drivers/gpu/drm/drm_gem.c | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-)
When vmemdup_array_user() fails, 'handles' is set to a negative error
code and no memory is allocated. So the call to kvfree() should not
happen. Instead just return early with the error code.
Fixes: cb77b79abf5f ("drm/gem: Use vmemdup_array_user in drm_gem_objects_lookup")
Signed-off-by: Steven Price <steven.price@arm.com>
---
drivers/gpu/drm/drm_gem.c | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/drivers/gpu/drm/drm_gem.c b/drivers/gpu/drm/drm_gem.c
index 68168d58a7c8..efc79bbf3c73 100644
--- a/drivers/gpu/drm/drm_gem.c
+++ b/drivers/gpu/drm/drm_gem.c
@@ -798,13 +798,10 @@ int drm_gem_objects_lookup(struct drm_file *filp, void __user *bo_handles,
*objs_out = objs;
handles = vmemdup_array_user(bo_handles, count, sizeof(u32));
- if (IS_ERR(handles)) {
- ret = PTR_ERR(handles);
- goto out;
- }
+ if (IS_ERR(handles))
+ return PTR_ERR(handles);
ret = objects_lookup(filp, handles, count, objs);
-out:
kvfree(handles);
return ret;
--
2.43.0On 24/11/2025 11:20, Steven Price wrote:
> When vmemdup_array_user() fails, 'handles' is set to a negative error
> code and no memory is allocated. So the call to kvfree() should not
> happen. Instead just return early with the error code.
>
> Fixes: cb77b79abf5f ("drm/gem: Use vmemdup_array_user in drm_gem_objects_lookup")
> Signed-off-by: Steven Price <steven.price@arm.com>
Applied to drm-misc-next.
> ---
> drivers/gpu/drm/drm_gem.c | 7 ++-----
> 1 file changed, 2 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/gpu/drm/drm_gem.c b/drivers/gpu/drm/drm_gem.c
> index 68168d58a7c8..efc79bbf3c73 100644
> --- a/drivers/gpu/drm/drm_gem.c
> +++ b/drivers/gpu/drm/drm_gem.c
> @@ -798,13 +798,10 @@ int drm_gem_objects_lookup(struct drm_file *filp, void __user *bo_handles,
> *objs_out = objs;
>
> handles = vmemdup_array_user(bo_handles, count, sizeof(u32));
> - if (IS_ERR(handles)) {
> - ret = PTR_ERR(handles);
> - goto out;
> - }
> + if (IS_ERR(handles))
> + return PTR_ERR(handles);
>
> ret = objects_lookup(filp, handles, count, objs);
> -out:
> kvfree(handles);
> return ret;
>
On 24/11/2025 11:20, Steven Price wrote:
> When vmemdup_array_user() fails, 'handles' is set to a negative error
> code and no memory is allocated. So the call to kvfree() should not
> happen. Instead just return early with the error code.
Ah sorry about that. Must have mentally confused the two allocations.
Reviewed-by: Tvrtko Ursulin <tvrtko.ursulin@igalia.com>
Regards,
Tvrtko
> Fixes: cb77b79abf5f ("drm/gem: Use vmemdup_array_user in drm_gem_objects_lookup")
> Signed-off-by: Steven Price <steven.price@arm.com>
> ---
> drivers/gpu/drm/drm_gem.c | 7 ++-----
> 1 file changed, 2 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/gpu/drm/drm_gem.c b/drivers/gpu/drm/drm_gem.c
> index 68168d58a7c8..efc79bbf3c73 100644
> --- a/drivers/gpu/drm/drm_gem.c
> +++ b/drivers/gpu/drm/drm_gem.c
> @@ -798,13 +798,10 @@ int drm_gem_objects_lookup(struct drm_file *filp, void __user *bo_handles,
> *objs_out = objs;
>
> handles = vmemdup_array_user(bo_handles, count, sizeof(u32));
> - if (IS_ERR(handles)) {
> - ret = PTR_ERR(handles);
> - goto out;
> - }
> + if (IS_ERR(handles))
> + return PTR_ERR(handles);
>
> ret = objects_lookup(filp, handles, count, objs);
> -out:
> kvfree(handles);
> return ret;
>
© 2016 - 2025 Red Hat, Inc.