On Tue, Feb 24, 2026 at 10:12:28PM +0000, Jonathan Cavitt wrote:
> 'modes' in drm_client_modeset_probe may fail to kcalloc. If this
> occurs, we jump to 'out', calling modes_destroy on it, which
> dereferences it. This may result in a NULL pointer dereference in the
> error case. Prevent that.
>
> Fixes: 3039cc0c0653 ("drm/client: Make copies of modes")
> Signed-off-by: Jonathan Cavitt <[email protected]>
> Cc: Ville Syrjälä <[email protected]>
Thanks. Pushed to drm-misc-fixes.
> ---
> drivers/gpu/drm/drm_client_modeset.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/drm_client_modeset.c
> b/drivers/gpu/drm/drm_client_modeset.c
> index 262b1b8773c5..bb49b8361271 100644
> --- a/drivers/gpu/drm/drm_client_modeset.c
> +++ b/drivers/gpu/drm/drm_client_modeset.c
> @@ -930,7 +930,8 @@ int drm_client_modeset_probe(struct drm_client_dev
> *client, unsigned int width,
> mutex_unlock(&client->modeset_mutex);
> out:
> kfree(crtcs);
> - modes_destroy(dev, modes, connector_count);
> + if (modes)
> + modes_destroy(dev, modes, connector_count);
> kfree(modes);
> kfree(offsets);
> kfree(enabled);
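Review bot: the `if (modes)` guard at the `out:` label protects only this one call site, so any other caller of modes_destroy() that can reach it with a NULL array would still dereference it. Consider moving the check to the top of modes_destroy() as an early return, which would make it NULL-tolerant in the same way as the kfree() calls around it and leave the cleanup path here as a single unconditional call. If the guard stays in the caller, a short comment noting that `modes` can be NULL when its kcalloc fails would explain why only this one cleanup call is conditional.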
> --
> 2.43.0
--
Ville Syrjälä
Intel