gfx: drv: Fix double free in page flip

Reference counted object was accidentally freed using kfree without
checking reference count. That led to double free when kfree was called
with reference counting higher than 1. That happened often when HDMI
clone mode was enabled.

Signed-off-by: Pauli Nieminen <pauli.nieminen@linux.intel.com>
CC: "Kannan, Arun" <arun.kannan@intel.com>
Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>

diff --git a/drivers/staging/mrst/drv/psb_page_flip.c b/drivers/staging/mrst/drv/psb_page_flip.c
index ce1f6db..18abb98 100644 (file)
--- a/drivers/staging/mrst/drv/psb_page_flip.c
+++ b/drivers/staging/mrst/drv/psb_page_flip.c
@@ -197,6 +197,12 @@ unlock:
        spin_unlock_irqrestore(&dev->event_lock, flags);
 }
 
+static void free_flip(struct pending_flip *crtc_flip)
+{
+       if (atomic_dec_and_test(&crtc_flip->refcnt))
+               kfree(crtc_flip);
+}
+
 static void crtc_flip_cleanup(struct drm_flip *flip)
 {
        struct pending_flip *crtc_flip =
@@ -207,7 +213,7 @@ static void crtc_flip_cleanup(struct drm_flip *flip)
        psb_fb_gtt_unref(dev, crtc_flip->mem_info, crtc_flip->tgid);
        mutex_unlock(&dev->mode_config.mutex);
 
-       kfree(crtc_flip);
+       free_flip(crtc_flip);
 }
 
 static void crtc_flip_finish(struct drm_flip *flip)
@@ -227,12 +233,6 @@ static void psb_flip_driver_flush(struct drm_flip_driver *driver)
        (void)ioread32(dev_priv->vdc_reg + PSB_PIPESTAT(PSB_PIPE_A));
 }
 
-static void free_flip(struct pending_flip *crtc_flip)
-{
-       if (atomic_dec_and_test(&crtc_flip->refcnt))
-               kfree(crtc_flip);
-}
-
 static void psb_flip_complete_sync_callback(struct pvr_pending_sync *sync,
                bool call_from_work)
 {