summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorChris Wilson <chris@chris-wilson.co.uk>2009-09-10 11:53:04 +0400
committerEric Anholt <eric@anholt.net>2009-09-11 22:40:39 +0400
commit7e61615857c6fb3afbcb43f5c4e97511a923f5a8 (patch)
treea837ceb558c806ea68314b34a41c1685d15bc1ee
parente517a5e97080bbe52857bd0d7df9b66602d53c4d (diff)
downloadlinux-7e61615857c6fb3afbcb43f5c4e97511a923f5a8.tar.xz
drm/i915: Only destroy a constructed mmap offset
drm_ht_remove_item() does not handle removing an absent item and the hlist in particular is incorrectly initialised. The easy remedy is simply skip calling i915_gem_free_mmap_offset() unless we have actually created the offset and associated ht entry. This also fixes the mishandling of a partially constructed offset which leaves pointers initialized after freeing them along the i915_gem_create_mmap_offset() error paths. In particular this should fix the oops found here: https://bugs.launchpad.net/ubuntu/+source/xserver-xorg-video-intel/+bug/415357/comments/8 Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk> Signed-off-by: Eric Anholt <eric@anholt.net> Cc: stable@kernel.org
-rw-r--r--drivers/gpu/drm/i915/i915_gem.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c
index 30ea4b6b0219..e0da98602eed 100644
--- a/drivers/gpu/drm/i915/i915_gem.c
+++ b/drivers/gpu/drm/i915/i915_gem.c
@@ -3834,7 +3834,8 @@ void i915_gem_free_object(struct drm_gem_object *obj)
i915_gem_object_unbind(obj);
- i915_gem_free_mmap_offset(obj);
+ if (obj_priv->mmap_offset)
+ i915_gem_free_mmap_offset(obj);
kfree(obj_priv->page_cpu_valid);
kfree(obj_priv->bit_17);