drm/gma500: double free in psbfb_create()

Message ID	20150319101704.GA13330@mwanda (mailing list archive)
State	New, archived
Headers	show Return-Path: <dri-devel-bounces@lists.freedesktop.org> Date: Thu, 19 Mar 2015 13:17:04 +0300 From: Dan Carpenter <dan.carpenter@oracle.com> To: David Airlie <airlied@linux.ie>, Alan Cox <alan@linux.intel.com> Subject: [patch] drm/gma500: double free in psbfb_create() Message-ID: <20150319101704.GA13330@mwanda> MIME-Version: 1.0 Content-Disposition: inline User-Agent: Mutt/1.5.23 (2014-03-12) Cc: Daniel Vetter <daniel.vetter@ffwll.ch>, kernel-janitors@vger.kernel.org, dri-devel@lists.freedesktop.org, Fabian Frederick <fabf@skynet.be>, Alex Deucher <alexander.deucher@amd.com>, Dave Airlie <airlied@redhat.com>, Thierry Reding <treding@nvidia.com> Precedence: list Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Errors-To: dri-devel-bounces@lists.freedesktop.org Sender: "dri-devel" <dri-devel-bounces@lists.freedesktop.org>

Message ID

20150319101704.GA13330@mwanda (mailing list archive)

State

New, archived

Headers

Date: Thu, 19 Mar 2015 13:17:04 +0300
From: Dan Carpenter <dan.carpenter@oracle.com>
To: David Airlie <airlied@linux.ie>, Alan Cox <alan@linux.intel.com>
Subject: [patch] drm/gma500: double free in psbfb_create()
Message-ID: <20150319101704.GA13330@mwanda>
MIME-Version: 1.0
Content-Disposition: inline
User-Agent: Mutt/1.5.23 (2014-03-12)
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>, kernel-janitors@vger.kernel.org, 
	dri-devel@lists.freedesktop.org, Fabian Frederick <fabf@skynet.be>,
	Alex Deucher <alexander.deucher@amd.com>,
	Dave Airlie <airlied@redhat.com>, Thierry Reding <treding@nvidia.com>
Precedence: list
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Errors-To: dri-devel-bounces@lists.freedesktop.org
Sender: "dri-devel" <dri-devel-bounces@lists.freedesktop.org>

Commit Message

Dan Carpenter March 19, 2015, 10:17 a.m. UTC

The psb_gtt_free_range() frees "backing" so calling it twice is a double
free bug.  I have fixed this by removing the first call.

Fixes: 4d8d096e9ae8  ('gma500: introduce the framebuffer support code')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

Comments

Alan Cox March 19, 2015, 12:20 p.m. UTC | #1

On Thu, 2015-03-19 at 13:17 +0300, Dan Carpenter wrote:
> The psb_gtt_free_range() frees "backing" so calling it twice is a double
> free bug.  I have fixed this by removing the first call.
> 
> Fixes: 4d8d096e9ae8  ('gma500: introduce the framebuffer support code')
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

#facepalm

Acked-by: Alan Cox <alan@linux.intel.com>

diff --git a/drivers/gpu/drm/gma500/framebuffer.c b/drivers/gpu/drm/gma500/framebuffer.c
index 2d42ce6..89d5646 100644
--- a/drivers/gpu/drm/gma500/framebuffer.c
+++ b/drivers/gpu/drm/gma500/framebuffer.c
@@ -479,9 +479,7 @@  static int psbfb_create(struct psb_fbdev *fbdev,
 	mutex_unlock(&dev->struct_mutex);
 	return 0;
 out_unref:
-	if (backing->stolen)
-		psb_gtt_free_range(dev, backing);
-	else
+	if (!backing->stolen)
 		drm_gem_object_unreference(&backing->gem);
 out_err1:
 	mutex_unlock(&dev->struct_mutex);

drm/gma500: double free in psbfb_create()

Commit Message

Comments

Patch