[PATCH] staging: fbtft: core: fix potential memory leak in fbtft_probe_common()
fbtft_probe_common() allocates a memory chunk for "info" with
fbtft_framebuffer_alloc(). When "display->buswidth == 0" is true, the
function returns without releasing the "info", which will lead to a
memory leak.
Fix it by calling fbtft_framebuffer_release() when "display->buswidth
== 0" is true.
Signed-off-by: Jianglei Nie
---
drivers/staging/fbtft/fbtft-core.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/staging/fbtft/fbtft-core.c
b/drivers/staging/fbtft/fbtft-core.c
index afaba94d1d1c..ecf595aff786 100644
--- a/drivers/staging/fbtft/fbtft-core.c
+++ b/drivers/staging/fbtft/fbtft-core.c
@@ -1225,6 +1225,7 @@ int fbtft_probe_common(struct fbtft_display *display,
if (display->buswidth == 0) {
dev_err(dev, "buswidth is not set\n");
+ fbtft_framebuffer_release(info);
return -EINVAL;
}
--
2.25.1
[PATCH] drm/amdgpu/mes: Fix an error handling path in amdgpu_mes_self_test()
if amdgpu_mes_ctx_alloc_meta_data() fails, we should call amdgpu_vm_fini()
to handle amdgpu_vm_init().
Add a new lable before amdgpu_vm_init() and goto this lable when
amdgpu_mes_ctx_alloc_meta_data() fails.
Signed-off-by: Jianglei Nie
---
drivers/gpu/drm/amd/amdgpu/amdgpu_mes.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_mes.c
b/drivers/gpu/drm/amd/amdgpu/amdgpu_mes.c
index 69a70a0aaed9..7c196b8ac49f 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_mes.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_mes.c
@@ -1157,7 +1157,7 @@ int amdgpu_mes_self_test(struct amdgpu_device *adev)
r = amdgpu_mes_ctx_alloc_meta_data(adev, _data);
if (r) {
DRM_ERROR("failed to alloc ctx meta data\n");
- goto error_pasid;
+ goto error_fini;
}
ctx_data.meta_data_gpu_addr = AMDGPU_VA_RESERVED_SIZE;
@@ -1215,6 +1215,8 @@ int amdgpu_mes_self_test(struct amdgpu_device *adev)
BUG_ON(amdgpu_bo_reserve(ctx_data.meta_data_obj, true));
amdgpu_vm_bo_del(adev, ctx_data.meta_data_va);
amdgpu_bo_unreserve(ctx_data.meta_data_obj);
+
+error_fini:
amdgpu_vm_fini(adev, vm);
error_pasid:
--
2.25.1
[PATCH] drm/nouveau: fix a use-after-free in nouveau_gem_prime_import_sg_table()
nouveau_bo_init() is backed by ttm_bo_init() and ferries its return code
back to the caller. On failures, ttm will call nouveau_bo_del_ttm() and
free the memory.Thus, when nouveau_bo_init() returns an error, the gem
object has already been released. Then the call to nouveau_bo_ref() will
use the freed "nvbo->bo" and lead to a use-after-free bug.
We should delete the call to nouveau_bo_ref() to avoid the use-after-free.
Signed-off-by: Jianglei Nie
---
drivers/gpu/drm/nouveau/nouveau_prime.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/gpu/drm/nouveau/nouveau_prime.c
b/drivers/gpu/drm/nouveau/nouveau_prime.c
index 347488685f74..9608121e49b7 100644
--- a/drivers/gpu/drm/nouveau/nouveau_prime.c
+++ b/drivers/gpu/drm/nouveau/nouveau_prime.c
@@ -71,7 +71,6 @@ struct drm_gem_object
*nouveau_gem_prime_import_sg_table(struct drm_device *dev,
ret = nouveau_bo_init(nvbo, size, align, NOUVEAU_GEM_DOMAIN_GART,
sg, robj);
if (ret) {
- nouveau_bo_ref(NULL, );
obj = ERR_PTR(ret);
goto unlock;
}
--
2.25.1
[PATCH] drm/amdgpu: Fix reference leak in psp_xgmi_reflect_topology_info()
amdgpu_get_xgmi_hive() increases the kobject reference counter of the hive it returned. The hive returned by amdgpu_get_xgmi_hive() should be released with the help of amdgpu_put_xgmi_hive() to balance its kobject reference counter properly. Forgetting the amdgpu_put_xgmi_hive() operation will result in reference leak. We can fix it by calling amdgpu_put_xgmi_hive() before the end of the function. Signed-off-by: Jianglei Nie --- drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c index e9411c28d88b..7b3a78da1684 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c @@ -1292,6 +1292,7 @@ static void psp_xgmi_reflect_topology_info(struct psp_context *psp, break; } + amdgpu_put_xgmi_hive(hive); } int psp_xgmi_get_topology_info(struct psp_context *psp, -- 2.25.1
[PATCH] drm/amdgpu: Fix reference leak in psp_xgmi_reflect_topology_info()
In line 1138 (#1), amdgpu_get_xgmi_hive() increases the kobject reference
counter of the hive it returned. The hive returned by
amdgpu_get_xgmi_hive()should be released with the help of
amdgpu_put_xgmi_hive() to balance its kobject reference counter properly.
Forgetting the amdgpu_put_xgmi_hive() operation will result in reference
leak.
We can fix it by calling amdgpu_put_xgmi_hive() before the end of the
function (#2).
1128 static void psp_xgmi_reflect_topology_info(struct psp_context *psp,
1129struct psp_xgmi_node_info node_info)
1130 {
1138hive = amdgpu_get_xgmi_hive(psp->adev);
// #1: kzalloc space reference increment
1139list_for_each_entry(mirror_adev, >device_list, gmc.xgmi.head) {
1140struct psp_xgmi_topology_info *mirror_top_info;
1141int j;
1143if (mirror_adev->gmc.xgmi.node_id != dst_node_id)
1144continue;
1146mirror_top_info = _adev->psp.xgmi_context.top_info;
1147for (j = 0; j < mirror_top_info->num_nodes; j++) {
1148if (mirror_top_info->nodes[j].node_id != src_node_id)
1149continue;
1151mirror_top_info->nodes[j].num_hops = dst_num_hops;
1157if (dst_num_links)
1158mirror_top_info->nodes[j].num_links =
dst_num_links;
1160break;
1161}
1163break;
1164}
// #2: missing reference decrement
1165 }
Signed-off-by: Jianglei Nie
---
drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c
b/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c
index c641f84649d6..f6362047ed71 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c
@@ -1162,6 +1162,7 @@ static void psp_xgmi_reflect_topology_info(struct
psp_context *psp,
break;
}
+ amdgpu_put_xgmi_hive(hive);
}
int psp_xgmi_get_topology_info(struct psp_context *psp,
--
2.25.1
