From: Maíra Canal
Date: Fri, 15 May 2026 12:07:14 -0300
Subject: [PATCH 1/2] drm/v3d: Fix use-after-free of CPU job query arrays on error path
Message-Id: <20260515-v3d-cpu-job-leaks-v1-1-7f147cbbf935@igalia.com>
References: <20260515-v3d-cpu-job-leaks-v1-0-7f147cbbf935@igalia.com>
In-Reply-To: <20260515-v3d-cpu-job-leaks-v1-0-7f147cbbf935@igalia.com>
To: Melissa Wen, Iago Toral Quiroga, David Airlie, Simona Vetter
Cc: kernel-dev@igalia.com, dri-devel@lists.freedesktop.org, Maíra Canal

The CPU job ioctl's fail label calls kvfree() on cpu_job's timestamp and
performance query arrays after v3d_job_cleanup(), which drops the job's
last reference and frees cpu_job. Reading cpu_job at that point is a
use-after-free. Also, on the early v3d_job_init() failure path, it is a
NULL dereference, since v3d_job_deallocate() zeroes the local pointer.

In the success path, the arrays are released from the scheduler's
.free_job callback, but on the error path, they are freed manually, as
the job was never pushed to the scheduler. While the success path deals
with this correctly, the fail path doesn't.

On top of that, the manual kvfree() calls only free the array storage;
they don't drm_syncobj_put() the per-query syncobjs that
v3d_timestamp_query_info_free() and v3d_performance_query_info_free()
release on the success path. So the same fail path that triggers the
use-after-free also leaks one syncobj reference per query.

Unify the CPU job teardown into the CPU job's kref destructor, mirroring
v3d_render_job_free(). The scheduler's .free_job slot reverts to the
generic v3d_sched_job_free() and the fail label drops the manual
kvfree() calls, leaving a single teardown path that is reached from both
the scheduler and the ioctl error path. That removes the use-after-free,
the NULL dereference, and the syncobj leak by construction.

Fixes: 9ba0ff3e083f ("drm/v3d: Create a CPU job extension for the timestamp query job")
Assisted-by: Claude:claude-opus-4.7
Signed-off-by: Maíra Canal <mcanal@igalia.com>
---
 drivers/gpu/drm/v3d/v3d_sched.c  | 16 +---------------
 drivers/gpu/drm/v3d/v3d_submit.c | 19 ++++++++++++++++---
 2 files changed, 17 insertions(+), 18 deletions(-)

diff --git a/drivers/gpu/drm/v3d/v3d_sched.c b/drivers/gpu/drm/v3d/v3d_sched.c
index 1855ef5b3b5f..94bf628dc91c 100644
--- a/drivers/gpu/drm/v3d/v3d_sched.c
+++ b/drivers/gpu/drm/v3d/v3d_sched.c
@@ -125,20 +125,6 @@ v3d_performance_query_info_free(struct v3d_performance_query_info *query_info,
 	}
 }
 
-static void
-v3d_cpu_job_free(struct drm_sched_job *sched_job)
-{
-	struct v3d_cpu_job *job = to_cpu_job(sched_job);
-
-	v3d_timestamp_query_info_free(&job->timestamp_query,
-				      job->timestamp_query.count);
-
-	v3d_performance_query_info_free(&job->performance_query,
-					job->performance_query.count);
-
-	v3d_job_cleanup(&job->base);
-}
-
 static void
 v3d_switch_perfmon(struct v3d_dev *v3d, struct v3d_job *job)
 {
@@ -830,7 +816,7 @@ static const struct drm_sched_backend_ops v3d_cache_clean_sched_ops = {
 
 static const struct drm_sched_backend_ops v3d_cpu_sched_ops = {
 	.run_job = v3d_cpu_job_run,
-	.free_job = v3d_cpu_job_free
+	.free_job = v3d_sched_job_free
 };
 
 static int
diff --git a/drivers/gpu/drm/v3d/v3d_submit.c b/drivers/gpu/drm/v3d/v3d_submit.c
index ee4512db294b..e3a6e7cc7bd5 100644
--- a/drivers/gpu/drm/v3d/v3d_submit.c
+++ b/drivers/gpu/drm/v3d/v3d_submit.c
@@ -123,6 +123,21 @@ v3d_render_job_free(struct kref *ref)
 	v3d_job_free(ref);
 }
 
+static void
+v3d_cpu_job_free(struct kref *ref)
+{
+	struct v3d_cpu_job *job = container_of(ref, struct v3d_cpu_job,
+					       base.refcount);
+
+	v3d_timestamp_query_info_free(&job->timestamp_query,
+				      job->timestamp_query.count);
+
+	v3d_performance_query_info_free(&job->performance_query,
+					job->performance_query.count);
+
+	v3d_job_free(ref);
+}
+
 void v3d_job_cleanup(struct v3d_job *job)
 {
 	if (!job)
@@ -1302,7 +1317,7 @@ v3d_submit_cpu_ioctl(struct drm_device *dev, void *data,
 	trace_v3d_submit_cpu_ioctl(&v3d->drm, cpu_job->job_type);
 
 	ret = v3d_job_init(v3d, file_priv, &cpu_job->base,
-			   v3d_job_free, 0, &se, V3D_CPU);
+			   v3d_cpu_job_free, 0, &se, V3D_CPU);
 	if (ret) {
 		v3d_job_deallocate((void *)&cpu_job);
 		goto fail;
@@ -1385,8 +1400,6 @@ v3d_submit_cpu_ioctl(struct drm_device *dev, void *data,
 	v3d_job_cleanup((void *)csd_job);
 	v3d_job_cleanup(clean_job);
 	v3d_put_multisync_post_deps(&se);
-	kvfree(cpu_job->timestamp_query.queries);
-	kvfree(cpu_job->performance_query.queries);
 
 	return ret;
 }

-- 
2.54.0
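Review bot: in the v3d_submit.c hunk at @@ -123, v3d_cpu_job_free() passes job->timestamp_query.count and job->performance_query.count unconditionally, and this destructor now runs on the ioctl error path as well as from the scheduler. If a query array can be left partially populated, or already released by an earlier error handler without its pointer and count being reset, the destructor would put syncobjs a second time or free stale storage. Worth confirming that every earlier failure leaves queries NULL or count accurate, and adding a short comment above the function stating that invariant.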
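Review bot: in the @@ -1302 hunk, the v3d_job_init() failure branch still calls v3d_job_deallocate((void *)&cpu_job) and jumps to fail, so the new kref destructor never runs for that job, while the last hunk removes the kvfree() calls from the fail label. cpu_job->job_type is already read by the trace call just above, so the job has been populated before this point; if the query arrays can be allocated by then, this branch now leaks them together with their syncobj references. Either release the query info before v3d_job_deallocate() in this branch, or state in the commit message that 2/2 covers it.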