drm_gem_object_lookup() acquires a GEM object reference on success. All error paths correctly release it via put_bo, but the success path returns without calling drm_gem_object_put(obj). Since list_add_tail does not transfer ownership, the GEM object reference is permanently leaked on each successful call.
Suggested-by: Greg KH <[email protected]> Fixes: 75af0a585af9 ("accel/qaic: Grab ch_lock during QAIC_ATTACH_SLICE_BO") Cc: [email protected] Signed-off-by: WenTao Liang <[email protected]> --- Changes in v2: - Fix patch format based on reviewer feedback --- drivers/accel/qaic/qaic_data.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/accel/qaic/qaic_data.c b/drivers/accel/qaic/qaic_data.c index 1e4c579d2725..b17df7bf565d 100644 --- a/drivers/accel/qaic/qaic_data.c +++ b/drivers/accel/qaic/qaic_data.c @@ -1084,6 +1084,7 @@ int qaic_attach_slice_bo_ioctl(struct drm_device *dev, void *data, struct drm_fi bo->sliced = true; list_add_tail(&bo->bo_list, &bo->dbc->bo_lists); + drm_gem_object_put(obj); srcu_read_unlock(&dbc->ch_lock, rcu_id); mutex_unlock(&bo->lock); kfree(slice_ent); -- 2.39.5 (Apple Git-154)
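Review bot: the added drm_gem_object_put(obj) sits before srcu_read_unlock(&dbc->ch_lock, rcu_id) and mutex_unlock(&bo->lock), so the lookup reference is dropped while bo->lock is still held and immediately after bo has been linked onto bo->dbc->bo_lists. If this put can ever be the last reference (for example, if the handle is closed concurrently), the object would be released with its own lock held and the following mutex_unlock(&bo->lock) would touch freed memory. Consider moving the put after mutex_unlock(&bo->lock), or say in the commit message which reference is guaranteed to keep the object alive at this point. The message states that list_add_tail does not transfer ownership, so it would also help to name what keeps bo valid while it stays on bo_lists once the lookup reference is gone.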
