drm/tegra: put drm_gem_object ref on error in tegra_fb_create

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

Inside tegra_fb_create(), drm_gem_object_lookup() increments ref count of
the found object. But if the following size check fails then the last
found object's ref count should be put there as the unreferencing loop
can't detect this situation.

Found by Linux Verification Center (linuxtesting.org).

Fixes: de2ba664c30f ("gpu: host1x: drm: Add memory manager and fb")
Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
Signed-off-by: Thierry Reding <treding@nvidia.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20231215093356.12067-1-pchelkin@ispras.ru

authored by

Fedor Pchelkin and committed by

Thierry Reding 2 years ago 32e5a120 a3baaca4

1 changed file

expand all

drivers

gpu

drm

tegra

fb.c

drivers/gpu/drm/tegra/fb.c

··· 159 159 160 160 if (gem->size < size) { 161 161 err = -EINVAL; 162 + drm_gem_object_put(gem); 162 163 goto unreference; 163 164 } 164 165