Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm / ad45aa9e6e010283bbd8cf0c6309866233e113f2^! / .
commitad45aa9e6e010283bbd8cf0c6309866233e113f2[log] [tgz]
authorChris Wilson <chris@chris-wilson.co.uk>Mon Feb 09 11:31:41 2009 +0000
committerDave Airlie <airlied@redhat.com>Fri Feb 20 12:21:08 2009 +1000
tree445135f1c9a8e270e6d350404d6ecf57b8f778ef
parent005568be363b90c9333c3bcbc1e7a53922816322 [diff]
drm: Potential use-after-free on error path.

Remove the member from the hash table before we free the structure!

Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Signed-off-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Dave Airlie <airlied@linux.ie>

diff --git a/drivers/gpu/drm/drm_gem.c b/drivers/gpu/drm/drm_gem.c
index 6915fb8..308fe1e 100644
--- a/drivers/gpu/drm/drm_gem.c
+++ b/drivers/gpu/drm/drm_gem.c

@@ -104,8 +104,8 @@
 
 	if (drm_mm_init(&mm->offset_manager, DRM_FILE_PAGE_OFFSET_START,
 			DRM_FILE_PAGE_OFFSET_SIZE)) {
-		drm_free(mm, sizeof(struct drm_gem_mm), DRM_MEM_MM);
 		drm_ht_remove(&mm->offset_hash);
+		drm_free(mm, sizeof(struct drm_gem_mm), DRM_MEM_MM);
 		return -ENOMEM;
 	}