From a5691ea7c3342146e89c63cd1b5669d5577149be Mon Sep 17 00:00:00 2001 From: Wang Yu Date: Tue, 9 Jun 2026 16:08:16 +0800 Subject: [PATCH] types/linux_dmabuf: fix use-after-free of device node name The name pointer points into the drmDevice structure, which is freed by drmFreeDevice(). The error log was using name after the free, which is undefined behavior. Move the error log before drmFreeDevice() so name is still valid when used in the log message. Signed-off-by: Wang Yu --- types/wlr_linux_dmabuf_v1.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/types/wlr_linux_dmabuf_v1.c b/types/wlr_linux_dmabuf_v1.c index 3165e8805..0b2e908fb 100644 --- a/types/wlr_linux_dmabuf_v1.c +++ b/types/wlr_linux_dmabuf_v1.c @@ -901,9 +901,9 @@ static bool set_default_feedback(struct wlr_linux_dmabuf_v1 *linux_dmabuf, if (device->available_nodes & (1 << DRM_NODE_RENDER)) { const char *name = device->nodes[DRM_NODE_RENDER]; main_device_fd = open(name, O_RDWR | O_CLOEXEC); - drmFreeDevice(&device); if (main_device_fd < 0) { wlr_log_errno(WLR_ERROR, "Failed to open DRM device %s", name); + drmFreeDevice(&device); goto error_compiled; } } else { @@ -913,8 +913,8 @@ static bool set_default_feedback(struct wlr_linux_dmabuf_v1 *linux_dmabuf, assert(device->available_nodes & (1 << DRM_NODE_PRIMARY)); wlr_log(WLR_DEBUG, "DRM device %s has no render node, " "skipping DMA-BUF import checks", device->nodes[DRM_NODE_PRIMARY]); - drmFreeDevice(&device); } + drmFreeDevice(&device); size_t tranches_len = feedback->tranches.size / sizeof(struct wlr_linux_dmabuf_feedback_v1_tranche);