Commit 3c5844f3 authored by Dave Jones's avatar Dave Jones Committed by Dave Jones

[AGPGART] Bulletproofing. NULL ptrs after freeing them.

parent 628c89f7
...@@ -75,6 +75,7 @@ static void amd_free_gatt_pages(void) ...@@ -75,6 +75,7 @@ static void amd_free_gatt_pages(void)
} }
} }
kfree(tables); kfree(tables);
amd_irongate_private.gatt_pages = NULL;
} }
static int amd_create_gatt_pages(int nr_tables) static int amd_create_gatt_pages(int nr_tables)
......
...@@ -185,8 +185,10 @@ static int agp_backend_initialize(struct agp_bridge_data *bridge) ...@@ -185,8 +185,10 @@ static int agp_backend_initialize(struct agp_bridge_data *bridge)
phys_to_virt(bridge->scratch_page_real)); phys_to_virt(bridge->scratch_page_real));
if (got_gatt) if (got_gatt)
bridge->driver->free_gatt_table(); bridge->driver->free_gatt_table();
if (got_keylist) if (got_keylist) {
vfree(bridge->key_list); vfree(bridge->key_list);
bridge->key_list = NULL;
}
return rc; return rc;
} }
...@@ -197,8 +199,10 @@ static void agp_backend_cleanup(struct agp_bridge_data *bridge) ...@@ -197,8 +199,10 @@ static void agp_backend_cleanup(struct agp_bridge_data *bridge)
bridge->driver->cleanup(); bridge->driver->cleanup();
if (bridge->driver->free_gatt_table) if (bridge->driver->free_gatt_table)
bridge->driver->free_gatt_table(); bridge->driver->free_gatt_table();
if (bridge->key_list) if (bridge->key_list) {
vfree(bridge->key_list); vfree(bridge->key_list);
bridge->key_list = NULL;
}
if (bridge->driver->agp_destroy_page && if (bridge->driver->agp_destroy_page &&
bridge->driver->needs_scratch_page) bridge->driver->needs_scratch_page)
......
...@@ -198,6 +198,7 @@ static int agp_create_segment(agp_client * client, agp_region * region) ...@@ -198,6 +198,7 @@ static int agp_create_segment(agp_client * client, agp_region * region)
seg = kmalloc((sizeof(agp_segment_priv) * region->seg_count), GFP_KERNEL); seg = kmalloc((sizeof(agp_segment_priv) * region->seg_count), GFP_KERNEL);
if (seg == NULL) { if (seg == NULL) {
kfree(region->seg_list); kfree(region->seg_list);
region->seg_list = NULL;
return -ENOMEM; return -ENOMEM;
} }
memset(seg, 0, (sizeof(agp_segment_priv) * region->seg_count)); memset(seg, 0, (sizeof(agp_segment_priv) * region->seg_count));
...@@ -208,14 +209,15 @@ static int agp_create_segment(agp_client * client, agp_region * region) ...@@ -208,14 +209,15 @@ static int agp_create_segment(agp_client * client, agp_region * region)
seg[i].pg_count = user_seg[i].pg_count; seg[i].pg_count = user_seg[i].pg_count;
seg[i].prot = agp_convert_mmap_flags(user_seg[i].prot); seg[i].prot = agp_convert_mmap_flags(user_seg[i].prot);
} }
kfree(region->seg_list);
region->seg_list = NULL;
ret_seg = kmalloc(sizeof(void *), GFP_KERNEL); ret_seg = kmalloc(sizeof(void *), GFP_KERNEL);
if (ret_seg == NULL) { if (ret_seg == NULL) {
kfree(region->seg_list);
kfree(seg); kfree(seg);
return -ENOMEM; return -ENOMEM;
} }
*ret_seg = seg; *ret_seg = seg;
kfree(region->seg_list);
agp_add_seg_to_client(client, ret_seg, region->seg_count); agp_add_seg_to_client(client, ret_seg, region->seg_count);
return 0; return 0;
} }
...@@ -690,6 +692,7 @@ static int agp_release(struct inode *inode, struct file *file) ...@@ -690,6 +692,7 @@ static int agp_release(struct inode *inode, struct file *file)
priv); priv);
} }
