radeon: fix free after refcount

author Dave Airlie <airlied@redhat.com>

Sun, 2 Nov 2008 23:41:12 +0000 (09:41 +1000)

committer Dave Airlie <airlied@redhat.com>

Sun, 2 Nov 2008 23:41:12 +0000 (09:41 +1000)
author Dave Airlie <airlied@redhat.com>
Sun, 2 Nov 2008 23:41:12 +0000 (09:41 +1000)
committer Dave Airlie <airlied@redhat.com>
Sun, 2 Nov 2008 23:41:12 +0000 (09:41 +1000)
diff --git a/linux-core/radeon_display.c b/linux-core/radeon_display.c

index 679244a..f16288e 100644 (file)
--- a/linux-core/radeon_display.c
+++ b/linux-core/radeon_display.c
@@ -601,7 +601,11 @@ static void radeon_user_framebuffer_destroy(struct drm_framebuffer *fb)
         if (fb->fbdev)
                 radeonfb_remove(dev, fb);
  
-       drm_gem_object_unreference(radeon_fb->obj);
+       if (radeon_fb->obj) {
+               mutex_lock(&dev->struct_mutex);
+               drm_gem_object_unreference(radeon_fb->obj);
+               mutex_unlock(&dev->struct_mutex);
+       }
         drm_framebuffer_cleanup(fb);
         kfree(radeon_fb);
  }
diff --git a/linux-core/radeon_fb.c b/linux-core/radeon_fb.c

index 405f1da..d3722c3 100644 (file)
--- a/linux-core/radeon_fb.c
+++ b/linux-core/radeon_fb.c
@@ -1149,6 +1149,7 @@ int radeonfb_remove(struct drm_device *dev, struct drm_framebuffer *fb)
                 drm_bo_kunmap(&radeon_fb->kmap_obj);
                 mutex_lock(&dev->struct_mutex);
                 drm_gem_object_unreference(radeon_fb->obj);
+               radeon_fb->obj = NULL;
                 mutex_unlock(&dev->struct_mutex);
                 framebuffer_release(info);
         }
author	Dave Airlie <airlied@redhat.com>
	Sun, 2 Nov 2008 23:41:12 +0000 (09:41 +1000)
committer	Dave Airlie <airlied@redhat.com>
	Sun, 2 Nov 2008 23:41:12 +0000 (09:41 +1000)
linux-core/radeon_display.c		patch \| blob \| history
linux-core/radeon_fb.c		patch \| blob \| history