diff options
author | Chris Wilson <chris@chris-wilson.co.uk> | 2016-01-05 09:42:30 +0000 |
---|---|---|
committer | Daniel Vetter <daniel.vetter@ffwll.ch> | 2016-01-05 16:22:58 +0100 |
commit | 9649399e918f61788a6302a0f7d3c5ed34c2930c (patch) | |
tree | 4d369e2f20b13caad5c3ed0b78e0c01addc51a58 /drivers/gpu/drm/drm_gem.c | |
parent | df7d678bea8ba8904bdb293c8e96aa9488f7dbee (diff) |
drm: Do not set outparam on error during GEM handle allocation
Good practice dictates that we do not leak stale information to our
callers, and should avoid overwriting an outparam on an error path.
Reported-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
Link: http://patchwork.freedesktop.org/patch/msgid/1451986951-3703-1-git-send-email-chris@chris-wilson.co.uk
Reviewed-by: Thierry Reding <treding@nvidia.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Diffstat (limited to 'drivers/gpu/drm/drm_gem.c')
-rw-r--r-- | drivers/gpu/drm/drm_gem.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/drivers/gpu/drm/drm_gem.c b/drivers/gpu/drm/drm_gem.c index 1b0c2c127072..eeee320e406b 100644 --- a/drivers/gpu/drm/drm_gem.c +++ b/drivers/gpu/drm/drm_gem.c @@ -331,6 +331,7 @@ drm_gem_handle_create_tail(struct drm_file *file_priv, u32 *handlep) { struct drm_device *dev = obj->dev; + u32 handle; int ret; WARN_ON(!mutex_is_locked(&dev->object_name_lock)); @@ -353,7 +354,7 @@ drm_gem_handle_create_tail(struct drm_file *file_priv, if (ret < 0) goto err_unref; - *handlep = ret; + handle = ret; ret = drm_vma_node_allow(&obj->vma_node, file_priv->filp); if (ret) @@ -365,13 +366,14 @@ drm_gem_handle_create_tail(struct drm_file *file_priv, goto err_revoke; } + *handlep = handle; return 0; err_revoke: drm_vma_node_revoke(&obj->vma_node, file_priv->filp); err_remove: spin_lock(&file_priv->table_lock); - idr_remove(&file_priv->object_idr, *handlep); + idr_remove(&file_priv->object_idr, handle); spin_unlock(&file_priv->table_lock); err_unref: drm_gem_object_handle_unreference_unlocked(obj); |