From nobody Tue Jun 9 00:54:57 2026 Received: from cstnet.cn (smtp81.cstnet.cn [159.226.251.81]) (using TLSv1.2 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E1A2B632; Mon, 25 May 2026 02:33:36 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=159.226.251.81 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779676419; cv=none; b=oIQ29t5oTjtyoEi2iUyyLIgCc5/o+uLgzJp4BgvazX0qt9y1JxAASFPuVrkbcj/tR04elpD1V1x3Ql4oZm44YONumiE8vAO2c9UNVhflm+DVwkxDUaueY7pwbI8fmKxjkh0mmyEV0WtHkEdvxTw4Gw+tynG5CLwRQFzsnS1A6ug= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779676419; c=relaxed/simple; bh=mBqWsRvA1FJukGR9vzi5WRGEcBoa2DU0/D1flPFyvcw=; h=From:To:Cc:Subject:Date:Message-Id:MIME-Version; b=AsXFjWiiHT5B8Q0SEz1T2+r06nLK64gEZkJiWK0W7GmyBMde0CE9YReF8fGdVG8QP9qOwtGsdejnYviPxr8Nkhoo6DJS8Bh3DHRq8eeQMnMzMCqyy/ZQNrheOuYsV2f1rdONqmZYS7ChH2wLW6qMTWiyghG5XTJtF1uqFVKxBtA= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=iscas.ac.cn; spf=pass smtp.mailfrom=iscas.ac.cn; arc=none smtp.client-ip=159.226.251.81 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=iscas.ac.cn Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=iscas.ac.cn Received: from dfae2b116770.home.arpa (unknown [36.110.52.2]) by APP-03 (Coremail) with SMTP id rQCowAAnC+L4tBNqaq8+Eg--.682S2; Mon, 25 May 2026 10:33:28 +0800 (CST) From: Wentao Liang To: maarten.lankhorst@linux.intel.com, mripard@kernel.org, tzimmermann@suse.de, airlied@gmail.com, simona@ffwll.ch Cc: dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org, Wentao Liang , stable@vger.kernel.org Subject: [PATCH] gpu/drm/drm_syncobj: fix syncobj refcount leak on invalid flags in find_fence Date: Mon, 25 May 2026 02:33:24 +0000 Message-Id: <20260525023324.3883862-1-vulab@iscas.ac.cn> X-Mailer: git-send-email 2.34.1 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-CM-TRANSID: rQCowAAnC+L4tBNqaq8+Eg--.682S2 X-Coremail-Antispam: 1UD129KBjvJXoW7CFWkGryftr4xuFWUXw4ruFg_yoW8Gry3pr s3Kryq9ryrtw4Ivr4IyF9rCFWfAa1xtrW0gF1kAw1YvF1ktr15A3y5G3s0gFyDJrn7Cr1a q34qyFW5uFnFkrJanT9S1TB71UUUUU7qnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2 9KBjDU0xBIdaVrnRJUUUkC14x267AKxVW8JVW5JwAFc2x0x2IEx4CE42xK8VAvwI8IcIk0 rVWrJVCq3wAFIxvE14AKwVWUJVWUGwA2ocxC64kIII0Yj41l84x0c7CEw4AK67xGY2AK02 1l84ACjcxK6xIIjxv20xvE14v26ryj6F1UM28EF7xvwVC0I7IYx2IY6xkF7I0E14v26r4U JVWxJr1l84ACjcxK6I8E87Iv67AKxVWxJr0_GcWl84ACjcxK6I8E87Iv6xkF7I0E14v26r xl6s0DM2AIxVAIcxkEcVAq07x20xvEncxIr21l5I8CrVACY4xI64kE6c02F40Ex7xfMcIj 6xIIjxv20xvE14v26r106r15McIj6I8E87Iv67AKxVW8JVWxJwAm72CE4IkC6x0Yz7v_Jr 0_Gr1lF7xvr2IYc2Ij64vIr41lF7I21c0EjII2zVCS5cI20VAGYxC7MxkF7I0En4kS14v2 6r1q6r43MxAIw28IcxkI7VAKI48JMxC20s026xCaFVCjc4AY6r1j6r4UMI8I3I0E5I8CrV AFwI0_Jr0_Jr4lx2IqxVCjr7xvwVAFwI0_JrI_JrWlx4CE17CEb7AF67AKxVWUtVW8ZwCI c40Y0x0EwIxGrwCI42IY6xIIjxv20xvE14v26r1j6r1xMIIF0xvE2Ix0cI8IcVCY1x0267 AKxVWUJVW8JwCI42IY6xAIw20EY4v20xvaj40_Jr0_JF4lIxAIcVC2z280aVAFwI0_Jr0_ Gr1lIxAIcVC2z280aVCY1x0267AKxVWUJVW8JbIYCTnIWIevJa73UjIFyTuYvjfUOlkVUU UUU X-CM-SenderInfo: pyxotu46lvutnvoduhdfq/1tbiCQ4SA2oTE7fg9gABsc Content-Type: text/plain; charset="utf-8" drm_syncobj_find_fence() calls drm_syncobj_find() to obtain a reference on syncobj, then checks the flags validity. If the flags are invalid, it returns -EINVAL without releasing the syncobj reference obtained earlier. Fix this by using goto to release the reference on error paths. Cc: stable@vger.kernel.org Fixes: 18226ba52159 ("drm/syncobj: reject invalid flags in drm_syncobj_find= _fence") Signed-off-by: Wentao Liang --- drivers/gpu/drm/drm_syncobj.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/drivers/gpu/drm/drm_syncobj.c b/drivers/gpu/drm/drm_syncobj.c index 8d9fd1917c6e..0e986daa8ff9 100644 --- a/drivers/gpu/drm/drm_syncobj.c +++ b/drivers/gpu/drm/drm_syncobj.c @@ -442,11 +442,15 @@ int drm_syncobj_find_fence(struct drm_file *file_priv= ate, u64 timeout =3D nsecs_to_jiffies64(DRM_SYNCOBJ_WAIT_FOR_SUBMIT_TIMEOUT); int ret; =20 - if (flags & ~DRM_SYNCOBJ_WAIT_FLAGS_WAIT_FOR_SUBMIT) - return -EINVAL; + if (flags & ~DRM_SYNCOBJ_WAIT_FLAGS_WAIT_FOR_SUBMIT) { + ret =3D -EINVAL; + goto out; + } =20 - if (!syncobj) - return -ENOENT; + if (!syncobj) { + ret =3D -ENOENT; + goto out; + } =20 /* Waiting for userspace with locks help is illegal cause that can * trivial deadlock with page faults for example. Make lockdep complain --=20 2.34.1