drm/nouveau: Fix refcount leak in nouveau_connector_detect

[PATCH v3] drm/nouveau: Fix refcount leak in nouveau_connector_detect

Posted by Shuhao Fu 4 months ago

A possible inconsistent refcount update has been identified in function
`nouveau_connector_detect`, which may cause a resource leak.

After calling `pm_runtime_get_*(dev->dev)`, the usage counter of `dev->dev`
gets increased. In case function `nvif_outp_edid_get` returns negative,
function `nouveau_connector_detect` returns without decreasing the usage
counter of `dev->dev`, causing a refcount inconsistency.

Closes: https://gitlab.freedesktop.org/drm/nouveau/-/issues/450
Fixes: 0cd7e0718139 ("drm/nouveau/disp: add output method to fetch edid")
Signed-off-by: Shuhao Fu <sfual@cse.ust.hk>
Cc: stable@vger.kernel.org

Change in v3:
- Cc stable
Change in v2:
- Add "Fixes" and "Cc" tags
---
 drivers/gpu/drm/nouveau/nouveau_connector.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/nouveau/nouveau_connector.c b/drivers/gpu/drm/nouveau/nouveau_connector.c
index 63621b151..45caccade 100644
--- a/drivers/gpu/drm/nouveau/nouveau_connector.c
+++ b/drivers/gpu/drm/nouveau/nouveau_connector.c
@@ -600,8 +600,10 @@ nouveau_connector_detect(struct drm_connector *connector, bool force)
                                new_edid = drm_get_edid(connector, nv_encoder->i2c);
                } else {
                        ret = nvif_outp_edid_get(&nv_encoder->outp, (u8 **)&new_edid);
-                       if (ret < 0)
-                               return connector_status_disconnected;
+                       if (ret < 0) {
+                               conn_status = connector_status_disconnected;
+                               goto out;
+                       }
                }

                nouveau_connector_set_edid(nv_connector, new_edid);
--
2.39.5

Re: [PATCH v3] drm/nouveau: Fix refcount leak in nouveau_connector_detect

Posted by Shuhao Fu 3 months, 2 weeks ago

Hi, this is a friendly reminder of this patch. Please do let me know if
it needs any rework.

On Wed, Oct 08, 2025 at 11:20:15AM +0800, Shuhao Fu wrote:
> A possible inconsistent refcount update has been identified in function
> `nouveau_connector_detect`, which may cause a resource leak.
> 
> After calling `pm_runtime_get_*(dev->dev)`, the usage counter of `dev->dev`
> gets increased. In case function `nvif_outp_edid_get` returns negative,
> function `nouveau_connector_detect` returns without decreasing the usage
> counter of `dev->dev`, causing a refcount inconsistency.
> 
> Closes: https://gitlab.freedesktop.org/drm/nouveau/-/issues/450
> Fixes: 0cd7e0718139 ("drm/nouveau/disp: add output method to fetch edid")
> Signed-off-by: Shuhao Fu <sfual@cse.ust.hk>
> Cc: stable@vger.kernel.org
> 
> Change in v3:
> - Cc stable
> Change in v2:
> - Add "Fixes" and "Cc" tags
> ---
>  drivers/gpu/drm/nouveau/nouveau_connector.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/gpu/drm/nouveau/nouveau_connector.c b/drivers/gpu/drm/nouveau/nouveau_connector.c
> index 63621b151..45caccade 100644
> --- a/drivers/gpu/drm/nouveau/nouveau_connector.c
> +++ b/drivers/gpu/drm/nouveau/nouveau_connector.c
> @@ -600,8 +600,10 @@ nouveau_connector_detect(struct drm_connector *connector, bool force)
>                                 new_edid = drm_get_edid(connector, nv_encoder->i2c);
>                 } else {
>                         ret = nvif_outp_edid_get(&nv_encoder->outp, (u8 **)&new_edid);
> -                       if (ret < 0)
> -                               return connector_status_disconnected;
> +                       if (ret < 0) {
> +                               conn_status = connector_status_disconnected;
> +                               goto out;
> +                       }
>                 }
> 
>                 nouveau_connector_set_edid(nv_connector, new_edid);
> --
> 2.39.5
>