This issue happens in one error path of vmw_kms_fb_create(). The function forgets to decrement the refcount of a ttm_base_object obj, which is increased by vmw_user_lookup_handle() earlier, when vmw_user_lookup_handle() returns 0 but vfb is not yet created. This may incur reference count leak.

Fix it by decrement reference count in that error path instead of assigning the obj to vfb->user_obj.

Signed-off-by: Xin Xiong xiongx18@fudan.edu.cn Signed-off-by: Xiyu Yang xiyuyang19@fudan.edu.cn Signed-off-by: Xin Tan tanxin.ctf@gmail.com --- drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c index 74fa41909..453fa714f 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c @@ -1426,7 +1426,7 @@ static struct drm_framebuffer *vmw_kms_fb_create(struct drm_device *dev, if (surface) vmw_surface_unreference(&surface);

- if (ret) { + if (ret || !vfb) { DRM_ERROR("failed to create vmw_framebuffer: %i\n", ret); ttm_base_object_unref(&user_obj); return ERR_PTR(ret);