- fix mapped-pte usage - do not access it after unmapping.

diff --git a/drivers/char/drm/drm_scatter.h b/drivers/char/drm/drm_scatter.h
index f0793950503b3ade8d8b5d41b9849b2105775963..12f1039d58b1ffe23d2dd88ed434241468ca68a2 100644 (file)
--- a/drivers/char/drm/drm_scatter.h
+++ b/drivers/char/drm/drm_scatter.h
@@ -68,7 +68,7 @@ int DRM(sg_alloc)( struct inode *inode, struct file *filp,
        unsigned long pages, i, j;
        pgd_t *pgd;
        pmd_t *pmd;
-       pte_t *pte;
+       pte_t *pte, pte_entry;
 
        DRM_DEBUG( "%s\n", __FUNCTION__ );
 
@@ -144,18 +144,17 @@ int DRM(sg_alloc)( struct inode *inode, struct file *filp,
                        goto failed;
 
                preempt_disable();
-               pte = pte_offset_map( pmd, i );
-               if ( !pte_present( *pte ) ) {
-                       pte_unmap(pte);
-                       preempt_enable();
-                       goto failed;
-               }
+               pte = pte_offset_map(pmd, i);
+               pte_entry = *pte;
                pte_unmap(pte);
                preempt_enable();
 
-               entry->pagelist[j] = pte_page( *pte );
+               if (!pte_present(pte_entry))
+                       goto failed;
+
+               entry->pagelist[j] = pte_page(pte_entry);
 
-               SetPageReserved( entry->pagelist[j] );
+               SetPageReserved(entry->pagelist[j]);
        }
 
        request.handle = entry->handle;

diff --git a/drivers/char/drm/drm_vm.h b/drivers/char/drm/drm_vm.h
index a45150f1df7a182216cdc6d3cea90b39225010de..822daeedb46a79508810814a2aa38ca9984d542d 100644 (file)
--- a/drivers/char/drm/drm_vm.h
+++ b/drivers/char/drm/drm_vm.h
@@ -154,7 +154,7 @@ struct page *DRM(vm_shm_nopage)(struct vm_area_struct *vma,
        unsigned long    i;
        pgd_t            *pgd;
        pmd_t            *pmd;
-       pte_t            *pte;
+       pte_t            *pte, entry;
        struct page      *page;
 
        if (address > vma->vm_end) return NOPAGE_SIGBUS; /* Disallow mremap */
@@ -166,20 +166,22 @@ struct page *DRM(vm_shm_nopage)(struct vm_area_struct *vma,
         * they need to be virtually contiguous in kernel space.
         */
        pgd = pgd_offset_k( i );
-       if( !pgd_present( *pgd ) ) return NOPAGE_OOM;
+       if (!pgd_present(*pgd))
+               goto oom;
        pmd = pmd_offset( pgd, i );
-       if( !pmd_present( *pmd ) ) return NOPAGE_OOM;
+       if (!pmd_present(*pmd))
+               goto oom;
+
        preempt_disable();
-       pte = pte_offset_map( pmd, i );
-       if( !pte_present( *pte ) ) {
-               pte_unmap(pte);
-               preempt_enable();
-               return NOPAGE_OOM;
-       }
+       pte = pte_offset_map(pmd, i);
+       entry = *pte;
        pte_unmap(pte);
        preempt_enable();
 
-       page = pte_page(*pte);
+       if (!pte_present(entry))
+               goto oom;
+
+       page = pte_page(entry);
        get_page(page);
 
        DRM_DEBUG("shm_nopage 0x%lx\n", address);
@@ -188,6 +190,8 @@ struct page *DRM(vm_shm_nopage)(struct vm_area_struct *vma,
 #else
        return page;
 #endif
+oom:
+       return NOPAGE_OOM;
 }
 
 /* Special close routine which deletes map information if we are the last