
Commit d133036

Ben SkeggsDanilo Krummrich
authored andcommitted
drm/nouveau/gsp: fix potential leak of memory used during acpi init
If any of the ACPI calls fail, memory allocated for the input buffer would be leaked. Fix failure paths to free allocated memory. Also add checks to ensure the allocations succeeded in the first place. Reported-by: Danilo Krummrich <[email protected]> Fixes: 176fdcb ("drm/nouveau/gsp/r535: add support for booting GSP-RM") Signed-off-by: Ben Skeggs <[email protected]> Signed-off-by: Danilo Krummrich <[email protected]> Link: https://lore.kernel.org/r/[email protected]
1 parent 3d44147 commit d133036


1 file changed

+14
-6
lines changed
  • drivers/gpu/drm/nouveau/nvkm/subdev/gsp/rm/r535

1 file changed

+14
-6
lines changed

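--- a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/rm/r535/gsp.c
+++ b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/rm/r535/gsp.c
@@ -719,25 +719,29 @@ r535_gsp_acpi_caps(acpi_handle handle, CAPS_METHOD_DATA *caps)
 union acpi_object argv4 = {
 .buffer.type = ACPI_TYPE_BUFFER,
 .buffer.length = 4,
-.buffer.pointer = kmalloc(argv4.buffer.length, GFP_KERNEL),
 }, *obj;
 
 caps->status = 0xffff;
 
 if (!acpi_check_dsm(handle, &NVOP_DSM_GUID, NVOP_DSM_REV, BIT_ULL(0x1a)))
 return;
 
+argv4.buffer.pointer = kmalloc(argv4.buffer.length, GFP_KERNEL);
+if (!argv4.buffer.pointer)
+return;
+
 obj = acpi_evaluate_dsm(handle, &NVOP_DSM_GUID, NVOP_DSM_REV, 0x1a, &argv4);
 if (!obj)
-return;
+goto done;
 
 if (WARN_ON(obj->type != ACPI_TYPE_BUFFER) ||
 WARN_ON(obj->buffer.length != 4))
-return;
+goto done;
 
 caps->status = 0;
 caps->optimusCaps = *(u32 *)obj->buffer.pointer;
 
+done:
 ACPI_FREE(obj);
 
 kfree(argv4.buffer.pointer);
@@ -754,24 +758,28 @@ r535_gsp_acpi_jt(acpi_handle handle, JT_METHOD_DATA *jt)
 union acpi_object argv4 = {
 .buffer.type = ACPI_TYPE_BUFFER,
 .buffer.length = sizeof(caps),
-.buffer.pointer = kmalloc(argv4.buffer.length, GFP_KERNEL),
 }, *obj;
 
 jt->status = 0xffff;
 
+argv4.buffer.pointer = kmalloc(argv4.buffer.length, GFP_KERNEL);
+if (!argv4.buffer.pointer)
+return;
+
 obj = acpi_evaluate_dsm(handle, &JT_DSM_GUID, JT_DSM_REV, 0x1, &argv4);
 if (!obj)
-return;
+goto done;
 
 if (WARN_ON(obj->type != ACPI_TYPE_BUFFER) ||
 WARN_ON(obj->buffer.length != 4))
-return;
+goto done;
 
 jt->status = 0;
 jt->jtCaps = *(u32 *)obj->buffer.pointer;
 jt->jtRevId = (jt->jtCaps & 0xfff00000) >> 20;
 jt->bSBIOSCaps = 0;
 
+done:
 ACPI_FREE(obj);
 
 kfree(argv4.buffer.pointer);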
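Review bot: The input buffer allocated by the new `kmalloc()` line in r535_gsp_acpi_caps is passed to `acpi_evaluate_dsm()` two lines later with nothing written into it, so the _DSM argument carries stale slab contents into the firmware method and the call is not reproducible. Allocating it zeroed closes that: `argv4.buffer.pointer = kzalloc(argv4.buffer.length, GFP_KERNEL);`. The second hunk, r535_gsp_acpi_jt, has the same pattern and should get the same change. Separately, the `if (!obj) goto done;` path now reaches `ACPI_FREE(obj)` with a NULL pointer; that appears to rely on ACPI_FREE tolerating NULL, which deserves a short comment at the `done:` label, for example `/* obj may be NULL here; ACPI_FREE() accepts that */`, once confirmed. Both functions begin outside their hunks, so the declarations of `caps` and the GUID constants are not visible here.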
