<html>
    <head>
      <base href="https://bugs.freedesktop.org/">
    </head>
    <body>
        <div>
            <b><a class="bz_bug_link bz_status_NEW" title="NEW --- - [-next] nouveau corrupts kernel mm allocator" href="https://bugs.freedesktop.org/show_bug.cgi?id=58087#c2">Comment # 2</a>
              on <a class="bz_bug_link bz_status_NEW" title="NEW --- - [-next] nouveau corrupts kernel mm allocator" href="https://bugs.freedesktop.org/show_bug.cgi?id=58087">bug 58087</a>
              from <span class="vcard"><a class="email" href="mailto:peter@hurleysoftware.com" title="Peter Hurley &lt;peter@hurleysoftware.com&gt;"><span class="fn">Peter Hurley</span></a></span></b>
        <pre>(In reply to <a href="show_bug.cgi?id=58087#c1">comment #1</a>)
<span class="quote">> Created <span><a href="attachment.cgi?id=71290" name="attach_71290" title="fix">attachment 71290</a> <a href="attachment.cgi?id=71290&amp;action=edit" title="fix">[details]</a></span> <a href="page.cgi?id=splinter.html&amp;bug=58087&amp;attachment=71290">[review]</a> [review]
> fix</span>

-    vm = *pvm = kzalloc(sizeof(*vm), GFP_KERNEL);
+    vm = kzalloc(sizeof(*vm), GFP_KERNEL);

How/why does *not* setting cli->base.vm to NULL fix this?

Also, this assignment idiom is common in the nouveau driver code. Is the above
fix just one of many that are necessary?

core/subdev/vm/base.c:    vm = *pvm = kzalloc(sizeof(*vm), GFP_KERNEL);
core/core/object.c:    object = *pobject = kzalloc(size, GFP_KERNEL);
core/core/ramht.c:    co = ho = nouveau_ramht_hash(ramht, chid, handle);
core/core/handle.c:    handle = *phandle = kzalloc(sizeof(*handle),
GFP_KERNEL);
nouveau_abi16.c:        cli->abi16 = abi16 = kzalloc(sizeof(*abi16),
GFP_KERNEL);
nouveau_bo.c:    struct nouveau_channel *chan = chan = drm->channel;  /*
COMMENT: THIS ONE IS INTERESTING */
nouveau_chan.c:    chan = *pchan = kzalloc(sizeof(*chan), GFP_KERNEL);
nouveau_display.c:    disp = drm->display = kzalloc(sizeof(*disp), GFP_KERNEL);
nouveau_pm.c:    pm = drm->pm = kzalloc(sizeof(*pm), GFP_KERNEL);
nv04_fence.c:    priv = drm->fence = kzalloc(sizeof(*priv), GFP_KERNEL);
nv10_fence.c:    fctx = chan->fence = kzalloc(sizeof(*fctx), GFP_KERNEL);
nv10_fence.c:    priv = drm->fence = kzalloc(sizeof(*priv), GFP_KERNEL);
nv50_fence.c:    fctx = chan->fence = kzalloc(sizeof(*fctx), GFP_KERNEL);
nv50_fence.c:    priv = drm->fence = kzalloc(sizeof(*priv), GFP_KERNEL);
nv84_fence.c:    fctx = chan->fence = kzalloc(sizeof(*fctx), GFP_KERNEL);
nv84_fence.c:    priv = drm->fence = kzalloc(sizeof(*priv), GFP_KERNEL);
nvc0_fence.c:    fctx = chan->fence = kzalloc(sizeof(*fctx), GFP_KERNEL);
nvc0_fence.c:    priv = drm->fence = kzalloc(sizeof(*priv), GFP_KERNEL);</pre>
        </div>
    </body>
</html>