[PATCH] drm/vc4: fix krealloc() memory leak

[PATCH] drm/vc4: fix krealloc() memory leak

[Alexander A. Klimov]

Don't just overwrite the original pointer passed to krealloc()
with its return value without checking latter:

    MEM = krealloc(MEM, SZ, GFP);

If krealloc() returns NULL, that erases the pointer
to the still allocated memory, hence leaks this memory.
Instead, use a temporary variable, check it's not NULL
and only then assign it to the original pointer:

    TMP = krealloc(MEM, SZ, GFP);
    if (!TMP) return;
    MEM = TMP;

Fixes: 6d45c81d229d ("drm/vc4: Add support for branching in shader validation.")
Signed-off-by: Alexander A. Klimov <grandmaster@al2klimov.de>
---
 drivers/gpu/drm/vc4/vc4_validate_shaders.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/drivers/gpu/drm/vc4/vc4_validate_shaders.c b/drivers/gpu/drm/vc4/vc4_validate_shaders.c
index d48cf76983c0..af48758592f9 100644
--- a/drivers/gpu/drm/vc4/vc4_validate_shaders.c
+++ b/drivers/gpu/drm/vc4/vc4_validate_shaders.c
@@ -291,14 +291,14 @@ static bool require_uniform_address_uniform(struct vc4_validated_shader_info *va
 	uint32_t o = validated_shader->num_uniform_addr_offsets;
 	uint32_t num_uniforms = validated_shader->uniforms_size / 4;
 
-	validated_shader->uniform_addr_offsets =
-		krealloc(validated_shader->uniform_addr_offsets,
-			 (o + 1) *
-			 sizeof(*validated_shader->uniform_addr_offsets),
-			 GFP_KERNEL);
-	if (!validated_shader->uniform_addr_offsets)
+	void *mem = krealloc(validated_shader->uniform_addr_offsets,
+			     (o + 1) *
+			     sizeof(*validated_shader->uniform_addr_offsets),
+			     GFP_KERNEL);
+	if (!mem)
 		return false;
 
+	validated_shader->uniform_addr_offsets = mem;
 	validated_shader->uniform_addr_offsets[o] = num_uniforms;
 	validated_shader->num_uniform_addr_offsets++;
 
-- 
2.54.0

Claude review: drm/vc4: fix krealloc() memory leak

[Claude Code Review Bot]

Overall Series Review

Subject: drm/vc4: fix krealloc() memory leak
Author: "Alexander A. Klimov" <grandmaster@al2klimov.de>
Patches: 1
Reviewed: 2026-05-27T14:21:18.853622

---

This is a single patch fixing a genuine krealloc() memory leak bug in the VC4 shader validation code. The bug pattern is well-known: when `krealloc()` fails and returns NULL, writing that NULL back to the original pointer loses the reference to the still-allocated old memory. The fix is correct and minimal.

The patch is part of a larger series (indicated by the `In-Reply-To` header referencing a `*-1-*` message), presumably fixing this same krealloc pattern across multiple drivers.

**Verdict: The patch is correct and should be applied.**

---
Generated by Claude Code Patch Reviewer

Claude review: drm/vc4: fix krealloc() memory leak

[Claude Code Review Bot]

Patch Review

**Correctness: Good.** The fix correctly addresses a real memory leak. In the original code:

```c
validated_shader->uniform_addr_offsets =
    krealloc(validated_shader->uniform_addr_offsets,
             (o + 1) *
             sizeof(*validated_shader->uniform_addr_offsets),
             GFP_KERNEL);
if (!validated_shader->uniform_addr_offsets)
    return false;
```

If `krealloc()` returns NULL, the original allocation pointed to by `uniform_addr_offsets` is leaked because the pointer is overwritten before the NULL check. The caller chain eventually calls `kfree(validated_shader->uniform_addr_offsets)` in the cleanup paths (`vc4_validate_shaders.c:951`, `vc4_bo.c:176`, `vc4_bo.c:585`), but since `uniform_addr_offsets` is now NULL, the free is a no-op and the original memory leaks.

**Fix approach:** The fix uses a `void *mem` temporary variable and only assigns to `validated_shader->uniform_addr_offsets` after confirming non-NULL:

```c
void *mem = krealloc(validated_shader->uniform_addr_offsets,
                     (o + 1) *
                     sizeof(*validated_shader->uniform_addr_offsets),
                     GFP_KERNEL);
if (!mem)
    return false;

validated_shader->uniform_addr_offsets = mem;
```

This preserves the original pointer on failure so the existing cleanup paths can properly free it.

**Minor style observation:** The temporary is typed `void *` rather than `uint32_t *` (the actual type of `uniform_addr_offsets` as seen in `vc4_drv.h:858`). This works correctly since C allows implicit conversion from `void *`, and it's idiomatic for krealloc wrappers. However, using `uint32_t *mem` would be slightly more type-safe and avoid the implicit cast. This is a matter of taste and not a blocker — the series likely uses `void *` consistently across all patches for the same krealloc pattern.

