In host1x_device_init(), the error teardown paths do not check client->ops before dereferencing it, unlike the forward init paths which correctly guard with 'client->ops &&'. This can result in a NULL pointer dereference if client->ops is NULL.
Fix by adding the missing client->ops check in both the teardown and teardown_late labels. Signed-off-by: shayderrr <[email protected]> --- drivers/gpu/host1x/bus.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/host1x/bus.c b/drivers/gpu/host1x/bus.c index f814eb4941c0..43ce048de73a 100644 --- a/drivers/gpu/host1x/bus.c +++ b/drivers/gpu/host1x/bus.c @@ -221,7 +221,7 @@ int host1x_device_init(struct host1x_device *device) teardown: list_for_each_entry_continue_reverse(client, &device->clients, list) - if (client->ops->exit) + if (client->ops && client->ops->exit) client->ops->exit(client); /* reset client to end of list for late teardown */ @@ -229,7 +229,7 @@ int host1x_device_init(struct host1x_device *device) teardown_late: list_for_each_entry_continue_reverse(client, &device->clients, list) - if (client->ops->late_exit) + if (client->ops && client->ops->late_exit) client->ops->late_exit(client); mutex_unlock(&device->clients_lock); -- 2.50.1 (Apple Git-155)
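Review bot: the changelog for the guard added under teardown, `if (client->ops && client->ops->exit)`, only says the old code "can result" in a NULL pointer dereference. It should state whether a client with NULL ops was actually observed reaching this error path or whether the problem was found by inspection, and it should carry a Fixes: tag for the commit that introduced the unguarded teardown so the change can be assessed for stable backports. The Signed-off-by line also uses what looks like a handle; the kernel's sign-off rules ask for a known identity.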
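Review bot: in the teardown_late hunk, the body of list_for_each_entry_continue_reverse() is an if statement plus its call with no braces around the loop body. Kernel coding style asks for braces when a loop contains more than a single simple statement. Since the patch already touches the condition in both loops, adding braces here and under teardown would keep a later edit from placing a statement outside the loop by accident.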
