From: Yang Yingliang <yangyingliang@huawei.com>
Date: Sat, 26 Nov 2022 07:33:14 +0000 (+0800)
Subject: gpu: host1x: Fix potential double free if IOMMU is disabled
X-Git-Tag: v6.1.37~1827
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=b81cfee96703614eb383348e6d6d751d7c6f689e;p=platform%2Fkernel%2Flinux-starfive.git

gpu: host1x: Fix potential double free if IOMMU is disabled

[ Upstream commit 8466ff24a37a9a18fb935e90dda64f049131ae28 ]

If context device has no IOMMU, the 'cdl->devs' is freed in
error path, but host1x_memory_context_list_init() doesn't
return an error code, so the module can be loaded successfully,
when it's unloading, the host1x_memory_context_list_free() is
called in host1x_remove(), it will cause double free. Set the
'cdl->devs' to NULL after freeing it to avoid double free.

Fixes: 8aa5bcb61612 ("gpu: host1x: Add context device management code")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Reviewed-by: Mikko Perttunen <mperttunen@nvidia.com>
Signed-off-by: Thierry Reding <treding@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---

diff --git a/drivers/gpu/host1x/context.c b/drivers/gpu/host1x/context.c
index b08cf11..291f345 100644
--- a/drivers/gpu/host1x/context.c
+++ b/drivers/gpu/host1x/context.c
@@ -87,6 +87,7 @@ del_devices:
 		device_del(&cdl->devs[i].dev);
 
 	kfree(cdl->devs);
+	cdl->devs = NULL;
 	cdl->len = 0;
 
 	return err;