Commit 5f8d6f29 authored by Boris Brezillon's avatar Boris Brezillon

drm/gem: Fix a GEM leak in drm_gem_get_unmapped_area()



drm_gem_object_lookup_at_offset() can return a valid object with
filp or filp->f_op->get_unmapped_area set to NULL. Make sure we still
release the ref we acquired on such objects.

Cc: Loïc Molinari <loic.molinari@collabora.com>
Fixes: 99bda20d ("drm/gem: Introduce drm_gem_get_unmapped_area() fop")
Reviewed-by: default avatarLoïc Molinari <loic.molinari@collabora.com>
Link: https://patch.msgid.link/20260106164935.409765-1-boris.brezillon@collabora.com


Signed-off-by: default avatarBoris Brezillon <boris.brezillon@collabora.com>
parent 0244539f
+6 −4
@@ -1298,11 +1298,13 @@ unsigned long drm_gem_get_unmapped_area(struct file *filp, unsigned long uaddr,
	unsigned long ret;

	obj = drm_gem_object_lookup_at_offset(filp, pgoff, len >> PAGE_SHIFT);
	if (IS_ERR(obj) || !obj->filp || !obj->filp->f_op->get_unmapped_area)
		return mm_get_unmapped_area(filp, uaddr, len, 0, flags);
	if (IS_ERR(obj))
		obj = NULL;

	ret = obj->filp->f_op->get_unmapped_area(obj->filp, uaddr, len, 0,
						 flags);
	if (!obj || !obj->filp || !obj->filp->f_op->get_unmapped_area)
		ret = mm_get_unmapped_area(filp, uaddr, len, 0, flags);
	else
		ret = obj->filp->f_op->get_unmapped_area(obj->filp, uaddr, len, 0, flags);

	drm_gem_object_put(obj);
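Review bot: The fallback path now relies on `drm_gem_object_put(obj)` tolerating a NULL pointer, because `obj` is set to NULL when the lookup returns an error pointer, and nothing in the hunk states that. A one-line comment above the `if (IS_ERR(obj))` check would make the refcount invariant explicit for the next person touching this path, for example `/* Normalise ERR_PTR to NULL so the single drm_gem_object_put() below covers every path. */`. This assumes drm_gem_object_put() is a no-op on NULL, which is not visible here and should be confirmed against its definition. The function's signature and its return statement lie outside the hunk.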