This issue happens in one error path of vmw_kms_fb_create(). The function forgets to decrement the refcount of a ttm_base_object obj, which is increased by vmw_user_lookup_handle() earlier, when vmw_user_lookup_handle() returns 0 but vfb is not yet created. This may incur a reference count leak. Fix it by decrementing the reference count in that error path instead of assigning the obj to vfb->user_obj. Signed-off-by: Xin Xiong <xiongx18@xxxxxxxxxxxx> Signed-off-by: Xiyu Yang <xiyuyang19@xxxxxxxxxxxx> Signed-off-by: Xin Tan <tanxin.ctf@xxxxxxxxx> --- drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c index 74fa41909..453fa714f 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c @@ -1426,7 +1426,7 @@ static struct drm_framebuffer *vmw_kms_fb_create(struct drm_device *dev, if (surface) vmw_surface_unreference(&surface); - if (ret) { + if (ret || !vfb) { DRM_ERROR("failed to create vmw_framebuffer: %i\n", ret); ttm_base_object_unref(&user_obj); return ERR_PTR(ret); -- 2.25.1
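Review bot: In the widened branch `if (ret || !vfb)`, the `!vfb` case is reached with ret equal to 0 (that is the case the commit message describes), so `return ERR_PTR(ret)` hands back ERR_PTR(0), which is NULL rather than an error pointer, and the DRM_ERROR line logs "failed to create vmw_framebuffer: 0". A caller that tests the result only with IS_ERR() would not see that as a failure. Consider setting ret to a negative errno for the `!vfb` case before the return (which code fits is a maintainer call), or state in the commit message which earlier path leaves vfb NULL while ret is 0 so the error can be set at its source. The reference drop itself is covered on this path by the existing `ttm_base_object_unref(&user_obj)`.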