[PATCH] fix: drm: drm_syncobj_find_fence: invalid flags check before NULL check leaks syncobj reference

From: WenTao Liang

Date: Fri Jun 26 2026 - 09:21:26 EST


drm_syncobj_find() acquires a syncobj reference on success. The invalid
flags check at line 445 returns -EINVAL without calling drm_syncobj_put,
bypassing the out label where the reference would be released. The flags
check should be moved after the NULL check, or drm_syncobj_put should be
called before the early return.

Cc: stable@xxxxxxxxxxxxxxx
Fixes: 18226ba52159 ("drm/syncobj: reject invalid flags in drm_syncobj_find_fence")
Signed-off-by: WenTao Liang <vulab@xxxxxxxxxxx>
---
drivers/gpu/drm/drm_syncobj.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/drivers/gpu/drm/drm_syncobj.c b/drivers/gpu/drm/drm_syncobj.c
index 8d9fd1917c6e..e40e2d92d5ef 100644
--- a/drivers/gpu/drm/drm_syncobj.c
+++ b/drivers/gpu/drm/drm_syncobj.c
@@ -442,12 +442,14 @@ int drm_syncobj_find_fence(struct drm_file *file_private,
u64 timeout = nsecs_to_jiffies64(DRM_SYNCOBJ_WAIT_FOR_SUBMIT_TIMEOUT);
int ret;

- if (flags & ~DRM_SYNCOBJ_WAIT_FLAGS_WAIT_FOR_SUBMIT)
- return -EINVAL;
-
if (!syncobj)
return -ENOENT;

+ if (flags & ~DRM_SYNCOBJ_WAIT_FLAGS_WAIT_FOR_SUBMIT) {
+ drm_syncobj_put(syncobj);
+ return -EINVAL;
+ }
+
/* Waiting for userspace with locks help is illegal cause that can
* trivial deadlock with page faults for example. Make lockdep complain
* about it early on.
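
Review bot: Moving the flags test below `if (!syncobj) return -ENOENT;` changes which errno a caller sees when both the handle and the flags are invalid: it used to be -EINVAL and is now -ENOENT. If the old precedence is meant to stay, keep the flags test first and drop the reference there only when syncobj is non-NULL; otherwise state in the commit message that the ordering change is intended. Separately, the new branch open-codes `drm_syncobj_put(syncobj); return -EINVAL;`, which adds a second release path. Since the commit message describes an out label that already releases the reference, `ret = -EINVAL; goto out;` would keep the cleanup in one place.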
--
2.39.5 (Apple Git-154)