On Thu, May 25, 2023 at 2:31 AM Ben Skeggs <skeggsb@xxxxxxxxx> wrote: > > From: Ben Skeggs <bskeggs@xxxxxxxxxx> > > DRM cleanup paths unconditionally call nvif_mmu_dtor() for clients, > which would result in a double-free if nvif_mmu_ctor()'d previously > failed. > > Signed-off-by: Ben Skeggs <bskeggs@xxxxxxxxxx> > --- > drivers/gpu/drm/nouveau/nvif/mmu.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/drivers/gpu/drm/nouveau/nvif/mmu.c b/drivers/gpu/drm/nouveau/nvif/mmu.c > index 3709cbbc19a1..c9dd3cff49a0 100644 > --- a/drivers/gpu/drm/nouveau/nvif/mmu.c > +++ b/drivers/gpu/drm/nouveau/nvif/mmu.c > @@ -27,6 +27,9 @@ > void > nvif_mmu_dtor(struct nvif_mmu *mmu) > { > + if (!nvif_object_constructed(&mmu->object)) > + return; > + nvif_mmu_ctor seems to be calling into this in its clean up path, so this could now leak memory in case nvif_mmu_ctor fails, no? > kfree(mmu->kind); > kfree(mmu->type); > kfree(mmu->heap); > -- > 2.40.1 >
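Review bot: The early `return` added at the top of nvif_mmu_dtor() skips the three kfree() calls that follow it, so the guard is only correct if mmu->kind, mmu->type and mmu->heap can never hold live allocations while mmu->object is not yet constructed; the hunk does not show the ctor's error path, so the commit message should state that ordering explicitly rather than only describing the double-free. The underlying double-free exists because the kfree()'d pointers are left dangling, which a second nvif_mmu_dtor() call from the DRM cleanup path then frees again; an alternative that stays correct regardless of object state is to make the dtor idempotent by clearing each pointer after freeing it, e.g. `kfree(mmu->kind); mmu->kind = NULL;` (kfree(NULL) is a no-op), or to use the constructed-state check only around the nvif_object_dtor() part of the teardown.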