Re: [PATCH] fix: drm/nouveau: nvkm_ucgrp_new: nvkm_cgrp_new failure leaks ucgrp object and engine reference
From: WenTao Liang
Date: Sun Jun 28 2026 - 00:08:26 EST
> On June 26, 2026, at 22:47, WenTao Liang <vulab@xxxxxxxxxxx> wrote:
>
> nvkm_object_ctor initializes ucgrp with an embedded kref and increments
> the engine's reference count. When nvkm_cgrp_new subsequently fails, the
> function jumps to done without calling nvkm_object_del to release ucgrp.
> The caller ignores *pobject on error, so the ucgrp object and its engine
> reference are permanently leaked.
>
> Cc: stable@xxxxxxxxxxxxxxx
> Fixes: 06db7fded6de ("drm/nouveau/fifo: add new channel classes")
> Signed-off-by: WenTao Liang <vulab@xxxxxxxxxxx>
> ---
> drivers/gpu/drm/nouveau/nvkm/engine/fifo/ucgrp.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/nouveau/nvkm/engine/fifo/ucgrp.c b/drivers/gpu/drm/nouveau/nvkm/engine/fifo/ucgrp.c
> index dfa3c7dbdf34..7d11b92f946b 100644
> --- a/drivers/gpu/drm/nouveau/nvkm/engine/fifo/ucgrp.c
> +++ b/drivers/gpu/drm/nouveau/nvkm/engine/fifo/ucgrp.c
> @@ -113,8 +113,10 @@ nvkm_ucgrp_new(struct nvkm_fifo *fifo, const struct nvkm_oclass *oclass, void *a
> *pobject = &ucgrp->object;
>
> ret = nvkm_cgrp_new(runl, args->v0.name, vmm, true, &ucgrp->cgrp);
> - if (ret)
> + if (ret) {
> + nvkm_object_del(pobject);
> goto done;
> + }
>
> /* Return channel group info to caller. */
> args->v0.cgid = ucgrp->cgrp->id;
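Review bot: In the new `if (ret) {` branch, nvkm_object_del(pobject) tears down an object whose ucgrp->cgrp was never set by the failed nvkm_cgrp_new(), and it does so after `*pobject = &ucgrp->object;` has already handed the pointer to the caller, so the fix is only correct if the destructor tolerates an unset cgrp and nothing else releases the same object. The commit message says the caller ignores *pobject on error, but neither the caller nor the code at the `done` label is visible in this hunk; please check the caller of this constructor and state in the changelog what it does with *pobject on failure, because a caller that already deletes it would make this branch redundant. It is also worth confirming that nothing after `done:` dereferences ucgrp or *pobject once the delete has run.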
> --
> 2.39.5 (Apple Git-154)
Please ignore this patch. I will resend a proper version after
learning the kernel submission process.
Apologies for the noise.
Best regards,
WenTao Liang