LinuxLists.cc - [PATCH] drm/xen: fix potential memleak in error branch

2021-11-15 03:51:50

Subject: [PATCH] drm/xen: fix potential memleak in error branch

In function xen_drm_front_gem_import_sg_table, if in error branch,
there maybe potential memleak if not call gem_free_pages_array.

Signed-off-by: Bernard Zhao <[email protected]>
---
drivers/gpu/drm/xen/xen_drm_front_gem.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/xen/xen_drm_front_gem.c b/drivers/gpu/drm/xen/xen_drm_front_gem.c
index b293c67230ef..732c3eec0666 100644
--- a/drivers/gpu/drm/xen/xen_drm_front_gem.c
+++ b/drivers/gpu/drm/xen/xen_drm_front_gem.c
@@ -222,15 +222,19 @@ xen_drm_front_gem_import_sg_table(struct drm_device *dev,

ret = drm_prime_sg_to_page_array(sgt, xen_obj->pages,
xen_obj->num_pages);
- if (ret < 0)
+ if (ret < 0) {
+ gem_free_pages_array(xen_obj);
return ERR_PTR(ret);
+ }

ret = xen_drm_front_dbuf_create(drm_info->front_info,
xen_drm_front_dbuf_to_cookie(&xen_obj->base),
0, 0, 0, size, sgt->sgl->offset,
xen_obj->pages);
- if (ret < 0)
+ if (ret < 0) {
+ gem_free_pages_array(xen_obj);
return ERR_PTR(ret);
+ }

DRM_DEBUG("Imported buffer of size %zu with nents %u\n",
size, sgt->orig_nents);
--
2.33.1

2021-11-15 14:05:03

by Oleksandr Andrushchenko

[permalink] [raw]

Subject: Re: [PATCH] drm/xen: fix potential memleak in error branch

Hi, Bernard!

On 15.11.21 05:45, Bernard Zhao wrote:
> In function xen_drm_front_gem_import_sg_table, if in error branch,
> there maybe potential memleak if not call gem_free_pages_array.
>
> Signed-off-by: Bernard Zhao <[email protected]>
> ---
> drivers/gpu/drm/xen/xen_drm_front_gem.c | 8 ++++++--
> 1 file changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/gpu/drm/xen/xen_drm_front_gem.c b/drivers/gpu/drm/xen/xen_drm_front_gem.c
> index b293c67230ef..732c3eec0666 100644
> --- a/drivers/gpu/drm/xen/xen_drm_front_gem.c
> +++ b/drivers/gpu/drm/xen/xen_drm_front_gem.c
> @@ -222,15 +222,19 @@ xen_drm_front_gem_import_sg_table(struct drm_device *dev,
>
> ret = drm_prime_sg_to_page_array(sgt, xen_obj->pages,
> xen_obj->num_pages);
> - if (ret < 0)
> + if (ret < 0) {
> + gem_free_pages_array(xen_obj);
> return ERR_PTR(ret);
> + }
This will be deleted on the fail path of the import by removing the GEM
object, so xen_drm_front_gem_free_object_unlocked will take care of this
>
> ret = xen_drm_front_dbuf_create(drm_info->front_info,
> xen_drm_front_dbuf_to_cookie(&xen_obj->base),
> 0, 0, 0, size, sgt->sgl->offset,
> xen_obj->pages);
> - if (ret < 0)
> + if (ret < 0) {
> + gem_free_pages_array(xen_obj);
> return ERR_PTR(ret);
> + }
>
> DRM_DEBUG("Imported buffer of size %zu with nents %u\n",
> size, sgt->orig_nents);
Thank you,
Oleksandr