[PATCH] drm/i915/panic: fix panic structure allocation memory leak

Sat, 18 Oct 2025 05:10:17 -0700 

Separating the panic allocation from framebuffer allocation in commit
729c5f7ffa83 ("drm/{i915,xe}/panic: move framebuffer allocation where it
belongs") failed to deallocate the panic structure anywhere.

The fix is two-fold. First, free the panic structure in
intel_user_framebuffer_destroy() in the general case. Second, move the
panic allocation later to intel_framebuffer_init() to not leak the panic
structure in error paths (if any, now or later) between
intel_framebuffer_alloc() and intel_framebuffer_init().

Fixes: 729c5f7ffa83 ("drm/{i915,xe}/panic: move framebuffer allocation where it 
belongs")
Cc: Jocelyn Falempe <[email protected]>
Cc: Maarten Lankhorst <[email protected]>
Reported-by: Michał Grzelak <[email protected]>
Suggested-by: Ville Syrjälä <[email protected]>
Signed-off-by: Jani Nikula <[email protected]>
---
 drivers/gpu/drm/i915/display/intel_fb.c | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/drivers/gpu/drm/i915/display/intel_fb.c 
b/drivers/gpu/drm/i915/display/intel_fb.c
index 69237dabdae8..3356ec022d06 100644
--- a/drivers/gpu/drm/i915/display/intel_fb.c
+++ b/drivers/gpu/drm/i915/display/intel_fb.c
@@ -2117,6 +2117,7 @@ static void intel_user_framebuffer_destroy(struct 
drm_framebuffer *fb)
 
        intel_fb_bo_framebuffer_fini(intel_fb_bo(fb));
 
+       kfree(intel_fb->panic);
        kfree(intel_fb);
 }
 
@@ -2222,10 +2223,16 @@ int intel_framebuffer_init(struct intel_framebuffer 
*intel_fb,
        if (ret)
                return ret;
 
+       intel_fb->panic = intel_panic_alloc();
+       if (!intel_fb->panic) {
+               ret = -ENOMEM;
+               goto err_framebuffer_fini;
+       }
+
        intel_fb->frontbuffer = intel_frontbuffer_get(obj);
        if (!intel_fb->frontbuffer) {
                ret = -ENOMEM;
-               goto err;
+               goto err_panic_free;
        }
 
        ret = -EINVAL;
@@ -2319,7 +2326,9 @@ int intel_framebuffer_init(struct intel_framebuffer 
*intel_fb,
                intel_dpt_destroy(intel_fb->dpt_vm);
 err_frontbuffer_put:
        intel_frontbuffer_put(intel_fb->frontbuffer);
-err:
+err_panic_free:
+       kfree(intel_fb->panic);
+err_framebuffer_fini:
        intel_fb_bo_framebuffer_fini(obj);
        return ret;
 }
@@ -2347,20 +2356,11 @@ intel_user_framebuffer_create(struct drm_device *dev,
 struct intel_framebuffer *intel_framebuffer_alloc(void)
 {
        struct intel_framebuffer *intel_fb;
-       struct intel_panic *panic;
 
        intel_fb = kzalloc(sizeof(*intel_fb), GFP_KERNEL);
        if (!intel_fb)
                return NULL;
 
-       panic = intel_panic_alloc();
-       if (!panic) {
-               kfree(intel_fb);
-               return NULL;
-       }
-
-       intel_fb->panic = panic;
-
        return intel_fb;
 }
 
-- 
2.47.3

Reply via email to