I don't totally understand the stack trace but I do see a double free
bug.
drivers/gpu/drm/vgem/vgem_drv.c
   186  static struct drm_gem_object *vgem_gem_create(struct drm_device *dev,
   187                                                struct drm_file *file,
   188                                                unsigned int *handle,
   189                                                unsigned long size)
   190  {
   191          struct drm_vgem_gem_object *obj;
   192          int ret;
   193
   194          obj = __vgem_gem_create(dev, size);

obj->base.handle_count is zero.

   195          if (IS_ERR(obj))
   196                  return ERR_CAST(obj);
   197
   198          ret = drm_gem_handle_create(file, &obj->base, handle);

We bump it +1 and then the error handling calls
drm_gem_object_handle_put_unlocked(obj), which calls
drm_gem_object_put_unlocked(), which frees obj.

   199          drm_gem_object_put_unlocked(&obj->base);

So this is a double free. Could someone check my thinking and send
a patch? It's just a one liner. Otherwise I can send it on Monday.

   200          if (ret)
   201                  return ERR_PTR(ret);
   202
   203          return &obj->base;
   204  }
regards,
dan carpenter
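The ownership hazard the mail is reasoning about is a callee that releases the caller's reference on its own error path. The following is an added C model with hypothetical names (obj, handle_create, create_double_put), not code from the kernel or from this thread; it encodes the contract as the mail reads it (the callee owns the handed-in reference on success and drops it on failure) and follows it through both paths, so the safe caller hands the reference over and never puts it again. Frees are counted rather than performed so a double release is observable as a number.

```c
#include <errno.h>

/* Constructed model with hypothetical names, not DRM code. It encodes the
 * contract the mail attributes to drm_gem_handle_create(): the callee owns
 * the caller's reference on success and drops it on failure. Frees are
 * counted, not performed, so a double release shows up as a number. */
struct obj {
    int refcount;     /* start at 1: the creator's reference */
    int handle_count; /* handles currently pointing at the object */
    int freed;        /* times the kfree() stand-in ran; >1 is a double free */
};

static void obj_put(struct obj *o)
{
    if (--o->refcount <= 0)
        o->freed++;   /* counts again if a put lands on an already freed object */
}

static int handle_create(struct obj *o, int simulate_failure)
{
    o->handle_count++;
    if (!simulate_failure)
        return 0;                 /* the handle table now owns the reference */
    if (--o->handle_count == 0)
        obj_put(o);               /* error path releases the object itself */
    return -ENOMEM;
}

static void handle_destroy(struct obj *o)
{
    if (--o->handle_count == 0)
        obj_put(o);
}

/* Shape from the mail: put unconditionally after handle_create(). After a
 * failed call this is the second release of the same object. */
static int create_double_put(struct obj *o, int fail)
{
    int ret = handle_create(o, fail);
    obj_put(o);
    return ret;
}

/* Caller that honours the consuming contract: the reference is handed over
 * and never touched again, on either path. */
static int create_fixed(struct obj *o, int fail)
{
    return handle_create(o, fail);
}
```

On the success path the unconditional put also frees the object while a handle still points at it, which the same counters expose.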
From: Colin Ian King <colin.king(a)canonical.com>
The -ENOTTY error return path does not free the allocated
kdata as it returns directly. Fix this by returning via the
error handling label err.
Addresses-Coverity: ("Resource leak")
Fixes: c02a81fba74f ("dma-buf: Add dma-buf heaps framework")
Signed-off-by: Colin Ian King <colin.king(a)canonical.com>
---
drivers/dma-buf/dma-heap.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/dma-buf/dma-heap.c b/drivers/dma-buf/dma-heap.c
index 4f04d104ae61..80f2f5eac1e4 100644
--- a/drivers/dma-buf/dma-heap.c
+++ b/drivers/dma-buf/dma-heap.c
@@ -157,7 +157,8 @@ static long dma_heap_ioctl(struct file *file, unsigned int ucmd,
ret = dma_heap_ioctl_allocate(file, kdata);
break;
default:
- return -ENOTTY;
+ ret = -ENOTTY;
+ goto err;
}
if (copy_to_user((void __user *)arg, kdata, out_size) != 0)
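Review bot: the err label that the new "goto err" relies on is outside this hunk; confirm it frees kdata and returns ret, since the leak is only fixed if the buffer is released there and the -ENOTTY value survives that path. A smaller point on the same hunk: ucmd is known before kdata is allocated, so rejecting an unknown command up front would avoid the allocate-then-free round trip on the -ENOTTY path and let the default: case stay a plain return; if the allocate-then-switch structure is kept, this is the right minimal fix.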
--
2.24.0