drm/imagination: Fix error path in pvr_vm_create_context

It is possible to double free the vm_ctx->mmu_ctx object in this
function.

    630 err_page_table_destroy:
--> 631         pvr_mmu_context_destroy(vm_ctx->mmu_ctx);

The pvr_vm_context_put() function does:

        kref_put(&vm_ctx->ref_count, pvr_vm_context_release);

Here the pvr_vm_context_release() will call:

        pvr_mmu_context_destroy(vm_ctx->mmu_ctx);

Refactor to an unwind style.

Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Donald Robson <donald.robson@imgtec.com>
Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Maxime Ripard <mripard@kernel.org>
Link: https://patchwork.freedesktop.org/patch/msgid/20231213144431.94956-2-donald.robson@imgtec.com

diff --git a/drivers/gpu/drm/imagination/pvr_vm.c b/drivers/gpu/drm/imagination/pvr_vm.c
index 598d79d7c7d08d96674539b917ecc595c5f4a9cc..e59517ba039efdafc3f41fa1a39f65349588a367 100644 (file)
--- a/drivers/gpu/drm/imagination/pvr_vm.c
+++ b/drivers/gpu/drm/imagination/pvr_vm.c
@@ -556,23 +556,12 @@ pvr_vm_create_context(struct pvr_device *pvr_dev, bool is_userspace_context)
        if (!vm_ctx)
                return ERR_PTR(-ENOMEM);
 
-       drm_gem_private_object_init(&pvr_dev->base, &vm_ctx->dummy_gem, 0);
-
        vm_ctx->pvr_dev = pvr_dev;
-       kref_init(&vm_ctx->ref_count);
-       mutex_init(&vm_ctx->lock);
-
-       drm_gpuvm_init(&vm_ctx->gpuvm_mgr,
-                      is_userspace_context ? "PowerVR-user-VM" : "PowerVR-FW-VM",
-                      0, &pvr_dev->base, &vm_ctx->dummy_gem,
-                      0, 1ULL << device_addr_bits, 0, 0, &pvr_vm_gpuva_ops);
 
        vm_ctx->mmu_ctx = pvr_mmu_context_create(pvr_dev);
        err = PTR_ERR_OR_ZERO(vm_ctx->mmu_ctx);
-       if (err) {
-               vm_ctx->mmu_ctx = NULL;
-               goto err_put_ctx;
-       }
+       if (err)
+               goto err_free;
 
        if (is_userspace_context) {
                err = pvr_fw_object_create(pvr_dev, sizeof(struct rogue_fwif_fwmemcontext),
@@ -583,13 +572,22 @@ pvr_vm_create_context(struct pvr_device *pvr_dev, bool is_userspace_context)
                        goto err_page_table_destroy;
        }
 
+       drm_gem_private_object_init(&pvr_dev->base, &vm_ctx->dummy_gem, 0);
+       drm_gpuvm_init(&vm_ctx->gpuvm_mgr,
+                      is_userspace_context ? "PowerVR-user-VM" : "PowerVR-FW-VM",
+                      0, &pvr_dev->base, &vm_ctx->dummy_gem,
+                      0, 1ULL << device_addr_bits, 0, 0, &pvr_vm_gpuva_ops);
+
+       mutex_init(&vm_ctx->lock);
+       kref_init(&vm_ctx->ref_count);
+
        return vm_ctx;
 
 err_page_table_destroy:
        pvr_mmu_context_destroy(vm_ctx->mmu_ctx);
 
-err_put_ctx:
-       pvr_vm_context_put(vm_ctx);
+err_free:
+       kfree(vm_ctx);
 
        return ERR_PTR(err);
 }