diff options
author | Alex Waterman <alexw@nvidia.com> | 2016-12-16 13:40:56 -0500 |
---|---|---|
committer | mobile promotions <svcmobile_promotions@nvidia.com> | 2016-12-20 19:46:33 -0500 |
commit | 22ffbaf6f94f5bdb86e3bf2080ed44062ce4a8b6 (patch) | |
tree | 5f28264f46ae4ba1c4ddcd125682d24977994a24 /drivers | |
parent | a918003694984b6fca9e6b6c07fd7cdf3503055e (diff) |
gpu: nvgpu: Fix coverity defect in page allocator
Fix use-after-free overity defect in page allocator. The alloc struct
was getting used after a call for __gk20a_free_pages() which frees
the alloc struct passed in.
Coverity ID: 468942
Bug 200192125
Change-Id: I4f5d32f245efae967050f93c7806290b4bf3591c
Signed-off-by: Alex Waterman <alexw@nvidia.com>
Reviewed-on: http://git-master/r/1272730
GVS: Gerrit_Virtual_Submit
Reviewed-by: Terje Bergstrom <tbergstrom@nvidia.com>
Diffstat (limited to 'drivers')
-rw-r--r-- | drivers/gpu/nvgpu/gk20a/gk20a_allocator_page.c | 11 |
1 files changed, 6 insertions, 5 deletions
diff --git a/drivers/gpu/nvgpu/gk20a/gk20a_allocator_page.c b/drivers/gpu/nvgpu/gk20a/gk20a_allocator_page.c index 06c33a8c..9717a726 100644 --- a/drivers/gpu/nvgpu/gk20a/gk20a_allocator_page.c +++ b/drivers/gpu/nvgpu/gk20a/gk20a_allocator_page.c | |||
@@ -734,19 +734,20 @@ static void gk20a_page_free_fixed(struct gk20a_allocator *__a, | |||
734 | alloc = (struct gk20a_page_alloc *) (uintptr_t) base; | 734 | alloc = (struct gk20a_page_alloc *) (uintptr_t) base; |
735 | } | 735 | } |
736 | 736 | ||
737 | palloc_dbg(a, "Free [fixed] 0x%010llx + 0x%llx\n", | ||
738 | alloc->base, alloc->length); | ||
739 | |||
740 | a->nr_fixed_frees++; | ||
741 | a->pages_freed += (alloc->length >> a->page_shift); | ||
742 | |||
737 | /* | 743 | /* |
738 | * This works for the time being since the buddy allocator | 744 | * This works for the time being since the buddy allocator |
739 | * uses the same free function for both fixed and regular | 745 | * uses the same free function for both fixed and regular |
740 | * allocs. This would have to be updated if the underlying | 746 | * allocs. This would have to be updated if the underlying |
741 | * allocator were to change. | 747 | * allocator were to change. |
742 | */ | 748 | */ |
743 | palloc_dbg(a, "Free [fixed] 0x%010llx + 0x%llx\n", | ||
744 | alloc->base, alloc->length); | ||
745 | __gk20a_free_pages(a, alloc, true); | 749 | __gk20a_free_pages(a, alloc, true); |
746 | 750 | ||
747 | a->nr_fixed_frees++; | ||
748 | a->pages_freed += (alloc->length >> a->page_shift); | ||
749 | |||
750 | done: | 751 | done: |
751 | alloc_unlock(__a); | 752 | alloc_unlock(__a); |
752 | } | 753 | } |