Commit 29732ca5 authored by Chris Wilson, committed by Greg Kroah-Hartman

drm/i915: Only destroy a constructed mmap offset

commit 7e616158 upstream.

drm_ht_remove_item() does not handle removing an absent item and the hlist
in particular is incorrectly initialised. The easy remedy is simply to skip
calling i915_gem_free_mmap_offset() unless we have actually created the
offset and associated ht entry.

This also fixes the mishandling of a partially constructed offset which
leaves pointers initialized after freeing them along the
i915_gem_create_mmap_offset() error paths.

In particular this should fix the oops found here:
https://bugs.launchpad.net/ubuntu/+source/xserver-xorg-video-intel/+bug/415357/comments/8

Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Signed-off-by: Eric Anholt <eric@anholt.net>
parent 385c165f
...@@ -3837,7 +3837,8 @@ void i915_gem_free_object(struct drm_gem_object *obj) ...@@ -3837,7 +3837,8 @@ void i915_gem_free_object(struct drm_gem_object *obj)
i915_gem_object_unbind(obj); i915_gem_object_unbind(obj);
i915_gem_free_mmap_offset(obj); if (obj_priv->mmap_offset)
i915_gem_free_mmap_offset(obj);
kfree(obj_priv->page_cpu_valid); kfree(obj_priv->page_cpu_valid);
kfree(obj_priv->bit_17); kfree(obj_priv->bit_17);
......
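Review bot: The new `if (obj_priv->mmap_offset)` test in i915_gem_free_object() treats a zero offset as "never constructed", so it is only safe if every error path in i915_gem_create_mmap_offset() leaves obj_priv->mmap_offset at zero and a successfully created offset can never be zero. The commit message says the error paths are handled, but that part of the change is not visible here, so it is worth a short comment at this call site stating the invariant. Consider also moving the check into i915_gem_free_mmap_offset() itself, so that any other caller gets the same protection against drm_ht_remove_item() being run on an absent entry instead of relying on each call site to remember the guard.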