[PATCH] drm/gem-shmem: When drm_gem_object_init failed, should release object

Wed Nov 9 09:07:45 UTC 2022

Hi,

drm_gem_object_init() will do these before failed:

void drm_gem_private_object_init(struct drm_device *dev,
                                 struct drm_gem_object *obj, size_t
size) {
        BUG_ON((size & (PAGE_SIZE - 1)) != 0);

        obj->dev = dev;
        obj->filp = NULL;

        kref_init(&obj->refcount);
        obj->handle_count = 0;
        obj->size = size;
        dma_resv_init(&obj->_resv);
        if (!obj->resv)
                obj->resv = &obj->_resv;

        drm_vma_node_reset(&obj->vma_node);
        INIT_LIST_HEAD(&obj->lru_node);
}

so I think when it failed, should use drm_gem_object_release()
to do dma_resv_fini() and others.

another, if drm_gem_object_init() fails, the drm_gem_handle_create()
can not be called.

于 Tue, 8 Nov 2022 09:28:34 +0100
Thomas Zimmermann <tzimmermann at suse.de> 写道:

> Hi
> 
> Am 08.11.22 um 03:03 schrieb ChunyouTang:
> > when goto err_free, the object had init, so it should be release
> > when fail.
> 
> If the call to drm_gem_object_init() fails, the object is still 
> uninitialized. Admittedly, the call to gem_create_object could need 
> additional cleanup, but it appears as if no one has had a need for
> this so far.
> 
> Is there anything that might leak?
> 
> > 
> > Signed-off-by: ChunyouTang <tangchunyou at 163.com>
> > ---
> >   drivers/gpu/drm/drm_gem_shmem_helper.c | 4 ++--
> >   1 file changed, 2 insertions(+), 2 deletions(-)
> > 
> > diff --git a/drivers/gpu/drm/drm_gem_shmem_helper.c
> > b/drivers/gpu/drm/drm_gem_shmem_helper.c index
> > 35138f8a375c..2e5e3207355f 100644 ---
> > a/drivers/gpu/drm/drm_gem_shmem_helper.c +++
> > b/drivers/gpu/drm/drm_gem_shmem_helper.c @@ -104,10 +104,10 @@
> > __drm_gem_shmem_create(struct drm_device *dev, size_t size, bool
> > private) return shmem;
> >   
> > -err_release:
> > -	drm_gem_object_release(obj);
> >   err_free:
> >   	kfree(obj);
> > +err_release:
> > +	drm_gem_object_release(obj);
> 
> You have now freed the object's memory before releasing it. Not going
> to work.
> 
> Best regards
> Thomas
> 
> >   
> >   	return ERR_PTR(ret);
> >   }
> 