[PATCH 02/10] vmwgfx: Fix an error path causing an oops.

Wed, 13 Jan 2010 13:28:46 -0800 

An error happening before the snooper.image member had been set up
would cause a kfree of an arbitrary pointer. Set up the snooper.image
member early.

Signed-off-by: Thomas Hellstrom <thellst...@vmware.com>
---
 drivers/gpu/drm/vmwgfx/vmwgfx_resource.c |   39 ++++++++++++++++-------------
 1 files changed, 21 insertions(+), 18 deletions(-)

diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_resource.c 
b/drivers/gpu/drm/vmwgfx/vmwgfx_resource.c
index c012d59..125c2f4 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_resource.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_resource.c
@@ -599,6 +599,27 @@ int vmw_surface_define_ioctl(struct drm_device *dev, void 
*data,
        if (unlikely(ret != 0))
                goto out_err1;
 
+
+       if (srf->flags & (1 << 9) &&
+           srf->num_sizes == 1 &&
+           srf->sizes[0].width == 64 &&
+           srf->sizes[0].height == 64 &&
+           srf->format == SVGA3D_A8R8G8B8) {
+
+               srf->snooper.image = kmalloc(64 * 64 * 4, GFP_KERNEL);
+               /* clear the image */
+               if (srf->snooper.image) {
+                       memset(srf->snooper.image, 0x00, 64 * 64 * 4);
+               } else {
+                       DRM_ERROR("Failed to allocate cursor_image\n");
+                       ret = -ENOMEM;
+                       goto out_err1;
+               }
+       } else {
+               srf->snooper.image = NULL;
+       }
+       srf->snooper.crtc = NULL;
+
        user_srf->base.shareable = false;
        user_srf->base.tfile = NULL;
 
@@ -622,24 +643,6 @@ int vmw_surface_define_ioctl(struct drm_device *dev, void 
*data,
                return ret;
        }
 
-       if (srf->flags & (1 << 9) &&
-           srf->num_sizes == 1 &&
-           srf->sizes[0].width == 64 &&
-           srf->sizes[0].height == 64 &&
-           srf->format == SVGA3D_A8R8G8B8) {
-
-               srf->snooper.image = kmalloc(64 * 64 * 4, GFP_KERNEL);
-               /* clear the image */
-               if (srf->snooper.image)
-                       memset(srf->snooper.image, 0x00, 64 * 64 * 4);
-               else
-                       DRM_ERROR("Failed to allocate cursor_image\n");
-
-       } else {
-               srf->snooper.image = NULL;
-       }
-       srf->snooper.crtc = NULL;
-
        rep->sid = user_srf->base.hash.key;
        if (rep->sid == SVGA3D_INVALID_ID)
                DRM_ERROR("Created bad Surface ID.\n");
-- 
1.6.2.5


------------------------------------------------------------------------------
This SF.Net email is sponsored by the Verizon Developer Community
Take advantage of Verizon's best-in-class app development support
A streamlined, 14 day to market process makes app distribution fast and easy
Join now and get one step closer to millions of Verizon customers
http://p.sf.net/sfu/verizon-dev2dev 
--
_______________________________________________
Dri-devel mailing list
Dri-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/dri-devel

Reply via email to