From 69ad5d82b0931e00811a09f2088baaa9fe6b279a Mon Sep 17 00:00:00 2001
From: Andreas Korb
Date: Fri, 7 Jun 2024 22:28:34 +0200
Subject: [PATCH 1/6] Fix file descriptor potentially never being closed
---
 src/direct/direct-export-buf.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/direct/direct-export-buf.c b/src/direct/direct-export-buf.c
index 3db44ac..27bbd67 100644
--- a/src/direct/direct-export-buf.c
+++ b/src/direct/direct-export-buf.c
@@ -218,13 +218,13 @@ static BackingImage *direct_allocateBackingImage(NVDriver *drv, NVSurface *surfa
 destroyBackingImage(drv, backingImage);
 import_fail:
- if (memFd != 0) {
+ if (memFd >= 0) {
 close(memFd);
 }
- if (memFd != 0) {
- close(memFd);
+ if (memFd2 >= 0) {
+ close(memFd2);
 }
- if (drmFd != 0) {
+ if (drmFd >= 0) {
 close(drmFd);
 }
 free(backingImage);
From f33c6f3f1fd2f2232f5200a0647f397db919f7ff Mon Sep 17 00:00:00 2001
From: Andreas Korb
Date: Fri, 7 Jun 2024 22:34:26 +0200
Subject: [PATCH 2/6] Fix potential double free issue
---
 src/direct/direct-export-buf.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/src/direct/direct-export-buf.c b/src/direct/direct-export-buf.c
index 27bbd67..e2e02b1 100644
--- a/src/direct/direct-export-buf.c
+++ b/src/direct/direct-export-buf.c
@@ -216,6 +216,9 @@ static BackingImage *direct_allocateBackingImage(NVDriver *drv, NVSurface *surfa
 bail:
 destroyBackingImage(drv, backingImage);
+ //another 'free' might occur on this pointer.
+ //hence, set it to NULL to ensure no operation is performed if this really happens.
+ backingImage = NULL;
 import_fail:
 if (memFd >= 0) {
From bed7c95045f739e343563cfa90478ba9316e49ad Mon Sep 17 00:00:00 2001
From: Andreas Korb
Date: Sat, 8 Jun 2024 13:43:02 +0200
Subject: [PATCH 3/6] realloc with NULL pointer is equivalent to malloc
---
 src/list.c | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/src/list.c b/src/list.c
index 0acac4a..a82e125 100644
--- a/src/list.c
+++ b/src/list.c
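Review bot: The new `>= 0` guards under `import_fail` in direct_allocateBackingImage (patch 1/6) are only correct if `memFd`, `memFd2` and `drmFd` are initialised to -1 before the first `goto`; their declarations are outside this hunk, so that should be confirmed. If any of them starts at 0 or is left uninitialised, this path would now close descriptor 0 or an arbitrary descriptor. A short comment above the cleanup, such as `// fds are -1 until opened and reset to -1 once closed or handed off`, would record the invariant the guards rely on.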
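Review bot: The comment added after `destroyBackingImage(drv, backingImage);` in patch 2/6 does not say which second free it guards against; from the context of patch 1/6 it appears to be the `free(backingImage);` at the end of `import_fail`, which the `bail` path falls through to. Naming it would make the intent checkable, e.g. `// destroyBackingImage() releases backingImage; clear it so free() under import_fail is a no-op`. Whether destroyBackingImage actually frees the struct, and whether it also closes any descriptor that `import_fail` closes again, is not visible here and is worth verifying, since a repeated close() carries the same hazard as the double free.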
@@ -21,11 +21,7 @@ static void ensure_capacity(Array *arr, uint32_t new_capacity) { } } - if (arr->buf == NULL) { - arr->buf = malloc(arr->capacity * sizeof(void*)); - } else { - arr->buf = realloc(arr->buf, arr->capacity * sizeof(void*)); - } + arr->buf = realloc(arr->buf, arr->capacity * sizeof(void*)); //clear the new part of the array memset(&arr->buf[old_capacity], 0, (arr->capacity - old_capacity) * sizeof(void*)); From aa2a0b125abd248bb34f01a4723566e95248d4cf Mon Sep 17 00:00:00 2001 From: Andreas Korb Date: Sat, 8 Jun 2024 13:57:32 +0200 Subject: [PATCH 4/6] Remove redundant NULL check free(ptr) is defined as a no-op if ptr=NULL --- src/vabackend.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/src/vabackend.c b/src/vabackend.c index 03efbc7..3935c8c 100644 --- a/src/vabackend.c +++ b/src/vabackend.c @@ -308,9 +308,7 @@ static void deleteObject(NVDriver *drv, VAGenericID id) { ARRAY_FOR_EACH(Object, o, &drv->objects) if (o->id == id) { remove_element_at(&drv->objects, o_idx); - if (o->obj != NULL) { - free(o->obj); - } + free(o->obj); free(o); //we've found the object, no need to continue break; From 63bfe1d6a60f55dec01b8a1800ebfea5090d2b47 Mon Sep 17 00:00:00 2001 From: Andreas Korb Date: Sat, 8 Jun 2024 14:57:32 +0200 Subject: [PATCH 5/6] Fix memory leak --- src/vabackend.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/vabackend.c b/src/vabackend.c index 3935c8c..5353d75 100644 --- a/src/vabackend.c +++ b/src/vabackend.c @@ -2112,6 +2112,8 @@ static VAStatus nvTerminate( VADriverContextP ctx ) CHECK_CUDA_RESULT_RETURN(cu->cuCtxDestroy(drv->cudaContext), VA_STATUS_ERROR_OPERATION_FAILED); drv->cudaContext = NULL; + free(drv); + return VA_STATUS_SUCCESS; } From e79eb5be6355ddb67f88e8f76101bcd0e1007b42 Mon Sep 17 00:00:00 2001 
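Review bot: In ensure_capacity (src/list.c, patch 3/6) the result of `realloc` is assigned straight to `arr->buf` and never checked, so on allocation failure the old buffer is leaked and the following `memset(&arr->buf[old_capacity], ...)` writes through a NULL-based pointer. This predates the commit, but the line is being rewritten anyway: `void *tmp = realloc(arr->buf, arr->capacity * sizeof(void*));`, then `if (tmp == NULL) { /* restore capacity and report or abort */ }`, then `arr->buf = tmp;`. The function returns void and begins outside the hunk, so the failure policy has to be chosen by the author.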
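Review bot: After `free(drv);` in nvTerminate (src/vabackend.c, patch 5/6) the driver context presumably still holds the pointer `drv` was read from, and the `CHECK_CUDA_RESULT_RETURN` just above looks like it returns early, in which case the leak remains on that path. If `drv` comes from `ctx->pDriverData` (the assignment is outside the hunk), adding `ctx->pDriverData = NULL;` right after the free keeps a later call on the same context from touching freed memory. Freeing on the error path as well, or documenting why it is skipped, would complete the fix.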
From: Andreas Korb Date: Sun, 9 Jun 2024 19:45:13 +0200 Subject: [PATCH 6/6] Fix double closing file descriptor --- src/direct/direct-export-buf.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/direct/direct-export-buf.c b/src/direct/direct-export-buf.c index e2e02b1..86203d6 100644 --- a/src/direct/direct-export-buf.c +++ b/src/direct/direct-export-buf.c @@ -172,10 +172,11 @@ static BackingImage *direct_allocateBackingImage(NVDriver *drv, NVSurface *surfa goto import_fail; } - close(memFd); close(memFd2); - memFd = -1; memFd2 = -1; + // memFd file descriptor is closed by CUDA after importing + memFd = -1; + //now map the arrays for (uint32_t i = 0; i < fmtInfo->numPlanes; i++) {
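Review bot: `memFd = -1;` is set only after the `goto import_fail;` visible at the top of this hunk (patch 6/6), so if CUDA has already taken ownership of the descriptor when that jump is taken, the `close(memFd)` under `import_fail` closes it a second time. The import call itself is outside the hunk, so this depends on what fails there; the safer pattern is to clear `memFd` immediately after the import succeeds rather than here. A double close can hit a descriptor number that another thread has since reused, which is why the ordering matters. The new comment could also name the call that takes ownership.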