[PATCH] fix: drm/nouveau: nvkm_ucgrp_new: nvkm_cgrp_new failure leaks ucgrp object and engine reference

From: WenTao Liang

Date: Fri Jun 26 2026 - 10:59:18 EST


nvkm_object_ctor initializes ucgrp with an embedded kref and increments
the engine's reference count. When nvkm_cgrp_new subsequently fails, the
function jumps to done without calling nvkm_object_del to release ucgrp.
The caller ignores *pobject on error, so the ucgrp object and its engine
reference are permanently leaked.

Cc: stable@xxxxxxxxxxxxxxx
Fixes: 06db7fded6de ("drm/nouveau/fifo: add new channel classes")
Signed-off-by: WenTao Liang <vulab@xxxxxxxxxxx>
---
drivers/gpu/drm/nouveau/nvkm/engine/fifo/ucgrp.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/nouveau/nvkm/engine/fifo/ucgrp.c b/drivers/gpu/drm/nouveau/nvkm/engine/fifo/ucgrp.c
index dfa3c7dbdf34..7d11b92f946b 100644
--- a/drivers/gpu/drm/nouveau/nvkm/engine/fifo/ucgrp.c
+++ b/drivers/gpu/drm/nouveau/nvkm/engine/fifo/ucgrp.c
@@ -113,8 +113,10 @@ nvkm_ucgrp_new(struct nvkm_fifo *fifo, const struct nvkm_oclass *oclass, void *a
*pobject = &ucgrp->object;

ret = nvkm_cgrp_new(runl, args->v0.name, vmm, true, &ucgrp->cgrp);
- if (ret)
+ if (ret) {
+ nvkm_object_del(pobject);
goto done;
+ }

/* Return channel group info to caller. */
args->v0.cgid = ucgrp->cgrp->id;
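Review bot: The added `nvkm_object_del(pobject);` in the `if (ret)` branch frees ucgrp and then jumps to `done`, but nothing visible in this hunk shows that the code after `done` no longer touches ucgrp, or that the object's destructor copes with `ucgrp->cgrp` never having been set by the failed nvkm_cgrp_new call. Please confirm both in the commit message. The changelog also says the caller ignores *pobject on error; since `*pobject = &ucgrp->object;` is assigned before the failure point, name the caller path you checked. If any caller does release *pobject after a failed constructor, this change is redundant there and relies on nvkm_object_del clearing the pointer to avoid a double free. A short comment above the new call saying why cleanup is done here rather than by the caller would help future readers.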
--
2.39.5 (Apple Git-154)