drm: Fix object leak in DRM_IOCTL_GEM_CHANGE_HANDLE

kwachows · ChristianKoenigAMD · commit 630efee9493c · 2025-12-12T14:52:37.000+01:00
Add missing drm_gem_object_put() call when drm_gem_object_lookup() successfully returns an object. This fixes a GEM object reference leak that can prevent driver modules from unloading when using prime buffers. Fixes: 5309672 ("drm: Add DRM prime interface to reassign GEM handle") Cc: <stable@vger.kernel.org> # v6.18+ Signed-off-by: Karol Wachowski <karol.wachowski@linux.intel.com> Reviewed-by: Christian König <christian.koenig@amd.com> Reviewed-by: Maciej Falkowski <maciej.falkowski@linux.intel.com> Signed-off-by: Christian König <christian.koenig@amd.com> Link: https://lore.kernel.org/r/20251212134133.475218-1-karol.wachowski@linux.intel.com
diff --git a/drivers/gpu/drm/drm_gem.c b/drivers/gpu/drm/drm_gem.c
@@ -979,8 +979,10 @@ int drm_gem_change_handle_ioctl(struct drm_device *dev, void *data,
 	if (!obj)
 		return -ENOENT;
 
-	if (args->handle == args->new_handle)
-		return 0;
+	if (args->handle == args->new_handle) {
+		ret = 0;
+		goto out;
+	}
 
 	mutex_lock(&file_priv->prime.lock);
 
@@ -1012,6 +1014,8 @@ int drm_gem_change_handle_ioctl(struct drm_device *dev, void *data,
 
 out_unlock:
 	mutex_unlock(&file_priv->prime.lock);
+out:
+	drm_gem_object_put(obj);
 
 	return ret;
 }
