From mboxrd@z Thu Jan 1 00:00:00 1970 From: Sudip Mukherjee Subject: Re: [PATCH v3] drm/gma500: fix double freeing Date: Wed, 9 Dec 2015 17:23:04 +0530 Message-ID: <20151209115304.GC24852@sudip-pc> References: <1444146539-5698-1-git-send-email-sudipm.mukherjee@gmail.com> <1444308468-8910-1-git-send-email-sudipm.mukherjee@gmail.com> Mime-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Return-path: Received: from mail-pa0-f41.google.com (mail-pa0-f41.google.com [209.85.220.41]) by gabe.freedesktop.org (Postfix) with ESMTPS id 585E46E8E9 for ; Wed, 9 Dec 2015 03:53:10 -0800 (PST) Received: by pacdm15 with SMTP id dm15so28947143pac.3 for ; Wed, 09 Dec 2015 03:53:09 -0800 (PST) Content-Disposition: inline In-Reply-To: <1444308468-8910-1-git-send-email-sudipm.mukherjee@gmail.com> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dri-devel-bounces@lists.freedesktop.org Sender: "dri-devel" To: David Airlie , Daniel Vetter , patrik.r.jakobsson@gmail.com Cc: linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org List-Id: dri-devel@lists.freedesktop.org T24gVGh1LCBPY3QgMDgsIDIwMTUgYXQgMDY6MTc6NDhQTSArMDUzMCwgU3VkaXAgTXVraGVyamVl IHdyb3RlOgo+IFdlIGFyZSBhbGxvY2F0aW5nIGJhY2tpbmcgdXNpbmcgcHNiZmJfYWxsb2MoKSBh bmQgc28KPiBiYWNraW5nLT5zdG9sZW4gaXMgYWx3YXlzIHRydWUuIFNvIHdlIHdlcmUgZnJlZWlu ZyBiYWNraW5nIHR3byB0aW1lcy4KPiBNb3Jlb3ZlciBpZiB3ZSBmb2xsb3cgdGhlIGV4ZWN1dGlv biBwYXRoIHRoZW4gd2Ugc2hvdWxkIGJlIGZyZWVpbmcKPiBiYWNraW5nIGFmdGVyIHdlIGhhdmUg cmVsZWFzZWQgdGhlIGhlbHBlci4gU28gcmVtb3ZlIHRoZSBvbmUgd2hpY2ggZnJlZXMKPiBiYWNr aW5nIGJlZm9yZSB0aGUgaGVscGVyIGlzIHJlbGVhc2VkLgo+IFdoaWxlIGF0IGl0IHRoZSBlcnJv ciBsYWJlbHMgYXJlIGFsc28gcmVuYW1lZCB0byBnaXZlIGEgbWVhbmluZ2Z1bAo+IG5hbWUuCj4g Cj4gU2lnbmVkLW9mZi1ieTogU3VkaXAgTXVraGVyamVlIDxzdWRpcEB2ZWN0b3JpbmRpYS5vcmc+ Cj4gUmV2aWV3ZWQtYnk6IFBhdHJpayBKYWtvYnNzb24gPHBhdHJpay5yLmpha29ic3NvbkBnbWFp bC5jb20+Cj4gLS0tCgpUaGlzIHBhdGNoIHdhcyBuZXZlciBwaWNrZWQgdXAuIEl0IHdpbGwgbm90 IGFwcGx5IG5vdy4KCkRhbmllbCwgcGxlYXNlIGxldCBtZSBrbm93IGlmIHlvdSB3YW50IG1lIHRv IHJlc2VuZCBhZnRlciBtYWtpbmcKbmVjZXNzYXJ5IGNoYW5nZXMuCgpyZWdhcmRzCnN1ZGlwCgo+ ICBkcml2ZXJzL2dwdS9kcm0vZ21hNTAwL2ZyYW1lYnVmZmVyLmMgfCAxMyArKysrLS0tLS0tLS0t Cj4gIDEgZmlsZSBjaGFuZ2VkLCA0IGluc2VydGlvbnMoKyksIDkgZGVsZXRpb25zKC0pCj4gCj4g ZGlmZiAtLWdpdCBhL2RyaXZlcnMvZ3B1L2RybS9nbWE1MDAvZnJhbWVidWZmZXIuYyBiL2RyaXZl