drm/i915: Fix use after free when printing load failure

Commit d15d7538c6d2 ("drm/i915: Tune down init error message due
to failure injection") added i915_load_error message to failure
path on device initialization. The message is printed
after the device is freed. And as the message printing helper
uses the device structure, this leads to use after free.

Spotted by Kasan.

Cc: Imre Deak <imre.deak@intel.com>
Cc: Chris Wilson <chris@chris-wilson.co.uk>
Signed-off-by: Mika Kuoppala <mika.kuoppala@intel.com>
Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
Link: http://patchwork.freedesktop.org/patch/msgid/1458721906-10625-1-git-send-email-mika.kuoppala@intel.com

diff --git a/drivers/gpu/drm/i915/i915_dma.c b/drivers/gpu/drm/i915/i915_dma.c
index a3458fcd83dc9c9e9aa15d85b8381d8abd64a052..fc8ac98c12d74c1a2eefdc5d59c8f88cac9a06c1 100644 (file)
--- a/drivers/gpu/drm/i915/i915_dma.c
+++ b/drivers/gpu/drm/i915/i915_dma.c
@@ -1398,10 +1398,10 @@ out_runtime_pm_put:
        intel_runtime_pm_put(dev_priv);
        i915_driver_cleanup_early(dev_priv);
 out_free_priv:
-       kfree(dev_priv);
-
        i915_load_error(dev_priv, "Device initialization failed (%d)\n", ret);
 
+       kfree(dev_priv);
+
        return ret;
 }