[PATCH] drm/xe: Fix bo leak in intel_fb_bo_framebuffer_init

[Lucas De Marchi]

On Thu, Mar 21, 2024 at 03:56:23PM -0400, Rodrigo Vivi wrote:
>On Thu, Mar 21, 2024 at 03:56:44PM +0100, Maarten Lankhorst wrote:
>> Add a reference to bo after all error paths, to prevent leaking a bo
>> ref.
>>
>> Return 0 to clarify that this is the success path.
>>
>> Signed-off-by: Maarten Lankhorst <maarten.lankhorst at linux.intel.com>
>> Fixes: 44e694958b95 ("drm/xe/display: Implement display support")
>> Cc: <stable at vger.kernel.org> # v6.8+
>> ---
>>  drivers/gpu/drm/xe/display/intel_fb_bo.c | 5 ++---
>>  1 file changed, 2 insertions(+), 3 deletions(-)
>>
>> diff --git a/drivers/gpu/drm/xe/display/intel_fb_bo.c b/drivers/gpu/drm/xe/display/intel_fb_bo.c
>> index b21da7b745a5..7262bbca9baf 100644
>> --- a/drivers/gpu/drm/xe/display/intel_fb_bo.c
>> +++ b/drivers/gpu/drm/xe/display/intel_fb_bo.c
>> @@ -27,8 +27,6 @@ int intel_fb_bo_framebuffer_init(struct intel_framebuffer *intel_fb,
>>  	struct drm_i915_private *i915 = to_i915(bo->ttm.base.dev);
>>  	int ret;
>>
>> -	xe_bo_get(bo);
>> -
>>  	ret = ttm_bo_reserve(&bo->ttm, true, false, NULL);
>>  	if (ret)
>>  		return ret;
>> @@ -48,7 +46,8 @@ int intel_fb_bo_framebuffer_init(struct intel_framebuffer *intel_fb,
>>  	}
>>  	ttm_bo_unreserve(&bo->ttm);
>>
>> -	return ret;
>> +	xe_bo_get(bo);
>
>wouldn't be safer to keep the get in the beginning of everything else
>and then if in an error path you xe_bo_put(bo); ?!

yes, I was thinking exactly that. Otherwise it's harder to reason about
the lifetime of the object and why the bo couldn't disappear after e.g.
ttm_bo_reserve() and cause use-after-free.

Lucas De Marchi

>
>> +	return 0;
>>  }
>>
>>  struct xe_bo *intel_fb_bo_lookup_valid_bo(struct drm_i915_private *i915,
>> --
>> 2.43.0
>>