drm/msm: Fix potential invalid ptr free

[ Upstream commit 8a86f213f4426f19511a16d886871805b35c3acf ]

The error path cleanup expects that chain and syncobj are either NULL or
valid pointers.  But post_deps was not allocated with __GFP_ZERO.

Fixes: ab723b7a992a ("drm/msm: Add syncobj support.")
Signed-off-by: Rob Clark <robdclark@chromium.org>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Reviewed-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Patchwork: https://patchwork.freedesktop.org/patch/523051/
Link: https://lore.kernel.org/r/20230215235048.1166484-1-robdclark@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/drivers/gpu/drm/msm/msm_gem_submit.c b/drivers/gpu/drm/msm/msm_gem_submit.c
index 83e6ccad77286f297e2b214ffc96865368e8cdc8..fc2fb1019ea1c0bdd93a2e5e80b77c89a972320a 100644 (file)
--- a/drivers/gpu/drm/msm/msm_gem_submit.c
+++ b/drivers/gpu/drm/msm/msm_gem_submit.c
@@ -640,8 +640,8 @@ static struct msm_submit_post_dep *msm_parse_post_deps(struct drm_device *dev,
        int ret = 0;
        uint32_t i, j;
 
-       post_deps = kmalloc_array(nr_syncobjs, sizeof(*post_deps),
-                                 GFP_KERNEL | __GFP_NOWARN | __GFP_NORETRY);
+       post_deps = kcalloc(nr_syncobjs, sizeof(*post_deps),
+                           GFP_KERNEL | __GFP_NOWARN | __GFP_NORETRY);
        if (!post_deps)
                return ERR_PTR(-ENOMEM);
 
@@ -656,7 +656,6 @@ static struct msm_submit_post_dep *msm_parse_post_deps(struct drm_device *dev,
                }
 
                post_deps[i].point = syncobj_desc.point;
-               post_deps[i].chain = NULL;
 
                if (syncobj_desc.flags) {
                        ret = -EINVAL;