From: Mika Kuoppala <mika.kuoppala@linux.intel.com>
Date: Wed, 23 Mar 2016 08:31:46 +0000 (+0200)
Subject: drm/i915: Fix use after free when printing load failure
X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=2dc10cd8bc2662d0311224d92fb82f34be0424bc;p=GitHub%2FLineageOS%2Fandroid_kernel_motorola_exynos9610.git

drm/i915: Fix use after free when printing load failure

Commit d15d7538c6d2 ("drm/i915: Tune down init error message due
to failure injection") added i915_load_error message to failure
path on device initialization. The message is printed
after the device is freed. And as the message printing helper
uses the device structure, this leads to use after free.

Spotted by Kasan.

Cc: Imre Deak <imre.deak@intel.com>
Cc: Chris Wilson <chris@chris-wilson.co.uk>
Signed-off-by: Mika Kuoppala <mika.kuoppala@intel.com>
Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
Link: http://patchwork.freedesktop.org/patch/msgid/1458721906-10625-1-git-send-email-mika.kuoppala@intel.com
---

diff --git a/drivers/gpu/drm/i915/i915_dma.c b/drivers/gpu/drm/i915/i915_dma.c
index a3458fcd83dc..fc8ac98c12d7 100644
--- a/drivers/gpu/drm/i915/i915_dma.c
+++ b/drivers/gpu/drm/i915/i915_dma.c
@@ -1398,10 +1398,10 @@ out_runtime_pm_put:
 	intel_runtime_pm_put(dev_priv);
 	i915_driver_cleanup_early(dev_priv);
 out_free_priv:
-	kfree(dev_priv);
-
 	i915_load_error(dev_priv, "Device initialization failed (%d)\n", ret);
 
+	kfree(dev_priv);
+
 	return ret;
 }