On Wed, Jan 30, 2013 at 10:21:22AM +0100, [email protected] wrote: > > The patch below does not apply to the 3.7-stable tree. > If someone wants it applied there, or to any other stable or longterm > tree, then please email the backport, including the original git commit > id to <[email protected]>.
To apply the patch below you must first cherry-pick the following one for 3.7: commit 25d8999780f8c1f53928f4a24a09c01550423109 Author: Ilija Hadzic <[email protected]> Date: Mon Jan 7 18:21:59 2013 -0500 drm/radeon: fix error path in kpage allocation > > thanks, > > greg k-h > > ------------------ original commit in Linus's tree ------------------ > > From 1da80cfa8727abf404fcee44d04743febea54069 Mon Sep 17 00:00:00 2001 > From: Ilija Hadzic <[email protected]> > Date: Wed, 23 Jan 2013 13:59:05 -0500 > Subject: [PATCH] drm/radeon: fix a rare case of double kfree > > If one (but not both) allocations of p->chunks[].kpage[] > in radeon_cs_parser_init fail, the error path will free > the successfully allocated page, but leave a stale pointer > value in the kpage[] field. This will later cause a > double-free when radeon_cs_parser_fini is called. > This patch fixes the issue by forcing both pointers to NULL > after kfree in the error path. > > The circumstances under which the problem happens are very > rare. The card must be AGP and the system must run out of > kmalloc area just at the right time so that one allocation > succeeds, while the other fails. > > Signed-off-by: Ilija Hadzic <[email protected]> > Cc: Herton Ronaldo Krzesinski <[email protected]> > Signed-off-by: Alex Deucher <[email protected]> > Cc: [email protected] > > diff --git a/drivers/gpu/drm/radeon/radeon_cs.c > b/drivers/gpu/drm/radeon/radeon_cs.c > index 469661f..5407459 100644 > --- a/drivers/gpu/drm/radeon/radeon_cs.c > +++ b/drivers/gpu/drm/radeon/radeon_cs.c > @@ -286,6 +286,8 @@ int radeon_cs_parser_init(struct radeon_cs_parser *p, > void *data) > p->chunks[p->chunk_ib_idx].kpage[1] == NULL) { > kfree(p->chunks[p->chunk_ib_idx].kpage[0]); > kfree(p->chunks[p->chunk_ib_idx].kpage[1]); > + p->chunks[p->chunk_ib_idx].kpage[0] = NULL; > + p->chunks[p->chunk_ib_idx].kpage[1] = NULL; > return -ENOMEM; > } > } > -- []'s Herton -- To unsubscribe from this list: send the line "unsubscribe stable" in the body of a message to [email protected] More majordomo info at http://vger.kernel.org/majordomo-info.html
