On Wed, Jan 30, 2013 at 10:21:22AM +0100, [email protected] wrote:
> 
> The patch below does not apply to the 3.7-stable tree.
> If someone wants it applied there, or to any other stable or longterm
> tree, then please email the backport, including the original git commit
> id to <[email protected]>.

To apply the patch below you must first cherry-pick the following one
for 3.7:

commit 25d8999780f8c1f53928f4a24a09c01550423109
Author: Ilija Hadzic <[email protected]>
Date:   Mon Jan 7 18:21:59 2013 -0500

    drm/radeon: fix error path in kpage allocation

> 
> thanks,
> 
> greg k-h
> 
> ------------------ original commit in Linus's tree ------------------
> 
> From 1da80cfa8727abf404fcee44d04743febea54069 Mon Sep 17 00:00:00 2001
> From: Ilija Hadzic <[email protected]>
> Date: Wed, 23 Jan 2013 13:59:05 -0500
> Subject: [PATCH] drm/radeon: fix a rare case of double kfree
> 
> If one (but not both) allocations of p->chunks[].kpage[]
> in radeon_cs_parser_init fail, the error path will free
> the successfully allocated page, but leave a stale pointer
> value in the kpage[] field. This will later cause a
> double-free when radeon_cs_parser_fini is called.
> This patch fixes the issue by forcing both pointers to NULL
> after kfree in the error path.
> 
> The circumstances under which the problem happens are very
> rare. The card must be AGP and the system must run out of
> kmalloc area just at the right time so that one allocation
> succeeds, while the other fails.
> 
> Signed-off-by: Ilija Hadzic <[email protected]>
> Cc: Herton Ronaldo Krzesinski <[email protected]>
> Signed-off-by: Alex Deucher <[email protected]>
> Cc: [email protected]
> 
> diff --git a/drivers/gpu/drm/radeon/radeon_cs.c 
> b/drivers/gpu/drm/radeon/radeon_cs.c
> index 469661f..5407459 100644
> --- a/drivers/gpu/drm/radeon/radeon_cs.c
> +++ b/drivers/gpu/drm/radeon/radeon_cs.c
> @@ -286,6 +286,8 @@ int radeon_cs_parser_init(struct radeon_cs_parser *p, 
> void *data)
>                           p->chunks[p->chunk_ib_idx].kpage[1] == NULL) {
>                               kfree(p->chunks[p->chunk_ib_idx].kpage[0]);
>                               kfree(p->chunks[p->chunk_ib_idx].kpage[1]);
> +                             p->chunks[p->chunk_ib_idx].kpage[0] = NULL;
> +                             p->chunks[p->chunk_ib_idx].kpage[1] = NULL;
>                               return -ENOMEM;
>                       }
>               }
> 

-- 
[]'s
Herton
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Reply via email to