A struct nvmap_handle may be shared by multiple clients. If the original client (the handle "owner") is destroyed, but the handle is still referenced by other clients, h->owner points to freed memory. To prevent this, clear h->owner when the owner frees its reference to that struct nvmap_handle. Signed-off-by: Robert Morell <rmorell@xxxxxxxxxx> --- This fixes the crash I mentioned in my previous email, but duped allocations can still be orphaned from their owner and no longer listed in any carveout commit lists although they still consume carveout. drivers/video/tegra/nvmap/nvmap_handle.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) diff --git a/drivers/video/tegra/nvmap/nvmap_handle.c b/drivers/video/tegra/nvmap/nvmap_handle.c index 09502bf..5376ea9 100644 --- a/drivers/video/tegra/nvmap/nvmap_handle.c +++ b/drivers/video/tegra/nvmap/nvmap_handle.c @@ -376,6 +376,9 @@ void nvmap_free_handle_id(struct nvmap_client *client, unsigned long id) while (pins--) nvmap_unpin_handles(client, &ref->handle, 1); + if (h->owner == client) + h->owner = NULL; + kfree(ref); out: -- 1.7.2.2 -- To unsubscribe from this list: send the line "unsubscribe linux-tegra" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
