Commit 8f8ef09f authored by Jani Nikula

drm/i915/panic: fix panic structure allocation memory leak



Separating the panic allocation from framebuffer allocation in commit
729c5f7f ("drm/{i915,xe}/panic: move framebuffer allocation where it
belongs") failed to deallocate the panic structure anywhere.

The fix is two-fold. First, free the panic structure in
intel_user_framebuffer_destroy() in the general case. Second, move the
panic allocation later to intel_framebuffer_init() to not leak the panic
structure in error paths (if any, now or later) between
intel_framebuffer_alloc() and intel_framebuffer_init().

v2: Rebase

Fixes: 729c5f7f ("drm/{i915,xe}/panic: move framebuffer allocation where it belongs")
Cc: Jocelyn Falempe <jfalempe@redhat.com>
Cc: Maarten Lankhorst <dev@lankhorst.se>
Reported-by: Michał Grzelak <michal.grzelak@intel.com>
Suggested-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Tested-by: Michał Grzelak <michal.grzelak@intel.com> # v1
Reviewed-by: Jocelyn Falempe <jfalempe@redhat.com>
Link: https://lore.kernel.org/r/20251015095135.2183415-1-jani.nikula@intel.com


Signed-off-by: Jani Nikula <jani.nikula@intel.com>
parent 682505a0
+13 −12
@@ -2114,6 +2114,7 @@ static void intel_user_framebuffer_destroy(struct drm_framebuffer *fb)

	intel_frontbuffer_put(intel_fb->frontbuffer);

	kfree(intel_fb->panic);
	kfree(intel_fb);
}

@@ -2212,16 +2213,22 @@ int intel_framebuffer_init(struct intel_framebuffer *intel_fb,
	struct intel_display *display = to_intel_display(obj->dev);
	struct drm_framebuffer *fb = &intel_fb->base;
	u32 max_stride;
	int ret = -EINVAL;
	int ret;
	int i;

	intel_fb->panic = intel_panic_alloc();
	if (!intel_fb->panic)
		return -ENOMEM;

	/*
	 * intel_frontbuffer_get() must be done before
	 * intel_fb_bo_framebuffer_init() to avoid set_tiling vs. addfb race.
	 */
	intel_fb->frontbuffer = intel_frontbuffer_get(obj);
	if (!intel_fb->frontbuffer)
		return -ENOMEM;
	if (!intel_fb->frontbuffer) {
		ret = -ENOMEM;
		goto err_free_panic;
	}

	ret = intel_fb_bo_framebuffer_init(obj, mode_cmd);
	if (ret)
@@ -2320,6 +2327,9 @@ int intel_framebuffer_init(struct intel_framebuffer *intel_fb,
	intel_fb_bo_framebuffer_fini(obj);
err_frontbuffer_put:
	intel_frontbuffer_put(intel_fb->frontbuffer);
err_free_panic:
	kfree(intel_fb->panic);

	return ret;
}

@@ -2346,20 +2356,11 @@ intel_user_framebuffer_create(struct drm_device *dev,
struct intel_framebuffer *intel_framebuffer_alloc(void)
{
	struct intel_framebuffer *intel_fb;
	struct intel_panic *panic;

	intel_fb = kzalloc(sizeof(*intel_fb), GFP_KERNEL);
	if (!intel_fb)
		return NULL;

	panic = intel_panic_alloc();
	if (!panic) {
		kfree(intel_fb);
		return NULL;
	}

	intel_fb->panic = panic;

	return intel_fb;
}
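Review bot: At `err_free_panic` in intel_framebuffer_init() the panic structure is freed but `intel_fb->panic` is left pointing at the freed memory, while intel_user_framebuffer_destroy() now also calls `kfree(intel_fb->panic)`. The callers are outside these hunks, so it is not visible whether any of them can reach the destroy path, or call init again, on an intel_fb whose init failed; if one can, the result is a double free. Clearing the pointer makes the error path safe regardless of the caller: follow `kfree(intel_fb->panic);` with `intel_fb->panic = NULL;`. The middle of intel_framebuffer_init() is also outside the hunks, so it is worth confirming that every `goto` there assigns `ret`, given that the `-EINVAL` initialiser appears to have been dropped.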