[PATCH v2] drm/nouveau: fix GEM refcount leak in validate_init error paths
From: WenTao Liang
Date: Sun Jun 28 2026 - 10:33:06 EST
drm_gem_object_lookup acquires a GEM object reference at the start of
each loop iteration. Two break paths (ttm_bo_reserve failure non-EDEADLK
and "vma not found") exit the loop without adding the gem to any cleanup
list and without calling drm_gem_object_put, causing a GEM object
reference leak.
Suggested-by: Greg KH <gregkh@xxxxxxxxxxxxxxxxxxx>
Fixes: 9242829a87e9 ("drm/nouveau: Keep only a single list for validation.")
Fixes: 19ca10d82e33 ("drm/nouveau/gem: lookup VMAs for buffers referenced by pushbuf ioctl")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: WenTao Liang <vulab@xxxxxxxxxxx>
---
Changes in v2:
- Fix patch format based on reviewer feedback
---
drivers/gpu/drm/nouveau/nouveau_gem.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/gpu/drm/nouveau/nouveau_gem.c b/drivers/gpu/drm/nouveau/nouveau_gem.c
index 20dba02d6175..c654256f4081 100644
--- a/drivers/gpu/drm/nouveau/nouveau_gem.c
+++ b/drivers/gpu/drm/nouveau/nouveau_gem.c
@@ -513,6 +513,7 @@ validate_init(struct nouveau_channel *chan, struct drm_file *file_priv,
if (unlikely(ret)) {
if (ret != -ERESTARTSYS)
NV_PRINTK(err, cli, "fail reserve\n");
+ drm_gem_object_put(gem);
break;
}
}
@@ -523,6 +524,7 @@ validate_init(struct nouveau_channel *chan, struct drm_file *file_priv,
if (!vma) {
NV_PRINTK(err, cli, "vma not found!\n");
ret = -EINVAL;
+ drm_gem_object_put(gem);
break;
}
--
2.39.5 (Apple Git-154)