From: T.J. Mercier <tjmercier@xxxxxxxxxx> commit 8c7c44be57672e1474bf15a451011c291e85fda4 upstream. A syncobj reference is taken in drm_syncobj_find, but not released if eventfd_ctx_fdget or kzalloc fails. Put the reference in these error paths. Reported-by: Xingyu Jin <xingyuj@xxxxxxxxxx> Fixes: c7a472297169 ("drm/syncobj: add IOCTL to register an eventfd") Signed-off-by: T.J. Mercier <tjmercier@xxxxxxxxxx> Reviewed-by: Tvrtko Ursulin <tvrtko.ursulin@xxxxxxxxxx> Reviewed-by. Christian König <christian.koenig@xxxxxxx> CC: stable@xxxxxxxxxxxxxxx # 6.6+ Link: https://patchwork.freedesktop.org/patch/msgid/20240909205400.3498337-1-tjmercier@xxxxxxxxxx Signed-off-by: Christian König <christian.koenig@xxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- drivers/gpu/drm/drm_syncobj.c | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) --- a/drivers/gpu/drm/drm_syncobj.c +++ b/drivers/gpu/drm/drm_syncobj.c @@ -1421,6 +1421,7 @@ drm_syncobj_eventfd_ioctl(struct drm_dev struct drm_syncobj *syncobj; struct eventfd_ctx *ev_fd_ctx; struct syncobj_eventfd_entry *entry; + int ret; if (!drm_core_check_feature(dev, DRIVER_SYNCOBJ_TIMELINE)) return -EOPNOTSUPP; @@ -1436,13 +1437,15 @@ drm_syncobj_eventfd_ioctl(struct drm_dev return -ENOENT; ev_fd_ctx = eventfd_ctx_fdget(args->fd); - if (IS_ERR(ev_fd_ctx)) - return PTR_ERR(ev_fd_ctx); + if (IS_ERR(ev_fd_ctx)) { + ret = PTR_ERR(ev_fd_ctx); + goto err_fdget; + } entry = kzalloc(sizeof(*entry), GFP_KERNEL); if (!entry) { - eventfd_ctx_put(ev_fd_ctx); - return -ENOMEM; + ret = -ENOMEM; + goto err_kzalloc; } entry->syncobj = syncobj; entry->ev_fd_ctx = ev_fd_ctx; @@ -1453,6 +1456,12 @@ drm_syncobj_eventfd_ioctl(struct drm_dev drm_syncobj_put(syncobj); return 0; + +err_kzalloc: + eventfd_ctx_put(ev_fd_ctx); +err_fdget: + drm_syncobj_put(syncobj); + return ret; } int Patches currently in stable-queue which might be from tjmercier@xxxxxxxxxx are queue-6.6/drm-syncobj-fix-syncobj-leak-in-drm_syncobj_eventfd_ioctl.patch queue-6.6/dma-buf-heaps-fix-off-by-one-in-cma-heap-fault-handler.patch