If drm_gem_handle_create() fails in vkms_gem_create(), then the vkms_gem_object is not freed.
Fix it by adding a call to vkms_gem_free_object().
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Fixes: 0ea2ea42b31a ("drm/vkms: Hold gem object while still in-use")
Cc: stable@vger.kernel.org#v5.10.212
#Co-developed-by: Fedor Pchelkin pchelkin@ispras.ru
Signed-off-by: Salomatkina Elena elena.salomatkina.cmc@gmail.com
---
 drivers/gpu/drm/vkms/vkms_gem.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/vkms/vkms_gem.c b/drivers/gpu/drm/vkms/vkms_gem.c index a017fc59905e..cc6584767a1b 100644 --- a/drivers/gpu/drm/vkms/vkms_gem.c +++ b/drivers/gpu/drm/vkms/vkms_gem.c @@ -113,9 +113,10 @@ static struct drm_gem_object *vkms_gem_create(struct drm_device *dev, return ERR_CAST(obj);
ret = drm_gem_handle_create(file, &obj->gem, handle); - if (ret) + if (ret) { + vkms_gem_free_object(&obj->gem); return ERR_PTR(ret); - + } return &obj->gem; }
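Review bot: on the new error path after drm_gem_handle_create(), the object is released by calling vkms_gem_free_object(&obj->gem) directly instead of dropping a reference. The commit named in the Fixes tag is about holding a reference on the gem object, so consider `drm_gem_object_put(&obj->gem);` here, which lets the release go through the refcount and runs the free callback only when the last reference is gone. If a direct free is intended, the commit message should state why no other reference to the object can exist at this point. A smaller style point: the hunk drops the blank line before `return &obj->gem;`; keeping one after the closing brace keeps the error path visually separate from the success return.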
linux-stable-mirror@lists.linaro.org