From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1754119AbbLIMUa (ORCPT <rfc822;w@1wt.eu>);
	Wed, 9 Dec 2015 07:20:30 -0500
Received: from mail-lb0-f179.google.com ([209.85.217.179]:33447 "EHLO
	mail-lb0-f179.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1753968AbbLIMUD (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Wed, 9 Dec 2015 07:20:03 -0500
MIME-Version: 1.0
In-Reply-To: <20151209115304.GC24852@sudip-pc>
References: <1444146539-5698-1-git-send-email-sudipm.mukherjee@gmail.com>
	<1444308468-8910-1-git-send-email-sudipm.mukherjee@gmail.com>
	<20151209115304.GC24852@sudip-pc>
Date: Wed, 9 Dec 2015 13:20:01 +0100
Message-ID: <CAMeQTsaPPh5m1rHtPLYP85N6hVH-KRvcyf+XhP8TrZiqhmDE=w@mail.gmail.com>
Subject: Re: [PATCH v3] drm/gma500: fix double freeing
From: Patrik Jakobsson <patrik.r.jakobsson@gmail.com>
To: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
Cc: David Airlie <airlied@linux.ie>, Daniel Vetter <daniel.vetter@ffwll.ch>,
        linux-kernel <linux-kernel@vger.kernel.org>,
        dri-devel <dri-devel@lists.freedesktop.org>
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Dec 9, 2015 at 12:53 PM, Sudip Mukherjee
<sudipm.mukherjee@gmail.com> wrote:
> On Thu, Oct 08, 2015 at 06:17:48PM +0530, Sudip Mukherjee wrote:
>> We are allocating backing using psbfb_alloc() and so
>> backing->stolen is always true. So we were freeing backing two times.
>> Moreover if we follow the execution path then we should be freeing
>> backing after we have released the helper. So remove the one which frees
>> backing before the helper is released.
>> While at it the error labels are also renamed to give a meaningful
>> name.
>>
>> Signed-off-by: Sudip Mukherjee <sudip@vectorindia.org>
>> Reviewed-by: Patrik Jakobsson <patrik.r.jakobsson@gmail.com>
>> ---
>
> This patch was never picked up. It will not apply now.
>
> Daniel, please let me know if you want me to resend after making
> necessary changes.

I will pick this up and pass it along to Dave. Sorry for the delay.

-Patrik

>
> regards
> sudip
>
>>  drivers/gpu/drm/gma500/framebuffer.c | 13 ++++---------
>>  1 file changed, 4 insertions(+), 9 deletions(-)
>>
>> diff --git a/drivers/gpu/drm/gma500/framebuffer.c b/drivers/gpu/drm/gma500/framebuffer.c
>> index 2eaf1b3..52e2bf3 100644
>> --- a/drivers/gpu/drm/gma500/framebuffer.c
>> +++ b/drivers/gpu/drm/gma500/framebuffer.c
>> @@ -411,7 +411,7 @@ static int psbfb_create(struct psb_fbdev *fbdev,
>>       info = drm_fb_helper_alloc_fbi(&fbdev->psb_fb_helper);
>>       if (IS_ERR(info)) {
>>               ret = PTR_ERR(info);
>> -             goto out_err1;
>> +             goto err_unlock;
>>       }
>>       info->par = fbdev;
>>
>> @@ -419,7 +419,7 @@ static int psbfb_create(struct psb_fbdev *fbdev,
>>
>>       ret = psb_framebuffer_init(dev, psbfb, &mode_cmd, backing);
>>       if (ret)
>> -             goto out_unref;
>> +             goto err_release;
>>
>>       fb = &psbfb->base;
>>       psbfb->fbdev = info;
>> @@ -465,14 +465,9 @@ static int psbfb_create(struct psb_fbdev *fbdev,
>>
>>       mutex_unlock(&dev->struct_mutex);
>>       return 0;
>> -out_unref:
>> -     if (backing->stolen)
>> -             psb_gtt_free_range(dev, backing);
>> -     else
>> -             drm_gem_object_unreference(&backing->gem);
>> -
>> +err_release:
>>       drm_fb_helper_release_fbi(&fbdev->psb_fb_helper);
>> -out_err1:
>> +err_unlock:
>>       mutex_unlock(&dev->struct_mutex);
>>       psb_gtt_free_range(dev, backing);
>>       return ret;
>> --
>> 1.9.1
>>