[PATCH] fix: drm/nouveau: validate_init: break paths after drm_gem_object_lookup leak GEM reference

Next message: Alexander Mikhalitsyn: "Re: [PATCH 04/10] x86/fpu: Document reasoning of FX-only fallback"
Previous message: Miquel Raynal: "Re: [PATCH 2/3] mtd: maps: remove uclinux map driver"
Next in thread: WenTao Liang: "Re: [PATCH] fix: drm/nouveau: validate_init: break paths after drm_gem_object_lookup leak GEM reference"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: WenTao Liang

Date: Fri Jun 26 2026 - 10:27:09 EST

drm_gem_object_lookup acquires a GEM object reference at the start of
each loop iteration. Two break paths (ttm_bo_reserve failure non-EDEADLK
and "vma not found") exit the loop without adding the gem to any cleanup
list and without calling drm_gem_object_put, causing a GEM object
reference leak.

Cc: stable@xxxxxxxxxxxxxxx
Fixes: 9242829a87e9 ("drm/nouveau: Keep only a single list for validation.")
Fixes: 19ca10d82e33 ("drm/nouveau/gem: lookup VMAs for buffers referenced by pushbuf ioctl")
Signed-off-by: WenTao Liang <vulab@xxxxxxxxxxx>
---
drivers/gpu/drm/nouveau/nouveau_gem.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/drivers/gpu/drm/nouveau/nouveau_gem.c b/drivers/gpu/drm/nouveau/nouveau_gem.c
index 20dba02d6175..c654256f4081 100644
--- a/drivers/gpu/drm/nouveau/nouveau_gem.c
+++ b/drivers/gpu/drm/nouveau/nouveau_gem.c
@@ -513,6 +513,7 @@ validate_init(struct nouveau_channel *chan, struct drm_file *file_priv,
if (unlikely(ret)) {
if (ret != -ERESTARTSYS)
NV_PRINTK(err, cli, "fail reserve\n");
+ drm_gem_object_put(gem);
break;
}
}
@@ -523,6 +524,7 @@ validate_init(struct nouveau_channel *chan, struct drm_file *file_priv,
if (!vma) {
NV_PRINTK(err, cli, "vma not found!\n");
ret = -EINVAL;
+ drm_gem_object_put(gem);
break;
}

--
2.39.5 (Apple Git-154)