cnMvZ3B1L2RybS9nbWE1MDAvZnJhbWVidWZmZXIuYwo+IGluZGV4IDJlYWYxYjMuLjUyZTJiZjMg MTAwNjQ0Cj4gLS0tIGEvZHJpdmVycy9ncHUvZHJtL2dtYTUwMC9mcmFtZWJ1ZmZlci5jCj4gKysr IGIvZHJpdmVycy9ncHUvZHJtL2dtYTUwMC9mcmFtZWJ1ZmZlci5jCj4gQEAgLTQxMSw3ICs0MTEs NyBAQCBzdGF0aWMgaW50IHBzYmZiX2NyZWF0ZShzdHJ1Y3QgcHNiX2ZiZGV2ICpmYmRldiwKPiAg CWluZm8gPSBkcm1fZmJfaGVscGVyX2FsbG9jX2ZiaSgmZmJkZXYtPnBzYl9mYl9oZWxwZXIpOwo+ ICAJaWYgKElTX0VSUihpbmZvKSkgewo+ICAJCXJldCA9IFBUUl9FUlIoaW5mbyk7Cj4gLQkJZ290 byBvdXRfZXJyMTsKPiArCQlnb3RvIGVycl91bmxvY2s7Cj4gIAl9Cj4gIAlpbmZvLT5wYXIgPSBm YmRldjsKPiAgCj4gQEAgLTQxOSw3ICs0MTksNyBAQCBzdGF0aWMgaW50IHBzYmZiX2NyZWF0ZShz dHJ1Y3QgcHNiX2ZiZGV2ICpmYmRldiwKPiAgCj4gIAlyZXQgPSBwc2JfZnJhbWVidWZmZXJfaW5p dChkZXYsIHBzYmZiLCAmbW9kZV9jbWQsIGJhY2tpbmcpOwo+ICAJaWYgKHJldCkKPiAtCQlnb3Rv IG91dF91bnJlZjsKPiArCQlnb3RvIGVycl9yZWxlYXNlOwo+ICAKPiAgCWZiID0gJnBzYmZiLT5i YXNlOwo+ICAJcHNiZmItPmZiZGV2ID0gaW5mbzsKPiBAQCAtNDY1LDE0ICs0NjUsOSBAQCBzdGF0 aWMgaW50IHBzYmZiX2NyZWF0ZShzdHJ1Y3QgcHNiX2ZiZGV2ICpmYmRldiwKPiAgCj4gIAltdXRl eF91bmxvY2soJmRldi0+c3RydWN0X211dGV4KTsKPiAgCXJldHVybiAwOwo+IC1vdXRfdW5yZWY6 Cj4gLQlpZiAoYmFja2luZy0+c3RvbGVuKQo+IC0JCXBzYl9ndHRfZnJlZV9yYW5nZShkZXYsIGJh Y2tpbmcpOwo+IC0JZWxzZQo+IC0JCWRybV9nZW1fb2JqZWN0X3VucmVmZXJlbmNlKCZiYWNraW5n LT5nZW0pOwo+IC0KPiArZXJyX3JlbGVhc2U6Cj4gIAlkcm1fZmJfaGVscGVyX3JlbGVhc2VfZmJp KCZmYmRldi0+cHNiX2ZiX2hlbHBlcik7Cj4gLW91dF9lcnIxOgo+ICtlcnJfdW5sb2NrOgo+ICAJ bXV0ZXhfdW5sb2NrKCZkZXYtPnN0cnVjdF9tdXRleCk7Cj4gIAlwc2JfZ3R0X2ZyZWVfcmFuZ2Uo ZGV2LCBiYWNraW5nKTsKPiAgCXJldHVybiByZXQ7Cj4gLS0gCj4gMS45LjEKPiAKX19fX19fX19f X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18KZHJpLWRldmVsIG1haWxpbmcg bGlzdApkcmktZGV2ZWxAbGlzdHMuZnJlZWRlc2t0b3Aub3JnCmh0dHA6Ly9saXN0cy5mcmVlZGVz a3RvcC5vcmcvbWFpbG1hbi9saXN0aW5mby9kcmktZGV2ZWwK From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753936AbbLILxN (ORCPT ); Wed, 9 Dec 2015 06:53:13 -0500 Received: from mail-pa0-f47.google.com ([209.85.220.47]:33770 "EHLO mail-pa0-f47.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753881AbbLILxK (ORCPT ); Wed, 9 Dec 2015 06:53:10 -0500 Date: Wed, 9 Dec 2015 17:23:04 +0530 From: Sudip Mukherjee To: David Airlie , Daniel Vetter , patrik.r.jakobsson@gmail.com Cc: linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org Subject: Re: [PATCH v3] drm/gma500: fix double freeing