Commit cfd376b6 authored by Marcin Slusarz, committed by Ben Skeggs

drm/nouveau/vm: fix memory corruption when pgt allocation fails

If we return freed vm, nouveau_drm_open will happily call nouveau_cli_destroy,
which will try to free it again.
Reported-by: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: Marcin Slusarz <marcin.slusarz@gmail.com>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
parent 4c4101d2
...@@ -352,7 +352,7 @@ nouveau_vm_create(struct nouveau_vmmgr *vmm, u64 offset, u64 length, ...@@ -352,7 +352,7 @@ nouveau_vm_create(struct nouveau_vmmgr *vmm, u64 offset, u64 length,
u64 mm_length = (offset + length) - mm_offset; u64 mm_length = (offset + length) - mm_offset;
int ret; int ret;
vm = *pvm = kzalloc(sizeof(*vm), GFP_KERNEL); vm = kzalloc(sizeof(*vm), GFP_KERNEL);
if (!vm) if (!vm)
return -ENOMEM; return -ENOMEM;
...@@ -376,6 +376,8 @@ nouveau_vm_create(struct nouveau_vmmgr *vmm, u64 offset, u64 length, ...@@ -376,6 +376,8 @@ nouveau_vm_create(struct nouveau_vmmgr *vmm, u64 offset, u64 length,
return ret; return ret;
} }
*pvm = vm;
return 0; return 0;
} }
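Review bot: On the error returns of nouveau_vm_create (`return -ENOMEM;` in the first hunk and the `return ret;` path in the second) `*pvm` is now never written, so the double free is avoided only if the caller's pointer already held NULL before the call; that caller state is not visible here. Since the commit message says nouveau_cli_destroy frees whatever vm the client holds, a stale or uninitialised value would presumably still be freed. Consider making the contract explicit with `*pvm = NULL;` at the top of the function, or at least a comment above the final assignment such as `/* publish vm only on success; *pvm is left untouched on error */`. The function starts outside the hunks, so the error paths between them could not be checked.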