << 23)) {
                e->event.tv_sec = now.tv_sec;
                e->event.tv_usec = now.tv_usec;
-                drm_vblank_put(dev, e->pipe);
+                drm_vblank_put(dev, pipe);
                list_add_tail(&e->base.link, &e->base.file_priv->event_list);
                wake_up_interruptible(&e->base.file_priv->event_wait);
                trace_drm_vblank_event_delivered(current->pid, pipe,
@@ -645,7 +645,7 @@ err_unlock:
        spin_unlock_irqrestore(&dev->event_lock, flags);
        kfree(e);
 err_put:
-        drm_vblank_put(dev, e->pipe);
+        drm_vblank_put(dev, pipe);
        return ret;
 }
author	Dan Carpenter <error27@gmail.com>	2010-12-09 00:35:40 -0500
committer	Dave Airlie <airlied@redhat.com>	2010-12-09 02:27:25 -0500
commit	6f331623b99e1900e3a664bbe6e95406ff4b27f4 (patch)
tree	b85fe0a40e12e00b6c7881b14ef5fabbc45f7acd
parent	e76116ca9671e2e5239054a40303b94feab585ad (diff)

diff --git a/drivers/gpu/drm/drm_irq.c b/drivers/gpu/drm/drm_irq.c index 722700d5d73e..16d5155edad1 100644 --- a/drivers/gpu/drm/drm_irq.c +++ b/drivers/gpu/drm/drm_irq.c
@@ -628,7 +628,7 @@ static int drm_queue_vblank_event(struct drm_device *dev, int pipe,
628	if ((seq - vblwait->request.sequence) <= (1 << 23)) {	628	if ((seq - vblwait->request.sequence) <= (1 << 23)) {
629	e->event.tv_sec = now.tv_sec;	629	e->event.tv_sec = now.tv_sec;
630	e->event.tv_usec = now.tv_usec;	630	e->event.tv_usec = now.tv_usec;
631	drm_vblank_put(dev, e->pipe);	631	drm_vblank_put(dev, pipe);
632	list_add_tail(&e->base.link, &e->base.file_priv->event_list);	632	list_add_tail(&e->base.link, &e->base.file_priv->event_list);
633	wake_up_interruptible(&e->base.file_priv->event_wait);	633	wake_up_interruptible(&e->base.file_priv->event_wait);
634	trace_drm_vblank_event_delivered(current->pid, pipe,	634	trace_drm_vblank_event_delivered(current->pid, pipe,
@@ -645,7 +645,7 @@ err_unlock:
645	spin_unlock_irqrestore(&dev->event_lock, flags);	645	spin_unlock_irqrestore(&dev->event_lock, flags);
646	kfree(e);	646	kfree(e);
647	err_put:	647	err_put:
648	drm_vblank_put(dev, e->pipe);	648	drm_vblank_put(dev, pipe);
649	return ret;	649	return ret;
650	}	650	}
651		651