-----邮件原件-----
发件人: bernard@xxxxxxxx <bernard@xxxxxxxx> 代表 Jani Nikula
发送时间: 2021年12月31日 19:09
收件人: 赵军奎 <bernard@xxxxxxxx>; Maarten Lankhorst <maarten.lankhorst@xxxxxxxxxxxxxxx>; Maxime Ripard <mripard@xxxxxxxxxx>; Thomas Zimmermann <tzimmermann@xxxxxxx>; David Airlie <airlied@xxxxxxxx>; Daniel Vetter <daniel@xxxxxxxx>; dri-devel@xxxxxxxxxxxxxxxxxxxxx; linux-kernel@xxxxxxxxxxxxxxx
抄送: 赵军奎 <bernard@xxxxxxxx>
主题: Re: [PATCH] gpu/drm: fix potential memleak in error branch
On Tue, 16 Nov 2021, Bernard Zhao <bernard@xxxxxxxx> wrote:
> This patch try to fix potential memleak in error branch.
>Please elaborate.
Hi Jani:
This patch try to fix potential memleak in error branch.
For example:
nv50_sor_create ->nv50_mstm_new-> drm_dp_mst_topology_mgr_init
In function drm_dp_mst_topology_mgr_init, there are five error branches, error branch just return error code, no free called.
And we see that the caller didn`t do the drm_dp_mst_topology_mgr_destroy job.
I am not sure if there some gap, I think this may bring in the risk of memleak issue.
Thanks!
BR//Bernard
>BR,
>Jani.
>
> Signed-off-by: Bernard Zhao <bernard@xxxxxxxx>
> ---
> drivers/gpu/drm/drm_dp_mst_topology.c | 22 ++++++++++++++++------
> 1 file changed, 16 insertions(+), 6 deletions(-)
>
> diff --git a/drivers/gpu/drm/drm_dp_mst_topology.c
> b/drivers/gpu/drm/drm_dp_mst_topology.c
> index f3d79eda94bb..f73b180dee73 100644
> --- a/drivers/gpu/drm/drm_dp_mst_topology.c
> +++ b/drivers/gpu/drm/drm_dp_mst_topology.c
> @@ -5501,7 +5501,10 @@ int drm_dp_mst_topology_mgr_init(struct drm_dp_mst_topology_mgr *mgr,
> int max_lane_count, int max_link_rate,
> int conn_base_id)
> {
> - struct drm_dp_mst_topology_state *mst_state;
> + struct drm_dp_mst_topology_state *mst_state = NULL;
> +
> + mgr->payloads = NULL;
> + mgr->proposed_vcpis = NULL;
>
> mutex_init(&mgr->lock);
> mutex_init(&mgr->qlock);
> @@ -5523,7 +5526,7 @@ int drm_dp_mst_topology_mgr_init(struct drm_dp_mst_topology_mgr *mgr,
> */
> mgr->delayed_destroy_wq = alloc_ordered_workqueue("drm_dp_mst_wq", 0);
> if (mgr->delayed_destroy_wq == NULL)
> - return -ENOMEM;
> + goto out;
>
> INIT_WORK(&mgr->work, drm_dp_mst_link_probe_work);
> INIT_WORK(&mgr->tx_work, drm_dp_tx_work); @@ -5539,18 +5542,18 @@
> int drm_dp_mst_topology_mgr_init(struct drm_dp_mst_topology_mgr *mgr,
> mgr->conn_base_id = conn_base_id;
> if (max_payloads + 1 > sizeof(mgr->payload_mask) * 8 ||
> max_payloads + 1 > sizeof(mgr->vcpi_mask) * 8)
> - return -EINVAL;
> + goto failed;
> mgr->payloads = kcalloc(max_payloads, sizeof(struct drm_dp_payload), GFP_KERNEL);
> if (!mgr->payloads)
> - return -ENOMEM;
> + goto failed;
> mgr->proposed_vcpis = kcalloc(max_payloads, sizeof(struct drm_dp_vcpi *), GFP_KERNEL);
> if (!mgr->proposed_vcpis)
> - return -ENOMEM;
> + goto failed;
> set_bit(0, &mgr->payload_mask);
>
> mst_state = kzalloc(sizeof(*mst_state), GFP_KERNEL);
> if (mst_state == NULL)
> - return -ENOMEM;
> + goto failed;
>
> mst_state->total_avail_slots = 63;
> mst_state->start_slot = 1;
> @@ -5563,6 +5566,13 @@ int drm_dp_mst_topology_mgr_init(struct drm_dp_mst_topology_mgr *mgr,
> &drm_dp_mst_topology_state_funcs);
>
> return 0;
> +
> +failed:
> + kfree(mgr->proposed_vcpis);
> + kfree(mgr->payloads);
> + destroy_workqueue(mgr->delayed_destroy_wq);
> +out:
> + return -ENOMEM;
> }
> EXPORT_SYMBOL(drm_dp_mst_topology_mgr_init);
--
Jani Nikula, Intel Open Source Graphics Center
