Re: [PATCH] fix: drm/vmwgfx: ttm_base_object_init: fix tfile reference leak on error paths
From: WenTao Liang
Date: Sun Jun 28 2026 - 00:05:53 EST
> On June 26, 2026, at 22:59, WenTao Liang <vulab@xxxxxxxxxxx> wrote:
>
> ttm_base_object_init calls ttm_object_file_ref(tfile) to acquire a tfile
> reference early in the function. On error paths (idr_alloc failure and
> ttm_ref_object_add failure), the function returns without calling
> ttm_object_file_unref to release this reference, causing a tfile
> reference leak.
>
> Add proper cleanup in the error paths to release the tfile reference via
> ttm_object_file_unref.
>
> Cc: stable@xxxxxxxxxxxxxxx
> Fixes: 0b8762e997df ("drm/ttm, drm/vmwgfx: Move the lock- and object functionality to the vmwgfx driver")
> Signed-off-by: WenTao Liang <vulab@xxxxxxxxxxx>
> ---
> drivers/gpu/drm/vmwgfx/ttm_object.c | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/vmwgfx/ttm_object.c b/drivers/gpu/drm/vmwgfx/ttm_object.c
> index 2421b0dd057c..93ae5a07d70a 100644
> --- a/drivers/gpu/drm/vmwgfx/ttm_object.c
> +++ b/drivers/gpu/drm/vmwgfx/ttm_object.c
> @@ -204,7 +204,7 @@ int ttm_base_object_init(struct ttm_object_file *tfile,
> spin_unlock(&tdev->object_lock);
> idr_preload_end();
> if (ret < 0)
> - return ret;
> + goto err_unref_tfile;
>
> base->handle = ret;
> ret = ttm_ref_object_add(tfile, base, NULL, false);
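Review bot: The `goto err_unref_tfile` taken at `if (ret < 0)` releases the reference through `&base->tfile` rather than through the `tfile` argument, so it is only correct if `base->tfile` already holds the pointer returned by `ttm_object_file_ref(tfile)` when this check runs. That assignment is outside the hunk context; name it in the changelog so the unref can be matched against its ref, and so it is clear the label is never reached before the reference is taken.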
> @@ -218,6 +218,10 @@ int ttm_base_object_init(struct ttm_object_file *tfile,
> spin_lock(&tdev->object_lock);
> idr_remove(&tdev->idr, base->handle);
> spin_unlock(&tdev->object_lock);
> + ttm_object_file_unref(&base->tfile);
> + return ret;
> +err_unref_tfile:
> + ttm_object_file_unref(&base->tfile);
> return ret;
> }
>
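Review bot: The cleanup is duplicated across the two exits: the lines added after `spin_unlock(&tdev->object_lock);` repeat the same `ttm_object_file_unref(&base->tfile);` and `return ret;` that the new `err_unref_tfile:` label provides immediately below. Drop the first pair and let the `idr_remove()` path fall through into the label, leaving a single unref site that unwinds in reverse order of acquisition. Because the unref is passed `&base->tfile`, also confirm that no caller's failure handling releases `base->tfile` again after this function returns an error.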
> --
> 2.39.5 (Apple Git-154)
Please ignore this patch. I will resend a proper version after
learning the kernel submission process.
Apologies for the noise.
Best regards,
WenTao Liang