| Message ID | YMinJwpIei9n1Pn1@mwanda (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | drm/nouveau: fix double free in nouveau_gem_new() | expand |
diff --git a/drivers/gpu/drm/nouveau/nouveau_gem.c b/drivers/gpu/drm/nouveau/nouveau_gem.c index c88cbb85f101..d612c1a720f8 100644 --- a/drivers/gpu/drm/nouveau/nouveau_gem.c +++ b/drivers/gpu/drm/nouveau/nouveau_gem.c @@ -211,10 +211,8 @@ nouveau_gem_new(struct nouveau_cli *cli, u64 size, int align, uint32_t domain, } ret = nouveau_bo_init(nvbo, size, align, domain, NULL, NULL); - if (ret) { - nouveau_bo_ref(NULL, &nvbo); + if (ret) return ret; - } /* we restrict allowed domains on nv50+ to only the types * that were requested at creation time. not possibly on
The ttm_bo_init_reserved() function calls ttm_bo_put(bo) which calls nouveau_bo_del_ttm() which frees the "nvbo.bo" so the nouveau_bo_ref() call leads to a double free. Fixes: 019cbd4a4feb ("drm/nouveau: Initialize GEM object before TTM object") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> --- This fix is obvious enough and fixes my double free, but unfortunately there are other bugs here so my system still hangs when I try to open ten latest version Firefox windows in a row. drivers/gpu/drm/nouveau/nouveau_gem.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-)