Re: [PATCH] fix: drm/nouveau: validate_init: break paths after drm_gem_object_lookup leak GEM reference
From: WenTao Liang
Date: Sat Jun 27 2026 - 23:56:49 EST
> 2026年6月26日 22:26,WenTao Liang <vulab@xxxxxxxxxxx> 写道:
>
> drm_gem_object_lookup acquires a GEM object reference at the start of
> each loop iteration. Two break paths (ttm_bo_reserve failure non-EDEADLK
> and "vma not found") exit the loop without adding the gem to any cleanup
> list and without calling drm_gem_object_put, causing a GEM object
> reference leak.
>
> Cc: stable@xxxxxxxxxxxxxxx
> Fixes: 9242829a87e9 ("drm/nouveau: Keep only a single list for validation.")
> Fixes: 19ca10d82e33 ("drm/nouveau/gem: lookup VMAs for buffers referenced by pushbuf ioctl")
> Signed-off-by: WenTao Liang <vulab@xxxxxxxxxxx>
> ---
> drivers/gpu/drm/nouveau/nouveau_gem.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/drivers/gpu/drm/nouveau/nouveau_gem.c b/drivers/gpu/drm/nouveau/nouveau_gem.c
> index 20dba02d6175..c654256f4081 100644
> --- a/drivers/gpu/drm/nouveau/nouveau_gem.c
> +++ b/drivers/gpu/drm/nouveau/nouveau_gem.c
> @@ -513,6 +513,7 @@ validate_init(struct nouveau_channel *chan, struct drm_file *file_priv,
> if (unlikely(ret)) {
> if (ret != -ERESTARTSYS)
> NV_PRINTK(err, cli, "fail reserve\n");
> + drm_gem_object_put(gem);
> break;
> }
> }
> @@ -523,6 +524,7 @@ validate_init(struct nouveau_channel *chan, struct drm_file *file_priv,
> if (!vma) {
> NV_PRINTK(err, cli, "vma not found!\n");
> ret = -EINVAL;
> + drm_gem_object_put(gem);
> break;
> }
>
> --
> 2.39.5 (Apple Git-154)
Please ignore this patch. I will resend a proper version after
learning the kernel submission process.
Apologies for the noise.
Best regards,
WenTao Liang