drm/gem: Fix a GEM leak in drm_gem_get_unmapped_area()

drm_gem_object_lookup_at_offset() can return a valid object with
filp or filp->f_op->get_unmapped_area set to NULL. Make sure we still
release the ref we acquired on such objects.

Cc: Loïc Molinari <loic.molinari@collabora.com>
Fixes: 99bda20d6d4c ("drm/gem: Introduce drm_gem_get_unmapped_area() fop")
Reviewed-by: Loïc Molinari <loic.molinari@collabora.com>
Link: https://patch.msgid.link/20260106164935.409765-1-boris.brezillon@collabora.com
Signed-off-by: Boris Brezillon <boris.brezillon@collabora.com>

diff --git a/drivers/gpu/drm/drm_gem.c b/drivers/gpu/drm/drm_gem.c
index 36c8af12387701e79a245a06183a5914b2ad16f4..f7cbf6e8d1e06d39b0f385fa7003271ecaf97dd8 100644 (file)
--- a/drivers/gpu/drm/drm_gem.c
+++ b/drivers/gpu/drm/drm_gem.c
@@ -1298,11 +1298,13 @@ unsigned long drm_gem_get_unmapped_area(struct file *filp, unsigned long uaddr,
        unsigned long ret;
 
        obj = drm_gem_object_lookup_at_offset(filp, pgoff, len >> PAGE_SHIFT);
-       if (IS_ERR(obj) || !obj->filp || !obj->filp->f_op->get_unmapped_area)
-               return mm_get_unmapped_area(filp, uaddr, len, 0, flags);
+       if (IS_ERR(obj))
+               obj = NULL;
 
-       ret = obj->filp->f_op->get_unmapped_area(obj->filp, uaddr, len, 0,
-                                                flags);
+       if (!obj || !obj->filp || !obj->filp->f_op->get_unmapped_area)
+               ret = mm_get_unmapped_area(filp, uaddr, len, 0, flags);
+       else
+               ret = obj->filp->f_op->get_unmapped_area(obj->filp, uaddr, len, 0, flags);
 
        drm_gem_object_put(obj);