[PATCH] fix: drm: drm_mode_obj_get_properties_ioctl: DRM_MODESET_LOCK_ALL_BEGIN retry leaks drm_mode_object reference

Next message: Liviu Dudau: "Re: [PATCH 05/11] drm/panthor: Fix theoretical IOMEM access in suspended state"
Previous message: Helge Deller: "Re: [PATCH] fbdev: Fix fb_new_modelist to prevent null-ptr-deref in fb_videomode_to_var"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: WenTao Liang

Date: Fri Jun 26 2026 - 09:15:42 EST

The DRM_MODESET_LOCK_ALL_BEGIN macro retries the ioctl on -EDEADLK. Each
retry re-executes drm_mode_object_find, overwriting the obj pointer
without releasing the previous reference via drm_mode_object_put. The
out_unref label only releases the final obj, leaking references from
earlier retry iterations.

Cc: stable@xxxxxxxxxxxxxxx
Fixes: 949619f32eee ("drm: Extract drm_mode_object.[hc]")
Signed-off-by: WenTao Liang <vulab@xxxxxxxxxxx>
---
drivers/gpu/drm/drm_mode_object.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/drm_mode_object.c b/drivers/gpu/drm/drm_mode_object.c
index 2d943a610b88..10fce40f7020 100644
--- a/drivers/gpu/drm/drm_mode_object.c
+++ b/drivers/gpu/drm/drm_mode_object.c
@@ -479,7 +479,7 @@ int drm_mode_obj_get_properties_ioctl(struct drm_device *dev, void *data,
struct drm_file *file_priv)
{
struct drm_mode_obj_get_properties *arg = data;
- struct drm_mode_object *obj;
+ struct drm_mode_object *obj = NULL;
struct drm_modeset_acquire_ctx ctx;
int ret = 0;

@@ -487,7 +487,9 @@ int drm_mode_obj_get_properties_ioctl(struct drm_device *dev, void *data,
return -EOPNOTSUPP;

DRM_MODESET_LOCK_ALL_BEGIN(dev, ctx, 0, ret);
-
+ if (obj)
+ drm_mode_object_put(obj);
+
obj = drm_mode_object_find(dev, file_priv, arg->obj_id, arg->obj_type);
if (!obj) {
ret = -ENOENT;
--
2.39.5 (Apple Git-154)