drm: Potential use-after-free on error path.
author Chris Wilson <chris@chris-wilson.co.uk>
Mon, 9 Feb 2009 11:31:41 +0000 (11:31 +0000)
committer Dave Airlie <airlied@redhat.com>
Fri, 20 Feb 2009 02:21:08 +0000 (12:21 +1000)
Remove the member from the hash table before we free the structure!

Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Signed-off-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Dave Airlie <airlied@linux.ie>
drivers/gpu/drm/drm_gem.c

index 6915fb82d0b0ea6aaa4a5c82b1ac5cf61b572e74..308fe1e207f53df2a5c3b48e439f9db500ebb202 100644 (file)
@@ -104,8 +104,8 @@ drm_gem_init(struct drm_device *dev)
 
        if (drm_mm_init(&mm->offset_manager, DRM_FILE_PAGE_OFFSET_START,
                        DRM_FILE_PAGE_OFFSET_SIZE)) {
-               drm_free(mm, sizeof(struct drm_gem_mm), DRM_MEM_MM);
                drm_ht_remove(&mm->offset_hash);
+               drm_free(mm, sizeof(struct drm_gem_mm), DRM_MEM_MM);
                return -ENOMEM;
        }
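Review bot: The commit message does not quite describe the bug fixed in the drm_mm_init() failure branch: drm_ht_remove(&mm->offset_hash) is passed a field embedded in mm, so the old order had it operating on a hash table inside a structure that drm_free() had already released, rather than removing a member from a table. Rewording the log along those lines would make it easier to find as a use-after-free of mm. Two smaller points on the same branch: it returns -ENOMEM whatever drm_mm_init() actually returned, so consider propagating that return value, and if a pointer to mm was stored anywhere reachable from dev earlier in drm_gem_init() (not visible in this hunk), it should be cleared before returning so nothing is left dangling.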