If drm_gem_handle_create() fails in vkms_gem_create(), then the vkms_gem_object is not freed. Fix it by adding a call to vkms_gem_free_object(). Found by Linux Verification Center (linuxtesting.org) with Syzkaller. Fixes: 0ea2ea42b31a ("drm/vkms: Hold gem object while still in-use") Cc: stable@xxxxxxxxxxxxxxx#v5.10.212 #Co-developed-by: Fedor Pchelkin <pchelkin@xxxxxxxxx> Signed-off-by: Salomatkina Elena <elena.salomatkina.cmc@xxxxxxxxx> --- drivers/gpu/drm/vkms/vkms_gem.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/vkms/vkms_gem.c b/drivers/gpu/drm/vkms/vkms_gem.c index a017fc59905e..cc6584767a1b 100644 --- a/drivers/gpu/drm/vkms/vkms_gem.c +++ b/drivers/gpu/drm/vkms/vkms_gem.c @@ -113,9 +113,10 @@ static struct drm_gem_object *vkms_gem_create(struct drm_device *dev, return ERR_CAST(obj); ret = drm_gem_handle_create(file, &obj->gem, handle); - if (ret) + if (ret) { + vkms_gem_free_object(&obj->gem); return ERR_PTR(ret); - + } return &obj->gem; } -- 2.34.1
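Review bot: The new error path calls vkms_gem_free_object(&obj->gem) directly, which bypasses the gem object's reference count; unless the object holds no reference at this point, the idiomatic way to release it after a failed drm_gem_handle_create() is drm_gem_object_put(&obj->gem) so the free happens through the refcount, and the commit message should say which of the two is intended and why. The trailers also need attention: the "Cc: stable@... #v5.10.212 #" line has a stray "#" fused with "Co-developed-by:", and a Co-developed-by tag must be followed by that co-developer's own Signed-off-by for the patch to be accepted.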