Re: [PATCH] fix: accel/qaic: qaic_attach_slice_bo_ioctl: success path missing drm_gem_object_put

Next message: WenTao Liang: "Re: [PATCH] fix: dma-buf: fence_chains_init: error unwind path leaks enable_sw_signaling reference"
Previous message: WenTao Liang: "Re: [PATCH] fix: x86/events/intel/uncore: discover_upi_topology: inner loop leaks PCI device references from pci_get_domain_bus_and_slot"
In reply to: WenTao Liang: "[PATCH] fix: accel/qaic: qaic_attach_slice_bo_ioctl: success path missing drm_gem_object_put"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: WenTao Liang

Date: Sat Jun 27 2026 - 23:53:17 EST

> 2026年6月26日 19:43，WenTao Liang <vulab@xxxxxxxxxxx> 写道：
>
> drm_gem_object_lookup() acquires a GEM object reference on success. All
> error paths correctly release it via put_bo, but the success path returns
> without calling drm_gem_object_put(obj). Since list_add_tail does not
> transfer ownership, the GEM object reference is permanently leaked on
> each successful call.
>
> Cc: stable@xxxxxxxxxxxxxxx
> Fixes: 75af0a585af9 ("accel/qaic: Grab ch_lock during QAIC_ATTACH_SLICE_BO")
> Signed-off-by: WenTao Liang <vulab@xxxxxxxxxxx>
> ---
> drivers/accel/qaic/qaic_data.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/drivers/accel/qaic/qaic_data.c b/drivers/accel/qaic/qaic_data.c
> index 1e4c579d2725..b17df7bf565d 100644
> --- a/drivers/accel/qaic/qaic_data.c
> +++ b/drivers/accel/qaic/qaic_data.c
> @@ -1084,6 +1084,7 @@ int qaic_attach_slice_bo_ioctl(struct drm_device *dev, void *data, struct drm_fi
>
> bo->sliced = true;
> list_add_tail(&bo->bo_list, &bo->dbc->bo_lists);
> + drm_gem_object_put(obj);
> srcu_read_unlock(&dbc->ch_lock, rcu_id);
> mutex_unlock(&bo->lock);
> kfree(slice_ent);
> --
> 2.39.5 (Apple Git-154)

Please ignore this patch. I will resend a proper version after
learning the kernel submission process.

Apologies for the noise.

Best regards,
WenTao Liang