[patch 1/2] drm/radeon: use after free in radeon_vm_bo_add()
Dan Carpenter
dan.carpenter at oracle.com
Mon Jan 9 04:44:50 PST 2012
"bo_va" is dereferenced in the error message.
Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
diff --git a/drivers/gpu/drm/radeon/radeon_gart.c b/drivers/gpu/drm/radeon/radeon_gart.c
index 3ef58ca..2944c78 100644
--- a/drivers/gpu/drm/radeon/radeon_gart.c
+++ b/drivers/gpu/drm/radeon/radeon_gart.c
@@ -486,10 +486,10 @@ int radeon_vm_bo_add(struct radeon_device *rdev,
}
if (bo_va->soffset >= tmp->soffset && bo_va->soffset < tmp->eoffset) {
/* bo and tmp overlap, invalid offset */
- kfree(bo_va);
dev_err(rdev->dev, "bo %p va 0x%08X conflict with (bo %p 0x%08X 0x%08X)\n",
bo, (unsigned)bo_va->soffset, tmp->bo,
(unsigned)tmp->soffset, (unsigned)tmp->eoffset);
+ kfree(bo_va);
mutex_unlock(&vm->mutex);
return -EINVAL;
}
More information about the dri-devel
mailing list