On Tue, 6 Jan 2026 17:49:35 +0100 Boris Brezillon <[email protected]> wrote:
> drm_gem_object_lookup_at_offset() can return a valid object with > filp or filp->f_op->get_unmapped_area set to NULL. Make sure we still > release the ref we acquired on such objects. > > Cc: Loïc Molinari <[email protected]> > Fixes: 99bda20d6d4c ("drm/gem: Introduce drm_gem_get_unmapped_area() fop") > Signed-off-by: Boris Brezillon <[email protected]> Queued to drm-misc-next. > --- > drivers/gpu/drm/drm_gem.c | 10 ++++++---- > 1 file changed, 6 insertions(+), 4 deletions(-) > > diff --git a/drivers/gpu/drm/drm_gem.c b/drivers/gpu/drm/drm_gem.c > index 36c8af123877..f7cbf6e8d1e0 100644 > --- a/drivers/gpu/drm/drm_gem.c > +++ b/drivers/gpu/drm/drm_gem.c > @@ -1298,11 +1298,13 @@ unsigned long drm_gem_get_unmapped_area(struct file > *filp, unsigned long uaddr, > unsigned long ret; > > obj = drm_gem_object_lookup_at_offset(filp, pgoff, len >> PAGE_SHIFT); > - if (IS_ERR(obj) || !obj->filp || !obj->filp->f_op->get_unmapped_area) > - return mm_get_unmapped_area(filp, uaddr, len, 0, flags); > + if (IS_ERR(obj)) > + obj = NULL; > > - ret = obj->filp->f_op->get_unmapped_area(obj->filp, uaddr, len, 0, > - flags); > + if (!obj || !obj->filp || !obj->filp->f_op->get_unmapped_area) > + ret = mm_get_unmapped_area(filp, uaddr, len, 0, flags); > + else > + ret = obj->filp->f_op->get_unmapped_area(obj->filp, uaddr, len, > 0, flags); > > drm_gem_object_put(obj); >
