From 9c89bd10c8097525ce9570550e672d01511f0f45 Mon Sep 17 00:00:00 2001
From: Linus Torvalds <torvalds@home.osdl.org>
Date: Thu, 7 Aug 2003 01:37:30 -0700
Subject: [PATCH] Merge with DRI CVS tree: fix use-after-free bug in
 DRM(takedown)

---
 drivers/char/drm/drm_drv.h | 76 +++++++++++++++++++-------------------
 1 file changed, 37 insertions(+), 39 deletions(-)

diff --git a/drivers/char/drm/drm_drv.h b/drivers/char/drm/drm_drv.h
index f18b967da5c5..d62156b35fcf 100644
--- a/drivers/char/drm/drm_drv.h
+++ b/drivers/char/drm/drm_drv.h
@@ -452,51 +452,49 @@ static int DRM(takedown)( drm_device_t *dev )
 	}
 
 	if( dev->maplist ) {
-		for(list = dev->maplist->head.next;
-		    list != &dev->maplist->head;
-		    list = list_next) {
-			list_next = list->next;
+		list_for_each_safe( list, list_next, &dev->maplist->head ) {
 			r_list = (drm_map_list_t *)list;
-			map = r_list->map;
-			DRM(free)(r_list, sizeof(*r_list), DRM_MEM_MAPS);
-			if(!map) continue;
 
-			switch ( map->type ) {
-			case _DRM_REGISTERS:
-			case _DRM_FRAME_BUFFER:
+			if ( ( map = r_list->map ) ) {
+				switch ( map->type ) {
+				case _DRM_REGISTERS:
+				case _DRM_FRAME_BUFFER:
 #if __REALLY_HAVE_MTRR
-				if ( map->mtrr >= 0 ) {
-					int retcode;
-					retcode = mtrr_del( map->mtrr,
-							    map->offset,
-							    map->size );
-					DRM_DEBUG( "mtrr_del=%d\n", retcode );
-				}
-#endif
-				DRM(ioremapfree)( map->handle, map->size, dev );
-				break;
-			case _DRM_SHM:
-				vfree(map->handle);
-				break;
-
-			case _DRM_AGP:
-				/* Do nothing here, because this is all
-				 * handled in the AGP/GART driver.
-				 */
-				break;
-                       case _DRM_SCATTER_GATHER:
-				/* Handle it, but do nothing, if HAVE_SG
-				 * isn't defined.
-				 */
+					if ( map->mtrr >= 0 ) {
+						int retcode;
+						retcode = mtrr_del( map->mtrr,
+								    map->offset,
+								    map->size );
+						DRM_DEBUG( "mtrr_del=%d\n", retcode );
+					}
+#endif
+					DRM(ioremapfree)( map->handle, map->size, dev );
+					break;
+				case _DRM_SHM:
+					vfree(map->handle);
+					break;
+
+				case _DRM_AGP:
+					/* Do nothing here, because this is all
+					 * handled in the AGP/GART driver.
+					 */
+					break;
+				case _DRM_SCATTER_GATHER:
+					/* Handle it, but do nothing, if HAVE_SG
+					 * isn't defined.
+					 */
 #if __HAVE_SG
-				if(dev->sg) {
-					DRM(sg_cleanup)(dev->sg);
-					dev->sg = NULL;
-				}
+					if(dev->sg) {
+						DRM(sg_cleanup)(dev->sg);
+						dev->sg = NULL;
+					}
 #endif
-				break;
+					break;
+				}
+				DRM(free)(map, sizeof(*map), DRM_MEM_MAPS);
 			}
- 			DRM(free)(map, sizeof(*map), DRM_MEM_MAPS);
+			list_del( list );
+			DRM(free)(r_list, sizeof(*r_list), DRM_MEM_MAPS);
  		}
 		DRM(free)(dev->maplist, sizeof(*dev->maplist), DRM_MEM_MAPS);
 		dev->maplist = NULL;
-- 
2.39.5