From mboxrd@z Thu Jan 1 00:00:00 1970 From: Dan Carpenter Date: Thu, 19 Mar 2015 10:17:04 +0000 Subject: [patch] drm/gma500: double free in psbfb_create() Message-Id: <20150319101704.GA13330@mwanda> List-Id: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit To: David Airlie , Alan Cox Cc: Daniel Vetter , kernel-janitors@vger.kernel.org, dri-devel@lists.freedesktop.org, Fabian Frederick , Alex Deucher , Dave Airlie , Thierry Reding The psb_gtt_free_range() frees "backing" so calling it twice is a double free bug. I have fixed this by removing the first call. Fixes: 4d8d096e9ae8 ('gma500: introduce the framebuffer support code') Signed-off-by: Dan Carpenter diff --git a/drivers/gpu/drm/gma500/framebuffer.c b/drivers/gpu/drm/gma500/framebuffer.c index 2d42ce6..89d5646 100644 --- a/drivers/gpu/drm/gma500/framebuffer.c +++ b/drivers/gpu/drm/gma500/framebuffer.c @@ -479,9 +479,7 @@ static int psbfb_create(struct psb_fbdev *fbdev, mutex_unlock(&dev->struct_mutex); return 0; out_unref: - if (backing->stolen) - psb_gtt_free_range(dev, backing); - else + if (!backing->stolen) drm_gem_object_unreference(&backing->gem); out_err1: mutex_unlock(&dev->struct_mutex); From mboxrd@z Thu Jan 1 00:00:00 1970 From: Dan Carpenter Subject: [patch] drm/gma500: double free in psbfb_create() Date: Thu, 19 Mar 2015 13:17:04 +0300 Message-ID: <20150319101704.GA13330@mwanda> Mime-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Return-path: Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) by gabe.freedesktop.org (Postfix) with ESMTP id C53EF6E255 for ; Thu, 19 Mar 2015 03:17:36 -0700 (PDT) Content-Disposition: inline List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dri-devel-bounces@lists.freedesktop.org Sender: "dri-devel" To: David Airlie , Alan Cox Cc: Daniel Vetter , kernel-janitors@vger.kernel.org, dri-devel@lists.freedesktop.org, Fabian Frederick , Alex Deucher , Dave Airlie , Thierry Reding List-Id: dri-devel@lists.freedesktop.org VGhlIHBzYl9ndHRfZnJlZV9yYW5nZSgpIGZyZWVzICJiYWNraW5nIiBzbyBjYWxsaW5nIGl0IHR3 aWNlIGlzIGEgZG91YmxlCmZyZWUgYnVnLiAgSSBoYXZlIGZpeGVkIHRoaXMgYnkgcmVtb3Zpbmcg dGhlIGZpcnN0IGNhbGwuCgpGaXhlczogNGQ4ZDA5NmU5YWU4ICAoJ2dtYTUwMDogaW50cm9kdWNl IHRoZSBmcmFtZWJ1ZmZlciBzdXBwb3J0IGNvZGUnKQpTaWduZWQtb2ZmLWJ5OiBEYW4gQ2FycGVu dGVyIDxkYW4uY2FycGVudGVyQG9yYWNsZS5jb20+CgpkaWZmIC0tZ2l0IGEvZHJpdmVycy9ncHUv ZHJtL2dtYTUwMC9mcmFtZWJ1ZmZlci5jIGIvZHJpdmVycy9ncHUvZHJtL2dtYTUwMC9mcmFtZWJ1 ZmZlci5jCmluZGV4IDJkNDJjZTYuLjg5ZDU2NDYgMTAwNjQ0Ci0tLSBhL2RyaXZlcnMvZ3B1L2Ry bS9nbWE1MDAvZnJhbWVidWZmZXIuYworKysgYi9kcml2ZXJzL2dwdS9kcm0vZ21hNTAwL2ZyYW1l YnVmZmVyLmMKQEAgLTQ3OSw5ICs0NzksNyBAQCBzdGF0aWMgaW50IHBzYmZiX2NyZWF0ZShzdHJ1 Y3QgcHNiX2ZiZGV2ICpmYmRldiwKIAltdXRleF91bmxvY2soJmRldi0+c3RydWN0X211dGV4KTsK IAlyZXR1cm4gMDsKIG91dF91bnJlZjoKLQlpZiAoYmFja2luZy0+c3RvbGVuKQotCQlwc2JfZ3R0 X2ZyZWVfcmFuZ2UoZGV2LCBiYWNraW5nKTsKLQllbHNlCisJaWYgKCFiYWNraW5nLT5zdG9sZW4p CiAJCWRybV9nZW1fb2JqZWN0X3VucmVmZXJlbmNlKCZiYWNraW5nLT5nZW0pOwogb3V0X2VycjE6 CiAJbXV0ZXhfdW5sb2NrKCZkZXYtPnN0cnVjdF9tdXRleCk7Cl9fX19fX19fX19fX19fX19fX19f X19fX19fX19fX19fX19fX19fX19fX19fX19fCmRyaS1kZXZlbCBtYWlsaW5nIGxpc3QKZHJpLWRl dmVsQGxpc3RzLmZyZWVkZXNrdG9wLm9yZwpodHRwOi8vbGlzdHMuZnJlZWRlc2t0b3Aub3JnL21h aWxtYW4vbGlzdGluZm8vZHJpLWRldmVsCg==