drm_syncobj_find() acquires a syncobj reference on success. The invalid
flags check returns -EINVAL without calling drm_syncobj_put, bypassing
the out label where the reference would be released. Move the flags check
after the NULL check to ensure the reference is properly released.

Suggested-by: Greg KH <[email protected]>
Fixes: 18226ba52159 ("drm/syncobj: reject invalid flags in drm_syncobj_find_fence")
Cc: [email protected]
Signed-off-by: WenTao Liang <[email protected]>
---
Changes in v2:
- Fix patch format based on reviewer feedback
---
 drivers/gpu/drm/drm_syncobj.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/drivers/gpu/drm/drm_syncobj.c b/drivers/gpu/drm/drm_syncobj.c
index 8d9fd1917c6e..e40e2d92d5ef 100644
--- a/drivers/gpu/drm/drm_syncobj.c
+++ b/drivers/gpu/drm/drm_syncobj.c
@@ -442,12 +442,14 @@ int drm_syncobj_find_fence(struct drm_file *file_private,
        u64 timeout = nsecs_to_jiffies64(DRM_SYNCOBJ_WAIT_FOR_SUBMIT_TIMEOUT);
        int ret;
 
-       if (flags & ~DRM_SYNCOBJ_WAIT_FLAGS_WAIT_FOR_SUBMIT)
-               return -EINVAL;
-
        if (!syncobj)
                return -ENOENT;
 
+       if (flags & ~DRM_SYNCOBJ_WAIT_FLAGS_WAIT_FOR_SUBMIT) {
+               drm_syncobj_put(syncobj);
+               return -EINVAL;
+       }
+
        /* Waiting for userspace with locks help is illegal cause that can
         * trivial deadlock with page faults for example. Make lockdep complain
         * about it early on.
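
Review bot: The relocated flags check releases the reference with an inline drm_syncobj_put() followed by a direct return, while the commit message says the function already has an out label that performs this release. Setting ret = -EINVAL and using goto out in the new branch would keep a single release path, so a later change to the cleanup cannot miss this exit. If the out label does work that is not valid this early in the function, a one-line comment saying why the put is inlined here would make that clear to the next reader.
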
-- 
2.39.5 (Apple Git-154)
