author: Ilija Hadzic <ihadzic@research.bell-labs.com> 2013-01-23 13:59:05 -0500
committer: Alex Deucher <alexander.deucher@amd.com> 2013-01-23 14:50:05 -0500
commit: 1da80cfa8727abf404fcee44d04743febea54069
tree: c3247c490a8182b54945036efbe7996a6446aea0
parent: b2f4b03f8a378cd626d2ea67d19e7470c050a098
drm/radeon: fix a rare case of double kfree
If one (but not both) allocations of p->chunks[].kpage[] in radeon_cs_parser_init fail, the error path will free the successfully allocated page, but leave a stale pointer value in the kpage[] field. This will later cause a double-free when radeon_cs_parser_fini is called. This patch fixes the issue by forcing both pointers to NULL after kfree in the error path.

The circumstances under which the problem happens are very rare. The card must be AGP and the system must run out of kmalloc area just at the right time so that one allocation succeeds, while the other fails.

Signed-off-by: Ilija Hadzic <ihadzic@research.bell-labs.com>
Cc: Herton Ronaldo Krzesinski <herton.krzesinski@canonical.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
-rw-r--r-- drivers/gpu/drm/radeon/radeon_cs.c 2
1 files changed, 2 insertions, 0 deletions
diff --git a/drivers/gpu/drm/radeon/radeon_cs.c b/drivers/gpu/drm/radeon/radeon_cs.c
index 469661fd1903..5407459e56d2 100644
--- a/drivers/gpu/drm/radeon/radeon_cs.c
+++ b/drivers/gpu/drm/radeon/radeon_cs.c
@@ -286,6 +286,8 @@ int radeon_cs_parser_init(struct radeon_cs_parser *p, void *data)
p->chunks[p->chunk_ib_idx].kpage[1] == NULL) {
kfree(p->chunks[p->chunk_ib_idx].kpage[0]);
kfree(p->chunks[p->chunk_ib_idx].kpage[1]);
+ p->chunks[p->chunk_ib_idx].kpage[0] = NULL;
+ p->chunks[p->chunk_ib_idx].kpage[1] = NULL;
return -ENOMEM;
}
}
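Review bot: the two added `kpage[0] = NULL` / `kpage[1] = NULL` assignments after the kfree() calls have no comment explaining why they are needed, so the dependency on radeon_cs_parser_fini freeing kpage[] a second time is recorded only in the commit message. A one-line comment above them, such as `/* radeon_cs_parser_fini() will kfree() kpage[] again */`, would stop a later cleanup from removing them as dead stores before `return -ENOMEM`. Since the commit message says fini runs after this failure and frees both pages, it is also worth asking whether this branch needs its own kfree() calls at all. Leaving the cleanup to a single owner would remove the pattern that produced the double free, whereas the current form depends on kfree(NULL) being a no-op and on every future error path remembering to clear the pointers.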