diff options
author | Tuomas Tynkkynen <ttynkkynen@nvidia.com> | 2012-08-16 19:56:51 +0300 |
---|---|---|
committer | Simone Willett <swillett@nvidia.com> | 2012-08-22 12:03:07 -0700 |
commit | 6c679d9b3285f60df9acc335b19c1478f8ee92e3 (patch) | |
tree | 49f49056364ae06a4d4c8d1a4bbc508f4b3684eb /drivers | |
parent | 71824364492283119d1a18dd179718f85ec810c2 (diff) |
video: tegra: host: Fix crash if allocation fails
nvhost_module_remove_client assumes that a client structure
to be freed exists in the linked list. However, if an allocation fails
in nvhost_module_add_client, no client structure is allocated, and
during cleanup, nvhost_module_remove_client would then attempt
to free an invalid pointer.
Bug 1034729
Change-Id: Ie1a641071b86f8246951e9be824a6003f14b04b6
Signed-off-by: Tuomas Tynkkynen <ttynkkynen@nvidia.com>
Reviewed-on: http://git-master/r/124096
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Terje Bergstrom <tbergstrom@nvidia.com>
Reviewed-by: Juha Tukkinen <jtukkinen@nvidia.com>
Diffstat (limited to 'drivers')
-rw-r--r-- | drivers/video/tegra/host/bus_client.c | 3 | ||||
-rw-r--r-- | drivers/video/tegra/host/nvhost_acm.c | 4 |
2 files changed, 5 insertions, 2 deletions
diff --git a/drivers/video/tegra/host/bus_client.c b/drivers/video/tegra/host/bus_client.c index 0137793b39ee..aaa038221971 100644 --- a/drivers/video/tegra/host/bus_client.c +++ b/drivers/video/tegra/host/bus_client.c @@ -159,7 +159,8 @@ static int nvhost_channelopen(struct inode *inode, struct file *filp) } filp->private_data = priv; priv->ch = ch; - nvhost_module_add_client(ch->dev, priv); + if(nvhost_module_add_client(ch->dev, priv)) + goto fail; if (ch->ctxhandler && ch->ctxhandler->alloc) { priv->hwctx = ch->ctxhandler->alloc(ch->ctxhandler, ch); diff --git a/drivers/video/tegra/host/nvhost_acm.c b/drivers/video/tegra/host/nvhost_acm.c index 06005c423a21..76304d6e8fa6 100644 --- a/drivers/video/tegra/host/nvhost_acm.c +++ b/drivers/video/tegra/host/nvhost_acm.c @@ -343,15 +343,17 @@ void nvhost_module_remove_client(struct nvhost_device *dev, void *priv) { int i; struct nvhost_module_client *m; + int found = 0; mutex_lock(&client_list_lock); list_for_each_entry(m, &dev->client_list, node) { if (priv == m->priv) { list_del(&m->node); + found = 1; break; } } - if (m) { + if (found) { kfree(m); for (i = 0; i < dev->num_clks; i++) nvhost_module_update_rate(dev, i); |