From 5c42b5e36a4a02e579ec5dcdc3a95ce58538224c Mon Sep 17 00:00:00 2001
From: Mathias Tillman
Date: Mon, 24 Aug 2015 11:56:13 +0800
Subject: [PATCH] drm: fix the usage after free
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
For readdir_r(), the next directory entry is returned in caller-allocted buffer (pointered by pent here).
https://bugs.freedesktop.org/show_bug.cgi?id=91704
Signed-off-by: Mathias Tillman
Signed-off-by: Jammy Zhou
Reviewed-by: Christian König
---
xf86drm.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/xf86drm.c b/xf86drm.c
index 5e029694..a7cc6438 100644
--- a/xf86drm.c
+++ b/xf86drm.c
@@ -2803,11 +2803,12 @@ static char *drmGetMinorNameForFD(int fd, int type)
 while (readdir_r(sysdir, pent, &ent) == 0 && ent != NULL) {
 if (strncmp(ent->d_name, name, len) == 0) {
+ snprintf(dev_name, sizeof(dev_name), DRM_DIR_NAME "/%s",
+ ent->d_name);
+
 free(pent);
 closedir(sysdir);
- snprintf(dev_name, sizeof(dev_name), DRM_DIR_NAME "/%s",
- ent->d_name);
 return strdup(dev_name);
 }
 }
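Review bot: Nothing in the matched-entry branch records why `snprintf` has to run before `free(pent)`, so a later tidy-up could move the calls back and reintroduce the use-after-free; a comment above the call such as `/* ent points into pent (the readdir_r buffer): copy d_name before free(pent) */` would pin the lifetime rule. The return value of `snprintf` is also ignored, so if `dev_name` (declared outside this hunk) is shorter than `DRM_DIR_NAME` plus a full `d_name`, a truncated device path would be handed to `strdup` and returned without any error. Storing the result in an `int n` and failing on `if (n < 0 || (size_t)n >= sizeof(dev_name))` would close that. The function starts and ends outside the hunk, so the size allocated for `pent` and the cleanup on the no-match path cannot be checked from here.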