[Nouveau] [PATCH] drm/nouveau/core/object: fix double free on error in nvkm_ioctl_new()

From: Dan Carpenter <dan.carpenter@oracle.com>
To: Ben Skeggs <bskeggs@redhat.com>
Cc: David Airlie <airlied@linux.ie>,
	nouveau@lists.freedesktop.org, dri-devel@lists.freedesktop.org,
	Daniel Vetter <daniel@ffwll.ch>
Subject: [Nouveau] [PATCH] drm/nouveau/core/object: fix double free on error in nvkm_ioctl_new()
Date: Mon, 14 Jun 2021 13:43:27 +0300	[thread overview]
Message-ID: <YMcyzyVyI4N6anBo@mwanda> (raw)

If nvkm_object_init() fails then we should not call nvkm_object_fini()
because it results in calling object->func->fini(object, suspend) twice.
Once inside the nvkm_object_init() function and once inside the
nvkm_object_fini() function.

Fixes: fbd58ebda9c8 ("drm/nouveau/object: merge with handle")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
This is something that I spotted while looking for reference counting
bugs.  I have tried running it, but it does not fix my crashes.  My
system is basically unusable.  It's something to do with the new version
of Firefox which triggers the refcount_t underflow, but switching to
Epiphany doesn't solve the issue either.

 drivers/gpu/drm/nouveau/nvkm/core/ioctl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/nouveau/nvkm/core/ioctl.c b/drivers/gpu/drm/nouveau/nvkm/core/ioctl.c
index d777df5a64e6..87c761fb475a 100644
--- a/drivers/gpu/drm/nouveau/nvkm/core/ioctl.c
+++ b/drivers/gpu/drm/nouveau/nvkm/core/ioctl.c
@@ -134,8 +134,8 @@ nvkm_ioctl_new(struct nvkm_client *client,
 				return 0;
 			}
 			ret = -EEXIST;
+			nvkm_object_fini(object, false);
 		}
-		nvkm_object_fini(object, false);
 	}
 
 	nvkm_object_del(&object);
-- 
2.30.2

_______________________________________________
Nouveau mailing list
Nouveau@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/nouveau
