Re: [PATCH v10 5/6] drm/panthor: Support sparse mappings

[Boris Brezillon]

On Tue, 5 May 2026 10:14:50 +0200
Marcin Ślusarz <marcin.slusarz@xxxxxxx> wrote:

> On Wed, Apr 29, 2026 at 07:32:17PM +0100, Adri�n Larumbe wrote:
> > @@ -1651,6 +1715,13 @@ int panthor_vm_pool_create(struct panthor_file *pfile)
> >  		return -ENOMEM;
> >  
> >  	xa_init_flags(&pfile->vms->xa, XA_FLAGS_ALLOC1);
> > +
> > +	pfile->vms->dummy = panthor_dummy_bo_create(pfile->ptdev);
> > +	if (IS_ERR(pfile->vms->dummy)) {
> > +		kfree(pfile->vms);
> > +		return PTR_ERR(pfile->vms->dummy);  
> 
> This is use-after-free.

Indeed. Let's add a proper error path where panthor_vm_pool_destroy()
is called to make sure we don't leak resources when an error occurs
anywhere in the creation path, and let's make panthor_vm_pool_destroy()
safe against dummy=NULL.

void panthor_vm_pool_destroy(struct panthor_file *pfile)
{
...

	if (pfile->vms->dummy)
		drm_gem_object_put(&pfile->vms->dummy->base);

...
}

int panthor_vm_pool_create(struct panthor_file *pfile)
{
	struct panthor_gem_object *dummy;

	...

	dummy = panthor_dummy_bo_create(pfile->ptdev);
	if (IS_ERR(dummy)) {
		ret = PTR_ERR(dummy);
		goto err_destroy_vm_pool;
	}

	pfile->vms->dummy = dummy;

	...

	return 0;

err_destroy_vm_pool:
	panthor_vm_pool_destroy(pfile);
	return ret;
}

> 
> > +	}
> > +
> >  	return 0;
> >  }