[PATCH] fix: drm/vmwgfx: ttm_base_object_init: fix tfile reference leak on error paths

From: WenTao Liang

Date: Fri Jun 26 2026 - 11:02:46 EST


ttm_base_object_init calls ttm_object_file_ref(tfile) to acquire a tfile
reference early in the function. On error paths (idr_alloc failure and
ttm_ref_object_add failure), the function returns without calling
ttm_object_file_unref to release this reference, causing a tfile
reference leak.

Add proper cleanup in the error paths to release the tfile reference via
ttm_object_file_unref.

Cc: stable@xxxxxxxxxxxxxxx
Fixes: 0b8762e997df ("drm/ttm, drm/vmwgfx: Move the lock- and object functionality to the vmwgfx driver")
Signed-off-by: WenTao Liang <vulab@xxxxxxxxxxx>
---
drivers/gpu/drm/vmwgfx/ttm_object.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/vmwgfx/ttm_object.c b/drivers/gpu/drm/vmwgfx/ttm_object.c
index 2421b0dd057c..93ae5a07d70a 100644
--- a/drivers/gpu/drm/vmwgfx/ttm_object.c
+++ b/drivers/gpu/drm/vmwgfx/ttm_object.c
@@ -204,7 +204,7 @@ int ttm_base_object_init(struct ttm_object_file *tfile,
spin_unlock(&tdev->object_lock);
idr_preload_end();
if (ret < 0)
- return ret;
+ goto err_unref_tfile;

base->handle = ret;
ret = ttm_ref_object_add(tfile, base, NULL, false);
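Review bot: The new `goto err_unref_tfile` under `if (ret < 0)` releases `base->tfile`, but nothing in this hunk shows that `base->tfile` already holds the reference taken by ttm_object_file_ref(tfile) at this point, which is what the commit message relies on. Please confirm the assignment happens before the idr allocation, and check that no caller of ttm_base_object_init drops the tfile reference itself when the function fails, since that would turn the leak into a double unref. A sentence in the commit message on what callers do after a failure would make this easier to verify for stable.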
@@ -218,6 +218,10 @@ int ttm_base_object_init(struct ttm_object_file *tfile,
spin_lock(&tdev->object_lock);
idr_remove(&tdev->idr, base->handle);
spin_unlock(&tdev->object_lock);
+ ttm_object_file_unref(&base->tfile);
+ return ret;
+err_unref_tfile:
+ ttm_object_file_unref(&base->tfile);
return ret;
}
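Review bot: In the error tail after `idr_remove`, the added pair `ttm_object_file_unref(&base->tfile); return ret;` is repeated immediately under `err_unref_tfile:`. Drop the first pair and let the idr_remove path fall through into the label, so the unwinding is one chain and the two exits cannot drift apart in a later change.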

--
2.39.5 (Apple Git-154)