Message-ID: <20151209115304.GC24852@sudip-pc> References: <1444146539-5698-1-git-send-email-sudipm.mukherjee@gmail.com> <1444308468-8910-1-git-send-email-sudipm.mukherjee@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1444308468-8910-1-git-send-email-sudipm.mukherjee@gmail.com> User-Agent: Mutt/1.5.21 (2010-09-15) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Oct 08, 2015 at 06:17:48PM +0530, Sudip Mukherjee wrote: > We are allocating backing using psbfb_alloc() and so > backing->stolen is always true. So we were freeing backing two times. > Moreover if we follow the execution path then we should be freeing > backing after we have released the helper. So remove the one which frees > backing before the helper is released. > While at it the error labels are also renamed to give a meaningful > name. > > Signed-off-by: Sudip Mukherjee > Reviewed-by: Patrik Jakobsson > --- This patch was never picked up. It will not apply now. Daniel, please let me know if you want me to resend after making necessary changes. regards sudip > drivers/gpu/drm/gma500/framebuffer.c | 13 ++++--------- > 1 file changed, 4 insertions(+), 9 deletions(-) > > diff --git a/drivers/gpu/drm/gma500/framebuffer.c b/drivers/gpu/drm/gma500/framebuffer.c > index 2eaf1b3..52e2bf3 100644 > --- a/drivers/gpu/drm/gma500/framebuffer.c > +++ b/drivers/gpu/drm/gma500/framebuffer.c > @@ -411,7 +411,7 @@ static int psbfb_create(struct psb_fbdev *fbdev, > info = drm_fb_helper_alloc_fbi(&fbdev->psb_fb_helper); > if (IS_ERR(info)) { > ret = PTR_ERR(info); > - goto out_err1; > + goto err_unlock; > } > info->par = fbdev; > > @@ -419,7 +419,7 @@ static int psbfb_create(struct psb_fbdev *fbdev, > > ret = psb_framebuffer_init(dev, psbfb, &mode_cmd, backing); > if (ret) > - goto out_unref; > + goto err_release; > > fb = &psbfb->base; > psbfb->fbdev = info; > @@ -465,14 +465,9 @@ static int psbfb_create(struct psb_fbdev *fbdev, > > mutex_unlock(&dev->struct_mutex); > return 0; > -out_unref: > - if (backing->stolen) > - psb_gtt_free_range(dev, backing); > - else > - drm_gem_object_unreference(&backing->gem); > - > +err_release: > drm_fb_helper_release_fbi(&fbdev->psb_fb_helper); > -out_err1: > +err_unlock: > mutex_unlock(&dev->struct_mutex); > psb_gtt_free_range(dev, backing); > return ret; > -- > 1.9.1 >