From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753936AbbLILxN (ORCPT ); Wed, 9 Dec 2015 06:53:13 -0500 Received: from mail-pa0-f47.google.com ([209.85.220.47]:33770 "EHLO mail-pa0-f47.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753881AbbLILxK (ORCPT ); Wed, 9 Dec 2015 06:53:10 -0500 Date: Wed, 9 Dec 2015 17:23:04 +0530 From: Sudip Mukherjee To: David Airlie , Daniel Vetter , patrik.r.jakobsson@gmail.com Cc: linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org Subject: Re: [PATCH v3] drm/gma500: fix double freeing Message-ID: <20151209115304.GC24852@sudip-pc> References: <1444146539-5698-1-git-send-email-sudipm.mukherjee@gmail.com> <1444308468-8910-1-git-send-email-sudipm.mukherjee@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1444308468-8910-1-git-send-email-sudipm.mukherjee@gmail.com> User-Agent: Mutt/1.5.21 (2010-09-15) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Oct 08, 2015 at 06:17:48PM +0530, Sudip Mukherjee wrote: > We are allocating backing using psbfb_alloc() and so > backing->stolen is always true. So we were freeing backing two times. > Moreover if we follow the execution path then we should be freeing > backing after we have released the helper. So remove the one which frees > backing before the helper is released. > While at it the error labels are also renamed to give a meaningful > name. > > Signed-off-by: Sudip Mukherjee > Reviewed-by: Patrik Jakobsson > --- This patch was never picked up. It will not apply now. Daniel, please let me know if you want me to resend after making necessary changes. regards sudip > drivers/gpu/drm/gma500/framebuffer.c | 13 ++++--------- > 1 file changed, 4 insertions(+), 9 deletions(-) > > diff --git a/drivers/gpu/drm/gma500/framebuffer.c b/drivers/gpu/drm/gma500/framebuffer.c > index 2eaf1b3..52e2bf3 100644 > --- a/drivers/gpu/drm/gma500/framebuffer.c > +++ b/drivers/gpu/drm/gma500/framebuffer.c > @@ -411,7 +411,7 @@ static int psbfb_create(struct psb_fbdev *fbdev, > info = drm_fb_helper_alloc_fbi(&fbdev->psb_fb_helper); > if (IS_ERR(info)) { > ret = PTR_ERR(info); > - goto out_err1; > + goto err_unlock; > } > info->par = fbdev; > > @@ -419,7 +419,7 @@ static int psbfb_create(struct psb_fbdev *fbdev, > > ret = psb_framebuffer_init(dev, psbfb, &mode_cmd, backing); > if (ret) > - goto out_unref; > + goto err_release; > > fb = &psbfb->base; > psbfb->fbdev = info; > @@ -465,14 +465,9 @@ static int psbfb_create(struct psb_fbdev *fbdev, > > mutex_unlock(&dev->struct_mutex); > return 0; > -out_unref: > - if (backing->stolen) > - psb_gtt_free_range(dev, backing); > - else > - drm_gem_object_unreference(&backing->gem); > - > +err_release: > drm_fb_helper_release_fbi(&fbdev->psb_fb_helper); > -out_err1: > +err_unlock: > mutex_unlock(&dev->struct_mutex); > psb_gtt_free_range(dev, backing); > return ret; > -- > 1.9.1 >