[PATCH] drm: Fix object leak in DRM_IOCTL_GEM_CHANGE_HANDLE

[PATCH] drm: Fix object leak in DRM_IOCTL_GEM_CHANGE_HANDLE

[Karol Wachowski]

Add missing drm_gem_object_put() call when drm_gem_object_lookup()
successfully returns an object. This fixes a GEM object reference
leak that can prevent driver modules from unloading when using
prime buffers.

Fixes: 53096728b891 ("drm: Add DRM prime interface to reassign GEM handle")
Signed-off-by: Karol Wachowski <karol.wachowski@linux.intel.com>
---
 drivers/gpu/drm/drm_gem.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/drm_gem.c b/drivers/gpu/drm/drm_gem.c
index ca1956608261..e150bc1ce65a 100644
--- a/drivers/gpu/drm/drm_gem.c
+++ b/drivers/gpu/drm/drm_gem.c
@@ -1001,7 +1001,7 @@ int drm_gem_change_handle_ioctl(struct drm_device *dev, void *data,
 {
 	struct drm_gem_change_handle *args = data;
 	struct drm_gem_object *obj;
-	int ret;
+	int ret = 0;
 
 	if (!drm_core_check_feature(dev, DRIVER_GEM))
 		return -EOPNOTSUPP;
@@ -1011,7 +1011,7 @@ int drm_gem_change_handle_ioctl(struct drm_device *dev, void *data,
 		return -ENOENT;
 
 	if (args->handle == args->new_handle)
-		return 0;
+		goto out;
 
 	mutex_lock(&file_priv->prime.lock);
 
@@ -1043,6 +1043,8 @@ int drm_gem_change_handle_ioctl(struct drm_device *dev, void *data,
 
 out_unlock:
 	mutex_unlock(&file_priv->prime.lock);
+out:
+	drm_gem_object_put(obj);
 
 	return ret;
 }
-- 
2.43.0

Re: [PATCH] drm: Fix object leak in DRM_IOCTL_GEM_CHANGE_HANDLE

[Christian König]

On 12/12/25 14:02, Karol Wachowski wrote:
> Add missing drm_gem_object_put() call when drm_gem_object_lookup()
> successfully returns an object. This fixes a GEM object reference
> leak that can prevent driver modules from unloading when using
> prime buffers.

Good catch.

> Fixes: 53096728b891 ("drm: Add DRM prime interface to reassign GEM handle")
> Signed-off-by: Karol Wachowski <karol.wachowski@linux.intel.com>

CC: stable 6.18?

> ---
>  drivers/gpu/drm/drm_gem.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/gpu/drm/drm_gem.c b/drivers/gpu/drm/drm_gem.c
> index ca1956608261..e150bc1ce65a 100644
> --- a/drivers/gpu/drm/drm_gem.c
> +++ b/drivers/gpu/drm/drm_gem.c
> @@ -1001,7 +1001,7 @@ int drm_gem_change_handle_ioctl(struct drm_device *dev, void *data,
>  {
>  	struct drm_gem_change_handle *args = data;
>  	struct drm_gem_object *obj;
> -	int ret;
> +	int ret = 0;

Please set ret explicitly in the if branch below.

Always initializing return values is usually considered bad coding style.

Apart from that looks good to me.

Thanks,
Christian.

>  
>  	if (!drm_core_check_feature(dev, DRIVER_GEM))
>  		return -EOPNOTSUPP;
> @@ -1011,7 +1011,7 @@ int drm_gem_change_handle_ioctl(struct drm_device *dev, void *data,
>  		return -ENOENT;
>  
>  	if (args->handle == args->new_handle)
> -		return 0;
> +		goto out;
>  
>  	mutex_lock(&file_priv->prime.lock);
>  
> @@ -1043,6 +1043,8 @@ int drm_gem_change_handle_ioctl(struct drm_device *dev, void *data,
>  
>  out_unlock:
>  	mutex_unlock(&file_priv->prime.lock);
> +out:
> +	drm_gem_object_put(obj);
>  
>  	return ret;
>  }

Re: [PATCH] drm: Fix object leak in DRM_IOCTL_GEM_CHANGE_HANDLE

[Karol Wachowski]

On 12/12/2025 2:06 PM, Christian König wrote:
> On 12/12/25 14:02, Karol Wachowski wrote:
>> Add missing drm_gem_object_put() call when drm_gem_object_lookup()
>> successfully returns an object. This fixes a GEM object reference
>> leak that can prevent driver modules from unloading when using
>> prime buffers.
> 
> Good catch.
> 
>> Fixes: 53096728b891 ("drm: Add DRM prime interface to reassign GEM handle")
>> Signed-off-by: Karol Wachowski <karol.wachowski@linux.intel.com>
> 
> CC: stable 6.18?

Good idea - added CC: stable in v2.

> 
>> ---
>>  drivers/gpu/drm/drm_gem.c | 6 ++++--
>>  1 file changed, 4 insertions(+), 2 deletions(-)
>>
>> diff --git a/drivers/gpu/drm/drm_gem.c b/drivers/gpu/drm/drm_gem.c
>> index ca1956608261..e150bc1ce65a 100644
>> --- a/drivers/gpu/drm/drm_gem.c
>> +++ b/drivers/gpu/drm/drm_gem.c
>> @@ -1001,7 +1001,7 @@ int drm_gem_change_handle_ioctl(struct drm_device *dev, void *data,
>>  {
>>  	struct drm_gem_change_handle *args = data;
>>  	struct drm_gem_object *obj;
>> -	int ret;
>> +	int ret = 0;
> 
> Please set ret explicitly in the if branch below.
> 
> Always initializing return values is usually considered bad coding style.

Totally agree, moved setting to suggested place in v2.

> 
> Apart from that looks good to me.
> 
> Thanks,
> Christian.

Thanks,
Karol.>
>>  
>>  	if (!drm_core_check_feature(dev, DRIVER_GEM))
>>  		return -EOPNOTSUPP;
>> @@ -1011,7 +1011,7 @@ int drm_gem_change_handle_ioctl(struct drm_device *dev, void *data,
>>  		return -ENOENT;
>>  
>>  	if (args->handle == args->new_handle)
>> -		return 0;
>> +		goto out;
>>  
>>  	mutex_lock(&file_priv->prime.lock);
>>  
>> @@ -1043,6 +1043,8 @@ int drm_gem_change_handle_ioctl(struct drm_device *dev, void *data,
>>  
>>  out_unlock:
>>  	mutex_unlock(&file_priv->prime.lock);
>> +out:
>> +	drm_gem_object_put(obj);
>>  
>>  	return ret;
>>  }
>