agp_remove_controller(controller); agp_remove_controller(controller);
controller = NULL;
} }
} }
...@@ -698,6 +701,7 @@ static int agp_release(struct inode *inode, struct file *file) ...@@ -698,6 +701,7 @@ static int agp_release(struct inode *inode, struct file *file)
agp_remove_file_private(priv); agp_remove_file_private(priv);
kfree(priv); kfree(priv);
(agp_file_private *) file->private_data = NULL;
up(&(agp_fe.agp_mutex)); up(&(agp_fe.agp_mutex));
return 0; return 0;
} }
...@@ -860,10 +864,8 @@ static int agpioc_reserve_wrap(agp_file_private * priv, unsigned long arg) ...@@ -860,10 +864,8 @@ static int agpioc_reserve_wrap(agp_file_private * priv, unsigned long arg)
client_priv = agp_find_private(reserve.pid); client_priv = agp_find_private(reserve.pid);
if (client_priv != NULL) { if (client_priv != NULL) {
set_bit(AGP_FF_IS_CLIENT, set_bit(AGP_FF_IS_CLIENT, &client_priv->access_flags);
&client_priv->access_flags); set_bit(AGP_FF_IS_VALID, &client_priv->access_flags);
set_bit(AGP_FF_IS_VALID,
&client_priv->access_flags);
} }
if (client == NULL) { if (client == NULL) {
/* client is already removed */ /* client is already removed */
...@@ -875,7 +877,7 @@ static int agpioc_reserve_wrap(agp_file_private * priv, unsigned long arg) ...@@ -875,7 +877,7 @@ static int agpioc_reserve_wrap(agp_file_private * priv, unsigned long arg)
if (reserve.seg_count >= 16384) if (reserve.seg_count >= 16384)
return -EINVAL; return -EINVAL;
segment = kmalloc((sizeof(agp_segment) * reserve.seg_count), segment = kmalloc((sizeof(agp_segment) * reserve.seg_count),
GFP_KERNEL); GFP_KERNEL);
...@@ -900,15 +902,11 @@ static int agpioc_reserve_wrap(agp_file_private * priv, unsigned long arg) ...@@ -900,15 +902,11 @@ static int agpioc_reserve_wrap(agp_file_private * priv, unsigned long arg)
client_priv = agp_find_private(reserve.pid); client_priv = agp_find_private(reserve.pid);
if (client_priv != NULL) { if (client_priv != NULL) {
set_bit(AGP_FF_IS_CLIENT, set_bit(AGP_FF_IS_CLIENT, &client_priv->access_flags);
&client_priv->access_flags); set_bit(AGP_FF_IS_VALID, &client_priv->access_flags);
set_bit(AGP_FF_IS_VALID,
&client_priv->access_flags);
} }
return agp_create_segment(client, &reserve);
} else {
return agp_create_segment(client, &reserve);
} }
return agp_create_segment(client, &reserve);
} }
/* Will never really happen */ /* Will never really happen */
return -EINVAL; return -EINVAL;
......
...@@ -599,7 +599,6 @@ int agp_generic_create_gatt_table(void) ...@@ -599,7 +599,6 @@ int agp_generic_create_gatt_table(void)
} }
EXPORT_SYMBOL(agp_generic_create_gatt_table); EXPORT_SYMBOL(agp_generic_create_gatt_table);
int agp_generic_suspend(void) int agp_generic_suspend(void)
{ {
return 0; return 0;
...@@ -657,6 +656,12 @@ int agp_generic_free_gatt_table(void) ...@@ -657,6 +656,12 @@ int agp_generic_free_gatt_table(void)
ClearPageReserved(page); ClearPageReserved(page);
free_pages((unsigned long) agp_bridge->gatt_table_real, page_order); free_pages((unsigned long) agp_bridge->gatt_table_real, page_order);
agp_gatt_table = NULL;
agp_bridge->gatt_table = NULL;
agp_bridge->gatt_table_real = NULL;
agp_bridge->gatt_bus_addr = NULL;
return 0; return 0;
} }
EXPORT_SYMBOL(agp_generic_free_gatt_table); EXPORT_SYMBOL(agp_generic_free_gatt_table);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment