[PATCH v2] accel/qaic: fix GEM object refcount leak in qaic_attach_slice_bo_ioctl
From: WenTao Liang
Date: Sun Jun 28 2026 - 07:51:46 EST
drm_gem_object_lookup() acquires a GEM object reference on success. All
error paths correctly release it via put_bo, but the success path returns
without calling drm_gem_object_put(obj). Since list_add_tail does not
transfer ownership, the GEM object reference is permanently leaked on
each successful call.
Suggested-by: Greg KH <gregkh@xxxxxxxxxxxxxxxxxxx>
Fixes: 75af0a585af9 ("accel/qaic: Grab ch_lock during QAIC_ATTACH_SLICE_BO")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: WenTao Liang <vulab@xxxxxxxxxxx>
---
Changes in v2:
- Fix patch format based on reviewer feedback
---
drivers/accel/qaic/qaic_data.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/accel/qaic/qaic_data.c b/drivers/accel/qaic/qaic_data.c
index 1e4c579d2725..b17df7bf565d 100644
--- a/drivers/accel/qaic/qaic_data.c
+++ b/drivers/accel/qaic/qaic_data.c
@@ -1084,6 +1084,7 @@ int qaic_attach_slice_bo_ioctl(struct drm_device *dev, void *data, struct drm_fi
bo->sliced = true;
list_add_tail(&bo->bo_list, &bo->dbc->bo_lists);
+ drm_gem_object_put(obj);
srcu_read_unlock(&dbc->ch_lock, rcu_id);
mutex_unlock(&bo->lock);
kfree(slice_ent);
--
2.39.5 (Apple Git-154)