From: Dan Carpenter <dan.carpenter@oracle.com>
To: Ben Skeggs <bskeggs@redhat.com>
Cc: David Airlie <airlied@linux.ie>, Daniel Vetter <daniel@ffwll.ch>,
Thierry Reding <treding@nvidia.com>,
Gerd Hoffmann <kraxel@redhat.com>,
dri-devel@lists.freedesktop.org, nouveau@lists.freedesktop.org,
kernel-janitors@vger.kernel.org
Subject: [PATCH] drm/nouveau: fix double free in nouveau_gem_new()
Date: Tue, 15 Jun 2021 16:12:07 +0300
Message-ID: <YMinJwpIei9n1Pn1@mwanda>

The ttm_bo_init_reserved() function calls ttm_bo_put(bo) which calls
nouveau_bo_del_ttm() which frees the "nvbo.bo" so the nouveau_bo_ref()
call leads to a double free.
Fixes: 019cbd4a4feb ("drm/nouveau: Initialize GEM object before TTM object")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
This fix is obvious enough and fixes my double free, but unfortunately
there are other bugs here so my system still hangs when I try to open
ten latest version Firefox windows in a row.
drivers/gpu/drm/nouveau/nouveau_gem.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/drivers/gpu/drm/nouveau/nouveau_gem.c b/drivers/gpu/drm/nouveau/nouveau_gem.c
index c88cbb85f101..d612c1a720f8 100644
--- a/drivers/gpu/drm/nouveau/nouveau_gem.c
+++ b/drivers/gpu/drm/nouveau/nouveau_gem.c
@@ -211,10 +211,8 @@ nouveau_gem_new(struct nouveau_cli *cli, u64 size, int align, uint32_t domain,
}
ret = nouveau_bo_init(nvbo, size, align, domain, NULL, NULL);
- if (ret) {
- nouveau_bo_ref(NULL, &nvbo);
+ if (ret)
return ret;
- }
/* we restrict allowed domains on nv50+ to only the types
* that were requested at creation time. not possibly on
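Review bot: the bare "if (ret) return ret;" after nouveau_bo_init() now depends on an ownership rule that is not visible at the call site, namely that on failure the callee has already dropped the last reference to nvbo. A one-line comment above the return saying that nvbo is freed on error through ttm_bo_put() and must not be touched by the caller would keep a later cleanup from reintroducing the nouveau_bo_ref(NULL, &nvbo) call. The commit message describes the release only for the ttm_bo_init_reserved() failure path, so it is worth confirming that nouveau_bo_init() has no other error return that skips that path, since any such return would leak nvbo once this unref is removed.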
--
2.30.2