**Fixes tag:** Correctly references commit `6d45c81d229d ("drm/vc4: Add support for branching in shader validation.")` which introduced this code.

**Scope:** The change is minimal and precisely scoped — only the 6 lines around the krealloc call are modified, with no functional change on the success path.

**Recommendation: Patch is correct. Apply as-is.**

---
Generated by Claude Code Patch Reviewer

Re: [PATCH] drm/vc4: fix krealloc() memory leak

[Maíra Canal]

Hi Alexander,

LGTM, but a small styling nit:

On 26/05/26 15:41, Alexander A. Klimov wrote:
> Don't just overwrite the original pointer passed to krealloc()
> with its return value without checking latter:
> 
>      MEM = krealloc(MEM, SZ, GFP);
> 
> If krealloc() returns NULL, that erases the pointer
> to the still allocated memory, hence leaks this memory.
> Instead, use a temporary variable, check it's not NULL
> and only then assign it to the original pointer:
> 
>      TMP = krealloc(MEM, SZ, GFP);
>      if (!TMP) return;
>      MEM = TMP;
> 
> Fixes: 6d45c81d229d ("drm/vc4: Add support for branching in shader validation.")
> Signed-off-by: Alexander A. Klimov <grandmaster@al2klimov.de>
> ---
>   drivers/gpu/drm/vc4/vc4_validate_shaders.c | 12 ++++++------
>   1 file changed, 6 insertions(+), 6 deletions(-)
> 
> diff --git a/drivers/gpu/drm/vc4/vc4_validate_shaders.c b/drivers/gpu/drm/vc4/vc4_validate_shaders.c
> index d48cf76983c0..af48758592f9 100644
> --- a/drivers/gpu/drm/vc4/vc4_validate_shaders.c
> +++ b/drivers/gpu/drm/vc4/vc4_validate_shaders.c
> @@ -291,14 +291,14 @@ static bool require_uniform_address_uniform(struct vc4_validated_shader_info *va
>   	uint32_t o = validated_shader->num_uniform_addr_offsets;
>   	uint32_t num_uniforms = validated_shader->uniforms_size / 4;

Declare the variable here.

>   
> -	validated_shader->uniform_addr_offsets =
> -		krealloc(validated_shader->uniform_addr_offsets,
> -			 (o + 1) *
> -			 sizeof(*validated_shader->uniform_addr_offsets),
> -			 GFP_KERNEL);
> -	if (!validated_shader->uniform_addr_offsets)
> +	void *mem = krealloc(validated_shader->uniform_addr_offsets,

Instead of void *, you should probably use uint32_t *.

Best regards,
- Maíra

> +			     (o + 1) *
> +			     sizeof(*validated_shader->uniform_addr_offsets),
> +			     GFP_KERNEL);
> +	if (!mem)
>   		return false;
>   
> +	validated_shader->uniform_addr_offsets = mem;
>   	validated_shader->uniform_addr_offsets[o] = num_uniforms;
>   	validated_shader->num_uniform_addr_offsets++;
>   

Re: [PATCH] drm/vc4: fix krealloc() memory leak

[Alexander A. Klimov]

On 5/28/26 20:17, Maíra Canal wrote:
> Hi Alexander,
> 
> LGTM, but a small styling nit:
> 
> On 26/05/26 15:41, Alexander A. Klimov wrote:
>> Don't just overwrite the original pointer passed to krealloc()
>> with its return value without checking latter:
>>
>>      MEM = krealloc(MEM, SZ, GFP);
>>
>> If krealloc() returns NULL, that erases the pointer
>> to the still allocated memory, hence leaks this memory.
>> Instead, use a temporary variable, check it's not NULL
>> and only then assign it to the original pointer:
>>
>>      TMP = krealloc(MEM, SZ, GFP);
>>      if (!TMP) return;
>>      MEM = TMP;
>>
>> Fixes: 6d45c81d229d ("drm/vc4: Add support for branching in shader validation.")
>> Signed-off-by: Alexander A. Klimov <grandmaster@al2klimov.de>
>> ---
>>   drivers/gpu/drm/vc4/vc4_validate_shaders.c | 12 ++++++------
>>   1 file changed, 6 insertions(+), 6 deletions(-)
>>
>> diff --git a/drivers/gpu/drm/vc4/vc4_validate_shaders.c b/drivers/gpu/drm/vc4/vc4_validate_shaders.c
>> index d48cf76983c0..af48758592f9 100644
>> --- a/drivers/gpu/drm/vc4/vc4_validate_shaders.c
>> +++ b/drivers/gpu/drm/vc4/vc4_validate_shaders.c
>> @@ -291,14 +291,14 @@ static bool require_uniform_address_uniform(struct vc4_validated_shader_info *va
>>       uint32_t o = validated_shader->num_uniform_addr_offsets;
>>       uint32_t num_uniforms = validated_shader->uniforms_size / 4;
> 
> Declare the variable here.

