* [patch] drm/gma500: double free in psbfb_create()
@ 2015-03-19 10:17 Dan Carpenter
2015-03-19 12:20 ` Alan Cox
0 siblings, 1 reply; 2+ messages in thread
From: Dan Carpenter @ 2015-03-19 10:17 UTC (permalink / raw)
To: David Airlie, Alan Cox
Cc: Daniel Vetter, kernel-janitors, dri-devel, Fabian Frederick,
Alex Deucher, Dave Airlie, Thierry Reding
The psb_gtt_free_range() frees "backing" so calling it twice is a double
free bug. I have fixed this by removing the first call.
Fixes: 4d8d096e9ae8 ('gma500: introduce the framebuffer support code')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
diff --git a/drivers/gpu/drm/gma500/framebuffer.c b/drivers/gpu/drm/gma500/framebuffer.c
index 2d42ce6..89d5646 100644
--- a/drivers/gpu/drm/gma500/framebuffer.c
+++ b/drivers/gpu/drm/gma500/framebuffer.c
@@ -479,9 +479,7 @@ static int psbfb_create(struct psb_fbdev *fbdev,
mutex_unlock(&dev->struct_mutex);
return 0;
out_unref:
- if (backing->stolen)
- psb_gtt_free_range(dev, backing);
- else
+ if (!backing->stolen)
drm_gem_object_unreference(&backing->gem);
out_err1:
mutex_unlock(&dev->struct_mutex);
^ permalink raw reply related [flat|nested] 2+ messages in thread* Re: [patch] drm/gma500: double free in psbfb_create()
2015-03-19 10:17 [patch] drm/gma500: double free in psbfb_create() Dan Carpenter
@ 2015-03-19 12:20 ` Alan Cox
0 siblings, 0 replies; 2+ messages in thread
From: Alan Cox @ 2015-03-19 12:20 UTC (permalink / raw)
To: Dan Carpenter
Cc: David Airlie, Daniel Vetter, Thierry Reding, Dave Airlie,
Alex Deucher, Fabian Frederick, dri-devel, kernel-janitors
On Thu, 2015-03-19 at 13:17 +0300, Dan Carpenter wrote:
> The psb_gtt_free_range() frees "backing" so calling it twice is a double
> free bug. I have fixed this by removing the first call.
>
> Fixes: 4d8d096e9ae8 ('gma500: introduce the framebuffer support code')
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
#facepalm
Acked-by: Alan Cox <alan@linux.intel.com>
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2015-03-19 12:20 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-03-19 10:17 [patch] drm/gma500: double free in psbfb_create() Dan Carpenter
2015-03-19 12:20 ` Alan Cox
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).