drm/radeon: fix a rare case of double kfree
authorIlija Hadzic <ihadzic@research.bell-labs.com>
Wed, 23 Jan 2013 18:59:05 +0000 (13:59 -0500)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 4 Feb 2013 00:27:06 +0000 (18:27 -0600)
commit710c8f51c857395ea1bf708144768b305800789e
tree0e19b3ed4c561d90f6bfafd3676ac651152ef1ee
parentc140fec351af47d648819b3ab20e30522e1493c7
drm/radeon: fix a rare case of double kfree

commit 1da80cfa8727abf404fcee44d04743febea54069 upstream.

If one (but not both) allocations of p->chunks[].kpage[]
in radeon_cs_parser_init fail, the error path will free
the successfully allocated page, but leave a stale pointer
value in the kpage[] field. This will later cause a
double-free when radeon_cs_parser_fini is called.
This patch fixes the issue by forcing both pointers to NULL
after kfree in the error path.

The circumstances under which the problem happens are very
rare. The card must be AGP and the system must run out of
kmalloc area just at the right time so that one allocation
succeeds, while the other fails.

Signed-off-by: Ilija Hadzic <ihadzic@research.bell-labs.com>
Cc: Herton Ronaldo Krzesinski <herton.krzesinski@canonical.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/gpu/drm/radeon/radeon_cs.c