[ 3.5.y.z extended stable ] Patch "drm/radeon: fix a rare case of double kfree" has been added to staging queue

Herton Ronaldo Krzesinski herton.krzesinski at canonical.com
Thu Jan 31 22:10:59 UTC 2013


This is a note to let you know that I have just added a patch titled

    drm/radeon: fix a rare case of double kfree

to the linux-3.5.y-queue branch of the 3.5.y.z extended stable tree 
which can be found at:

 http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.5.y-queue

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.5.y.z tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable

Thanks.
-Herton

------

From 3c97889eeabb4fa54f77a1cc4b28bc117531257e Mon Sep 17 00:00:00 2001
From: Ilija Hadzic <ihadzic at research.bell-labs.com>
Date: Wed, 23 Jan 2013 13:59:05 -0500
Subject: [PATCH] drm/radeon: fix a rare case of double kfree

commit 1da80cfa8727abf404fcee44d04743febea54069 upstream.

If one (but not both) allocations of p->chunks[].kpage[]
in radeon_cs_parser_init fail, the error path will free
the successfully allocated page, but leave a stale pointer
value in the kpage[] field. This will later cause a
double-free when radeon_cs_parser_fini is called.
This patch fixes the issue by forcing both pointers to NULL
after kfree in the error path.

The circumstances under which the problem happens are very
rare. The card must be AGP and the system must run out of
kmalloc area just at the right time so that one allocation
succeeds, while the other fails.

Signed-off-by: Ilija Hadzic <ihadzic at research.bell-labs.com>
Cc: Herton Ronaldo Krzesinski <herton.krzesinski at canonical.com>
Signed-off-by: Alex Deucher <alexander.deucher at amd.com>
Signed-off-by: Herton Ronaldo Krzesinski <herton.krzesinski at canonical.com>
---
 drivers/gpu/drm/radeon/radeon_cs.c |    2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/gpu/drm/radeon/radeon_cs.c b/drivers/gpu/drm/radeon/radeon_cs.c
index c71652b..a0f3404 100644
--- a/drivers/gpu/drm/radeon/radeon_cs.c
+++ b/drivers/gpu/drm/radeon/radeon_cs.c
@@ -281,6 +281,8 @@ int radeon_cs_parser_init(struct radeon_cs_parser *p, void *data)
 			    p->chunks[p->chunk_ib_idx].kpage[1] == NULL) {
 				kfree(p->chunks[p->chunk_ib_idx].kpage[0]);
 				kfree(p->chunks[p->chunk_ib_idx].kpage[1]);
+				p->chunks[p->chunk_ib_idx].kpage[0] = NULL;
+				p->chunks[p->chunk_ib_idx].kpage[1] = NULL;
 				return -ENOMEM;
 			}
 		}
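
Review bot: the two added assignments `kpage[0] = NULL;` and `kpage[1] = NULL;` ahead of `return -ENOMEM;` carry no comment saying why they are needed, so a later cleanup could drop them as dead stores before a return. Per the commit message, radeon_cs_parser_fini frees these same fields afterwards; a one-line comment above the assignments, for example `/* radeon_cs_parser_fini() will kfree these again */`, would record that dependency. The fix itself holds as shown: kfree(NULL) is a no-op, so clearing both slots makes the later free harmless whichever of the two allocations failed.
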
--
1.7.9.5




