In qxl_bo_create(), the temporary 'bo' is allocated through kzalloc(). However, it is not deallocated in the following execution if ttm_bo_init() fails, leading to a memory leak bug. To fix this issue, free 'bo' before returning the error.
Signed-off-by: Wenwen Wang wenwen@cs.uga.edu --- drivers/gpu/drm/qxl/qxl_object.c | 1 + 1 file changed, 1 insertion(+)
diff --git a/drivers/gpu/drm/qxl/qxl_object.c b/drivers/gpu/drm/qxl/qxl_object.c index 4928fa6..3b217fa 100644 --- a/drivers/gpu/drm/qxl/qxl_object.c +++ b/drivers/gpu/drm/qxl/qxl_object.c @@ -118,6 +118,7 @@ int qxl_bo_create(struct qxl_device *qdev, dev_err(qdev->ddev.dev, "object_init failed for (%lu, 0x%08X)\n", size, domain); + kfree(bo); return r; } *bo_ptr = bo;
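Review bot: the added kfree(bo) on the error path after the "object_init failed" dev_err assumes the caller still owns 'bo' when the init call fails, and neither the hunk nor the commit message shows that. If the init routine already runs the destroy callback on failure, as the reply in this thread says ttm_bo_init() does with qxl_ttm_bo_destroy, this line frees 'bo' a second time. Suggest dropping the kfree(), or, if a leak is still suspected, naming the exact failure path in ttm_bo_init() that returns without invoking the destroy callback.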
On Mon, Aug 19, 2019 at 01:08:18PM -0500, Wenwen Wang wrote:
> In qxl_bo_create(), the temporary 'bo' is allocated through kzalloc(). However, it is not deallocated in the following execution if ttm_bo_init() fails, leading to a memory leak bug. To fix this issue, free 'bo' before returning the error.
No. ttm_bo_init() calls the destroy callback (qxl_ttm_bo_destroy for qxl) on failure, which will properly clean up 'bo' and also free it.
cheers, Gerd
dri-devel@lists.freedesktop.org
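The ownership rule described in the reply above, as an added example that is not part of the original thread or the kernel source: a userspace C model in which the init routine runs the destroy callback on failure, so the caller must not free the object again. The names obj_init, obj_destroy and obj_create are hypothetical stand-ins, not kernel APIs.

```c
#include <errno.h>
#include <stdlib.h>

/* Userspace model with hypothetical names; not the kernel's TTM code. */
struct obj { int id; };
static int destroy_calls;            /* how many times the callback ran */

static void obj_destroy(struct obj *o)
{
    destroy_calls++;
    free(o);                         /* the callback releases the memory */
}

/* Stand-in for the init call: it owns 'o' and destroys it on failure. */
static int obj_init(struct obj *o, void (*destroy)(struct obj *), int fail)
{
    if (fail) {
        destroy(o);                  /* 'o' is freed before returning */
        return -ENOMEM;
    }
    o->id = 1;
    return 0;
}

/* Correct caller: after a failed init, 'o' is dangling and is left alone. */
static int obj_create(struct obj **out, int fail)
{
    struct obj *o = calloc(1, sizeof(*o));
    int r;

    *out = NULL;
    if (!o)
        return -ENOMEM;
    r = obj_init(o, obj_destroy, fail);
    if (r)
        return r;                    /* no free(o): that would be a double free */
    *out = o;
    return 0;
}

int main(void)
{
    struct obj *p;
    int r = obj_create(&p, 1);       /* force the failure path */
    return (r == -ENOMEM && destroy_calls == 1) ? 0 : 1;
}
```

Adding a free(o) in the failure branch of obj_create() would release the same pointer twice, which AddressSanitizer reports as a double free.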