From 22ffbaf6f94f5bdb86e3bf2080ed44062ce4a8b6 Mon Sep 17 00:00:00 2001 From: Alex Waterman Date: Fri, 16 Dec 2016 10:40:56 -0800 Subject: gpu: nvgpu: Fix coverity defect in page allocator Fix use-after-free overity defect in page allocator. The alloc struct was getting used after a call for __gk20a_free_pages() which frees the alloc struct passed in. Coverity ID: 468942 Bug 200192125 Change-Id: I4f5d32f245efae967050f93c7806290b4bf3591c Signed-off-by: Alex Waterman Reviewed-on: http://git-master/r/1272730 GVS: Gerrit_Virtual_Submit Reviewed-by: Terje Bergstrom
---
 drivers/gpu/nvgpu/gk20a/gk20a_allocator_page.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/drivers/gpu/nvgpu/gk20a/gk20a_allocator_page.c b/drivers/gpu/nvgpu/gk20a/gk20a_allocator_page.c
index 06c33a8c..9717a726 100644
--- a/drivers/gpu/nvgpu/gk20a/gk20a_allocator_page.c
+++ b/drivers/gpu/nvgpu/gk20a/gk20a_allocator_page.c
@@ -734,19 +734,20 @@ static void gk20a_page_free_fixed(struct gk20a_allocator *__a,
 alloc = (struct gk20a_page_alloc *) (uintptr_t) base;
 }
 
+ palloc_dbg(a, "Free [fixed] 0x%010llx + 0x%llx\n",
+ alloc->base, alloc->length);
+
+ a->nr_fixed_frees++;
+ a->pages_freed += (alloc->length >> a->page_shift);
+
 /*
 * This works for the time being since the buddy allocator
 * uses the same free function for both fixed and regular
 * allocs. This would have to be updated if the underlying
 * allocator were to change.
 */
- palloc_dbg(a, "Free [fixed] 0x%010llx + 0x%llx\n",
- alloc->base, alloc->length);
 __gk20a_free_pages(a, alloc, true);
 
- a->nr_fixed_frees++;
- a->pages_freed += (alloc->length >> a->page_shift);
-
 done:
 alloc_unlock(__a);
 }
-- 
cgit v1.2.2
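Review bot: Nothing in the new code records that `alloc` is dead once `__gk20a_free_pages(a, alloc, true)` returns, so the ordering that fixes the use-after-free depends on the next editor already knowing it. The comment that now sits directly above the call only explains why the buddy allocator's free function is shared. I would extend it, or add a line just before the call, such as `/* __gk20a_free_pages() frees alloc: log and account for it above, never dereference it below. */`. The body of gk20a_page_free_fixed() starts outside this hunk, and the regular (non-fixed) free path is not visible here; it is worth checking whether that path reads `alloc->length` after the same call.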