Patch "drm/radeon: fix a rare case of double kfree" has been added to the 3.7-stable tree

[gregkh]

This is a note to let you know that I've just added the patch titled

    drm/radeon: fix a rare case of double kfree

to the 3.7-stable tree which can be found at:
    
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     drm-radeon-fix-a-rare-case-of-double-kfree.patch
and it can be found in the queue-3.7 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>From 1da80cfa8727abf404fcee44d04743febea54069 Mon Sep 17 00:00:00 2001
From: Ilija Hadzic <ihad...@research.bell-labs.com>
Date: Wed, 23 Jan 2013 13:59:05 -0500
Subject: drm/radeon: fix a rare case of double kfree

From: Ilija Hadzic <ihad...@research.bell-labs.com>

commit 1da80cfa8727abf404fcee44d04743febea54069 upstream.

If one (but not both) allocations of p->chunks[].kpage[]
in radeon_cs_parser_init fail, the error path will free
the successfully allocated page, but leave a stale pointer
value in the kpage[] field. This will later cause a
double-free when radeon_cs_parser_fini is called.
This patch fixes the issue by forcing both pointers to NULL
after kfree in the error path.

The circumstances under which the problem happens are very
rare. The card must be AGP and the system must run out of
kmalloc area just at the right time so that one allocation
succeeds, while the other fails.

Signed-off-by: Ilija Hadzic <ihad...@research.bell-labs.com>
Cc: Herton Ronaldo Krzesinski <herton.krzesin...@canonical.com>
Signed-off-by: Alex Deucher <alexander.deuc...@amd.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
 drivers/gpu/drm/radeon/radeon_cs.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/gpu/drm/radeon/radeon_cs.c
+++ b/drivers/gpu/drm/radeon/radeon_cs.c
@@ -273,6 +273,8 @@ int radeon_cs_parser_init(struct radeon_
                            p->chunks[p->chunk_ib_idx].kpage[1] == NULL) {
                                kfree(p->chunks[p->chunk_ib_idx].kpage[0]);
                                kfree(p->chunks[p->chunk_ib_idx].kpage[1]);
+                               p->chunks[p->chunk_ib_idx].kpage[0] = NULL;
+                               p->chunks[p->chunk_ib_idx].kpage[1] = NULL;
                                return -ENOMEM;
                        }
                }


Patches currently in stable-queue which might be from 
ihad...@research.bell-labs.com are

queue-3.7/drm-radeon-fix-a-rare-case-of-double-kfree.patch
queue-3.7/drm-radeon-fix-error-path-in-kpage-allocation.patch
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html