drm_gem_object_lookup acquires a GEM object reference at the start of
each loop iteration. Two break paths (ttm_bo_reserve failure non-EDEADLK
and "vma not found") exit the loop without adding the gem to any cleanup
list and without calling drm_gem_object_put, causing a GEM object
reference leak.

Suggested-by: Greg KH <[email protected]>
Fixes: 9242829a87e9 ("drm/nouveau: Keep only a single list for validation.")
Fixes: 19ca10d82e33 ("drm/nouveau/gem: lookup VMAs for buffers referenced by pushbuf ioctl")
Cc: [email protected]
Signed-off-by: WenTao Liang <[email protected]>
---
Changes in v2:
- Fix patch format based on reviewer feedback
---
 drivers/gpu/drm/nouveau/nouveau_gem.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/gpu/drm/nouveau/nouveau_gem.c 
b/drivers/gpu/drm/nouveau/nouveau_gem.c
index 20dba02d6175..c654256f4081 100644
--- a/drivers/gpu/drm/nouveau/nouveau_gem.c
+++ b/drivers/gpu/drm/nouveau/nouveau_gem.c
@@ -513,6 +513,7 @@ validate_init(struct nouveau_channel *chan, struct drm_file 
*file_priv,
                        if (unlikely(ret)) {
                                if (ret != -ERESTARTSYS)
                                        NV_PRINTK(err, cli, "fail reserve\n");
+                               drm_gem_object_put(gem);
                                break;
                        }
                }
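
Review bot: the changelog calls this the "non-EDEADLK" reserve failure, but the only errno tested in the context around the added drm_gem_object_put(gem) is -ERESTARTSYS, and the -EDEADLK handling is not visible in this hunk. Please describe in the commit message how the reference is accounted for on the -EDEADLK path, so a reader can confirm that every non-zero ret reaching this break still owns exactly one reference to gem. The put itself sits outside the unbraced "if (ret != -ERESTARTSYS)" and so runs for -ERESTARTSYS as well, which matches the stated intent. A short comment saying that gem is not yet on any cleanup list at this point would keep a later reordering from turning this into a double put.
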
@@ -523,6 +524,7 @@ validate_init(struct nouveau_channel *chan, struct drm_file 
*file_priv,
                        if (!vma) {
                                NV_PRINTK(err, cli, "vma not found!\n");
                                ret = -EINVAL;
+                               drm_gem_object_put(gem);
                                break;
                        }
 
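Review bot: in the "if (!vma)" branch the added drm_gem_object_put(gem) balances the lookup reference, but this exit comes after the reserve step that the previous hunk's "fail reserve" path handles, and nothing in the visible lines releases a reservation before the break. Please confirm whether the buffer is still reserved here. If it is, the put fixes the refcount while the reservation stays held, because gem was never added to a cleanup list, and the unreserve belongs in this same branch. Since the put-and-break sequence is now duplicated in both hunks, a single error label that drops the reference (and unreserves where needed) would make it harder for a future break path to miss the cleanup again.
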
-- 
2.39.5 (Apple Git-154)
