[PATCH RESEND] drm/msm: fix a potential memory leak issue in submit_create()
Rob Clark
robdclark at gmail.com
Sun May 4 15:46:59 UTC 2025
On Wed, Apr 23, 2025 at 8:28 PM Haoxiang Li <haoxiang_li2024 at 163.com> wrote:
>
> The memory allocated by msm_fence_alloc() is actually the
> container of msm_fence_alloc()'s return value. Thus, just
> freeing its return value is not enough.
> Add a helper 'msm_fence_free()' in msm_fence.h/msm_fence.c
> to do the complete job.
>
> Fixes: f94e6a51e17c ("drm/msm: Pre-allocate hw_fence")
> Cc: stable at vger.kernel.org
> Signed-off-by: Haoxiang Li <haoxiang_li2024 at 163.com>
> ---
> drivers/gpu/drm/msm/msm_fence.c | 7 +++++++
> drivers/gpu/drm/msm/msm_fence.h | 1 +
> drivers/gpu/drm/msm/msm_gem_submit.c | 2 +-
> 3 files changed, 9 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/msm/msm_fence.c b/drivers/gpu/drm/msm/msm_fence.c
> index d41e5a6bbee0..72641e6a627d 100644
> --- a/drivers/gpu/drm/msm/msm_fence.c
> +++ b/drivers/gpu/drm/msm/msm_fence.c
> @@ -183,6 +183,13 @@ msm_fence_alloc(void)
> return &f->base;
> }
>
> +void msm_fence_free(struct dma_fence *fence)
> +{
> + struct msm_fence *f = to_msm_fence(fence);
> +
> + kfree(f);
> +}
> +
> void
> msm_fence_init(struct dma_fence *fence, struct msm_fence_context *fctx)
> {
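Review bot: msm_fence_free() has no comment saying when it may be called, and it calls kfree() on the container unconditionally. A short comment above the function stating that it is only for a fence returned by msm_fence_alloc() that was never passed to msm_fence_init() would keep it from being used on a live, reference-counted fence. It is also worth noting there that msm_fence_alloc() returns `&f->base`, so the helper's correctness depends on to_msm_fence() recovering exactly the pointer that was allocated.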
> diff --git a/drivers/gpu/drm/msm/msm_fence.h b/drivers/gpu/drm/msm/msm_fence.h
> index 148196375a0b..635c68629070 100644
> --- a/drivers/gpu/drm/msm/msm_fence.h
> +++ b/drivers/gpu/drm/msm/msm_fence.h
> @@ -82,6 +82,7 @@ bool msm_fence_completed(struct msm_fence_context *fctx, uint32_t fence);
> void msm_update_fence(struct msm_fence_context *fctx, uint32_t fence);
>
> struct dma_fence * msm_fence_alloc(void);
> +void msm_fence_free(struct dma_fence *fence);
> void msm_fence_init(struct dma_fence *fence, struct msm_fence_context *fctx);
>
> static inline bool
> diff --git a/drivers/gpu/drm/msm/msm_gem_submit.c b/drivers/gpu/drm/msm/msm_gem_submit.c
> index 3e9aa2cc38ef..213baa5bca5e 100644
> --- a/drivers/gpu/drm/msm/msm_gem_submit.c
> +++ b/drivers/gpu/drm/msm/msm_gem_submit.c
> @@ -56,7 +56,7 @@ static struct msm_gem_submit *submit_create(struct drm_device *dev,
>
> ret = drm_sched_job_init(&submit->base, queue->entity, 1, queue);
> if (ret) {
> - kfree(submit->hw_fence);
> + msm_fence_free(submit->hw_fence);

`struct dma_fence base` is the first field in `struct msm_fence`, so
to_msm_fence() is just a pointer cast. I.e. it is fine to pass it to
kfree() as-is.

BR,
-R

> kfree(submit);
> return ERR_PTR(ret);
> }
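Review bot: the replacement of `kfree(submit->hw_fence)` with `msm_fence_free(submit->hw_fence)` in the drm_sched_job_init() error path does not change which pointer is freed if, as the reply inside this hunk states, `base` is the first field of `struct msm_fence`. In that case the old code already released the whole container, so the "memory leak" wording, the Fixes: tag and the Cc: stable line in the commit message are not justified by this hunk. If the helper is kept for readability, the commit message should describe it as a cleanup and drop those tags.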
> --
> 2.25.1
>
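The layout argument made in the reply above, as an added userspace C example (not code from this thread or from the kernel): it compares a container whose embedded object is the first field with a hypothetical one where it is not. The names `struct base`, `fence_first` and `fence_later` are stand-ins invented for the illustration, and `container_of()` is a simplified userspace copy of the kernel macro.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Userspace stand-in for the kernel's container_of(). */
#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))
struct base { int refcount; };          /* stand-in for struct dma_fence */

struct fence_first {                    /* layout the reply describes */
    struct base base;                   /* embedded object is the first field */
    int seqno;
};

struct fence_later {                    /* hypothetical counter-example */
    int seqno;
    struct base base;                   /* embedded object is NOT first */
};

/* Returns 1 when the embedded pointer equals the allocation's address,
 * i.e. when passing it straight to free()/kfree() releases the container. */
int first_layout_safe(void)
{
    struct fence_first *f = calloc(1, sizeof(*f));
    if (!f) abort();
    struct base *b = &f->base;          /* what an alloc helper hands out */
    int same = (void *)container_of(b, struct fence_first, base) == (void *)b;
    free(b);                            /* valid: b and f are the same address */
    return same;
}

/* Returns how many bytes into the allocation the embedded pointer sits.
 * Non-zero means free(b) would be invalid and the container must be freed. */
size_t later_layout_gap(void)
{
    struct fence_later *f = calloc(1, sizeof(*f));
    if (!f) abort();
    struct base *b = &f->base;
    struct fence_later *c = container_of(b, struct fence_later, base);
    size_t gap = (size_t)((char *)b - (char *)c);
    free(c);                            /* free the recovered container */
    return gap;
}

int main(void)
{
    printf("first-field layout: free(&f->base) ok = %d\n", first_layout_safe());
    printf("later-field layout: pointer is %zu bytes in\n", later_layout_gap());
    return 0;
}
```

A helper like the one proposed in the patch only changes behaviour in the second layout; with the first layout both forms free the same address.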