[PATCH] drm/radeon: fix a rare case of double kfree
On Wed, Jan 23, 2013 at 1:59 PM, Ilija Hadzic
wrote:
> If one (but not both) allocations of p->chunks[].kpage[]
> in radeon_cs_parser_init fail, the error path will free
> the successfully allocated page, but leave a stale pointer
> value in the kpage[] field. This will later cause a
> double-free when radeon_cs_parser_fini is called.
> This patch fixes the issue by forcing both pointers to NULL
> after kfree in the error path.
>
> The circumstances under which the problem happens are very
> rare. The card must be AGP and the system must run out of
> kmalloc area just at the right time so that one allocation
> succeeds, while the other fails.
>
> Signed-off-by: Ilija Hadzic
> Cc: Herton Ronaldo Krzesinski
Thanks, Added to my -fixes queue.
Alex
> ---
> drivers/gpu/drm/radeon/radeon_cs.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/drivers/gpu/drm/radeon/radeon_cs.c
> b/drivers/gpu/drm/radeon/radeon_cs.c
> index 469661f..5407459 100644
> --- a/drivers/gpu/drm/radeon/radeon_cs.c
> +++ b/drivers/gpu/drm/radeon/radeon_cs.c
> @@ -286,6 +286,8 @@ int radeon_cs_parser_init(struct radeon_cs_parser *p,
> void *data)
> p->chunks[p->chunk_ib_idx].kpage[1] == NULL) {
> kfree(p->chunks[p->chunk_ib_idx].kpage[0]);
> kfree(p->chunks[p->chunk_ib_idx].kpage[1]);
> + p->chunks[p->chunk_ib_idx].kpage[0] = NULL;
> + p->chunks[p->chunk_ib_idx].kpage[1] = NULL;
> return -ENOMEM;
> }
> }
> --
> 1.8.1
>
> ___
> dri-devel mailing list
> dri-devel at lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/dri-devel
[PATCH] drm/radeon: fix a rare case of double kfree
If one (but not both) allocations of p->chunks[].kpage[]
in radeon_cs_parser_init fail, the error path will free
the successfully allocated page, but leave a stale pointer
value in the kpage[] field. This will later cause a
double-free when radeon_cs_parser_fini is called.
This patch fixes the issue by forcing both pointers to NULL
after kfree in the error path.
The circumstances under which the problem happens are very
rare. The card must be AGP and the system must run out of
kmalloc area just at the right time so that one allocation
succeeds, while the other fails.
Signed-off-by: Ilija Hadzic
Cc: Herton Ronaldo Krzesinski
---
drivers/gpu/drm/radeon/radeon_cs.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/gpu/drm/radeon/radeon_cs.c
b/drivers/gpu/drm/radeon/radeon_cs.c
index 469661f..5407459 100644
--- a/drivers/gpu/drm/radeon/radeon_cs.c
+++ b/drivers/gpu/drm/radeon/radeon_cs.c
@@ -286,6 +286,8 @@ int radeon_cs_parser_init(struct radeon_cs_parser *p, void
*data)
p->chunks[p->chunk_ib_idx].kpage[1] == NULL) {
kfree(p->chunks[p->chunk_ib_idx].kpage[0]);
kfree(p->chunks[p->chunk_ib_idx].kpage[1]);
+ p->chunks[p->chunk_ib_idx].kpage[0] = NULL;
+ p->chunks[p->chunk_ib_idx].kpage[1] = NULL;
return -ENOMEM;
}
}
--
1.8.1
Re: [PATCH] drm/radeon: fix a rare case of double kfree
On Wed, Jan 23, 2013 at 1:59 PM, Ilija Hadzic
wrote:
> If one (but not both) allocations of p->chunks[].kpage[]
> in radeon_cs_parser_init fail, the error path will free
> the successfully allocated page, but leave a stale pointer
> value in the kpage[] field. This will later cause a
> double-free when radeon_cs_parser_fini is called.
> This patch fixes the issue by forcing both pointers to NULL
> after kfree in the error path.
>
> The circumstances under which the problem happens are very
> rare. The card must be AGP and the system must run out of
> kmalloc area just at the right time so that one allocation
> succeeds, while the other fails.
>
> Signed-off-by: Ilija Hadzic
> Cc: Herton Ronaldo Krzesinski
Thanks, Added to my -fixes queue.
Alex
> ---
> drivers/gpu/drm/radeon/radeon_cs.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/drivers/gpu/drm/radeon/radeon_cs.c
> b/drivers/gpu/drm/radeon/radeon_cs.c
> index 469661f..5407459 100644
> --- a/drivers/gpu/drm/radeon/radeon_cs.c
> +++ b/drivers/gpu/drm/radeon/radeon_cs.c
> @@ -286,6 +286,8 @@ int radeon_cs_parser_init(struct radeon_cs_parser *p,
> void *data)
> p->chunks[p->chunk_ib_idx].kpage[1] == NULL) {
> kfree(p->chunks[p->chunk_ib_idx].kpage[0]);
> kfree(p->chunks[p->chunk_ib_idx].kpage[1]);
> + p->chunks[p->chunk_ib_idx].kpage[0] = NULL;
> + p->chunks[p->chunk_ib_idx].kpage[1] = NULL;
> return -ENOMEM;
> }
> }
> --
> 1.8.1
>
> ___
> dri-devel mailing list
> dri-devel@lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/dri-devel
___
dri-devel mailing list
dri-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/dri-devel
[PATCH] drm/radeon: fix a rare case of double kfree
If one (but not both) allocations of p->chunks[].kpage[]
in radeon_cs_parser_init fail, the error path will free
the successfully allocated page, but leave a stale pointer
value in the kpage[] field. This will later cause a
double-free when radeon_cs_parser_fini is called.
This patch fixes the issue by forcing both pointers to NULL
after kfree in the error path.
The circumstances under which the problem happens are very
rare. The card must be AGP and the system must run out of
kmalloc area just at the right time so that one allocation
succeeds, while the other fails.
Signed-off-by: Ilija Hadzic
Cc: Herton Ronaldo Krzesinski
---
drivers/gpu/drm/radeon/radeon_cs.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/gpu/drm/radeon/radeon_cs.c
b/drivers/gpu/drm/radeon/radeon_cs.c
index 469661f..5407459 100644
--- a/drivers/gpu/drm/radeon/radeon_cs.c
+++ b/drivers/gpu/drm/radeon/radeon_cs.c
@@ -286,6 +286,8 @@ int radeon_cs_parser_init(struct radeon_cs_parser *p, void
*data)
p->chunks[p->chunk_ib_idx].kpage[1] == NULL) {
kfree(p->chunks[p->chunk_ib_idx].kpage[0]);
kfree(p->chunks[p->chunk_ib_idx].kpage[1]);
+ p->chunks[p->chunk_ib_idx].kpage[0] = NULL;
+ p->chunks[p->chunk_ib_idx].kpage[1] = NULL;
return -ENOMEM;
}
}
--
1.8.1
___
dri-devel mailing list
dri-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/dri-devel
