On Wed, Jan 23, 2013 at 1:59 PM, Ilija Hadzic
<ihadzic at research.bell-labs.com> wrote:
> If one (but not both) allocations of p->chunks[].kpage[]
> in radeon_cs_parser_init fail, the error path will free
> the successfully allocated page, but leave a stale pointer
> value in the kpage[] field. This will later cause a
> double-free when radeon_cs_parser_fini is called.
> This patch fixes the issue by forcing both pointers to NULL
> after kfree in the error path.
>
> The circumstances under which the problem happens are very
> rare. The card must be AGP and the system must run out of
> kmalloc area just at the right time so that one allocation
> succeeds, while the other fails.
>
> Signed-off-by: Ilija Hadzic <ihadzic at research.bell-labs.com>
> Cc: Herton Ronaldo Krzesinski <herton.krzesinski at canonical.com>
Thanks, Added to my -fixes queue.
Alex
> ---
> drivers/gpu/drm/radeon/radeon_cs.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/drivers/gpu/drm/radeon/radeon_cs.c
> b/drivers/gpu/drm/radeon/radeon_cs.c
> index 469661f..5407459 100644
> --- a/drivers/gpu/drm/radeon/radeon_cs.c
> +++ b/drivers/gpu/drm/radeon/radeon_cs.c
> @@ -286,6 +286,8 @@ int radeon_cs_parser_init(struct radeon_cs_parser *p,
> void *data)
> p->chunks[p->chunk_ib_idx].kpage[1] == NULL) {
> kfree(p->chunks[p->chunk_ib_idx].kpage[0]);
> kfree(p->chunks[p->chunk_ib_idx].kpage[1]);
> + p->chunks[p->chunk_ib_idx].kpage[0] = NULL;
> + p->chunks[p->chunk_ib_idx].kpage[1] = NULL;
> return -ENOMEM;
> }
> }
> --
> 1.8.1
>
> _______________________________________________
> dri-devel mailing list
> dri-devel at lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/dri-devel
