drm_gem_object_lookup acquires a GEM object reference at the start of each loop iteration. Two break paths (ttm_bo_reserve failure non-EDEADLK and "vma not found") exit the loop without adding the gem to any cleanup list and without calling drm_gem_object_put, causing a GEM object reference leak.
Suggested-by: Greg KH <[email protected]> Fixes: 9242829a87e9 ("drm/nouveau: Keep only a single list for validation.") Fixes: 19ca10d82e33 ("drm/nouveau/gem: lookup VMAs for buffers referenced by pushbuf ioctl") Cc: [email protected] Signed-off-by: WenTao Liang <[email protected]> --- Changes in v2: - Fix patch format based on reviewer feedback --- drivers/gpu/drm/nouveau/nouveau_gem.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/gpu/drm/nouveau/nouveau_gem.c b/drivers/gpu/drm/nouveau/nouveau_gem.c index 20dba02d6175..c654256f4081 100644 --- a/drivers/gpu/drm/nouveau/nouveau_gem.c +++ b/drivers/gpu/drm/nouveau/nouveau_gem.c @@ -513,6 +513,7 @@ validate_init(struct nouveau_channel *chan, struct drm_file *file_priv, if (unlikely(ret)) { if (ret != -ERESTARTSYS) NV_PRINTK(err, cli, "fail reserve\n"); + drm_gem_object_put(gem); break; } } @@ -523,6 +524,7 @@ validate_init(struct nouveau_channel *chan, struct drm_file *file_priv, if (!vma) { NV_PRINTK(err, cli, "vma not found!\n"); ret = -EINVAL; + drm_gem_object_put(gem); break; } -- 2.39.5 (Apple Git-154)