Strange...
It comes already directly after num_uniforms, doesn't it?
At least when I apply my patch to Linus' master.

Re: [PATCH] drm/vc4: fix krealloc() memory leak

[Maíra Canal]

Hi Alexander,

On 28/05/26 15:54, Alexander A. Klimov wrote:
> 
> 
> On 5/28/26 20:17, Maíra Canal wrote:
>> Hi Alexander,
>>
>> LGTM, but a small styling nit:
>>
>> On 26/05/26 15:41, Alexander A. Klimov wrote:
>>> Don't just overwrite the original pointer passed to krealloc()
>>> with its return value without checking latter:
>>>
>>>      MEM = krealloc(MEM, SZ, GFP);
>>>
>>> If krealloc() returns NULL, that erases the pointer
>>> to the still allocated memory, hence leaks this memory.
>>> Instead, use a temporary variable, check it's not NULL
>>> and only then assign it to the original pointer:
>>>
>>>      TMP = krealloc(MEM, SZ, GFP);
>>>      if (!TMP) return;
>>>      MEM = TMP;
>>>
>>> Fixes: 6d45c81d229d ("drm/vc4: Add support for branching in shader 
>>> validation.")
>>> Signed-off-by: Alexander A. Klimov <grandmaster@al2klimov.de>
>>> ---
>>>   drivers/gpu/drm/vc4/vc4_validate_shaders.c | 12 ++++++------
>>>   1 file changed, 6 insertions(+), 6 deletions(-)
>>>
>>> diff --git a/drivers/gpu/drm/vc4/vc4_validate_shaders.c b/drivers/ 
>>> gpu/drm/vc4/vc4_validate_shaders.c
>>> index d48cf76983c0..af48758592f9 100644
>>> --- a/drivers/gpu/drm/vc4/vc4_validate_shaders.c
>>> +++ b/drivers/gpu/drm/vc4/vc4_validate_shaders.c
>>> @@ -291,14 +291,14 @@ static bool 
>>> require_uniform_address_uniform(struct vc4_validated_shader_info *va
>>>       uint32_t o = validated_shader->num_uniform_addr_offsets;
>>>       uint32_t num_uniforms = validated_shader->uniforms_size / 4;
>>
>> Declare the variable here.
> 
> Strange...
> It comes already directly after num_uniforms, doesn't it?

Yeah, it does. However, usually, we declare the variables and then we
proceed to the functions. Check, for example, the function
record_texture_sample() in vc4.

Best regards,
- Maíra

> At least when I apply my patch to Linus' master.

[PATCH v2] drm/vc4: fix krealloc() memory leak

[Alexander A. Klimov]

Don't just overwrite the original pointer passed to krealloc()
with its return value without checking latter:

    MEM = krealloc(MEM, SZ, GFP);

If krealloc() returns NULL, that erases the pointer
to the still allocated memory, hence leaks this memory.
Instead, use a temporary variable, check it's not NULL
and only then assign it to the original pointer:

    TMP = krealloc(MEM, SZ, GFP);
    if (!TMP) return;
    MEM = TMP;

Fixes: 6d45c81d229d ("drm/vc4: Add support for branching in shader validation.")
Signed-off-by: Alexander A. Klimov <grandmaster@al2klimov.de>
---
 v2: Declare the variable explicitly
 v2: Instead of void *, use u32 *
 v2: While on it, enhance variable name

 [✓] scripts/checkpatch.pl --strict
 [✓] allmodconfig compiled (i686, LLVM)
 [✓] localyesconfig booted (IBM T43)

 Note to myself: use --in-reply-to=2b602ec6-d563-4fa0-a0c5-89b97a46abf9@igalia.com

 drivers/gpu/drm/vc4/vc4_validate_shaders.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/drivers/gpu/drm/vc4/vc4_validate_shaders.c b/drivers/gpu/drm/vc4/vc4_validate_shaders.c
index d48cf76983c0..6f52b4db9cc9 100644
--- a/drivers/gpu/drm/vc4/vc4_validate_shaders.c
+++ b/drivers/gpu/drm/vc4/vc4_validate_shaders.c
@@ -290,15 +290,16 @@ static bool require_uniform_address_uniform(struct vc4_validated_shader_info *va
 {
 	uint32_t o = validated_shader->num_uniform_addr_offsets;
 	uint32_t num_uniforms = validated_shader->uniforms_size / 4;
+	u32 *offsets;
 
-	validated_shader->uniform_addr_offsets =
-		krealloc(validated_shader->uniform_addr_offsets,
-			 (o + 1) *
-			 sizeof(*validated_shader->uniform_addr_offsets),
-			 GFP_KERNEL);
-	if (!validated_shader->uniform_addr_offsets)
+	offsets = krealloc(validated_shader->uniform_addr_offsets,
+			   (o + 1) *
+			   sizeof(*validated_shader->uniform_addr_offsets),
+			   GFP_KERNEL);
+	if (!offsets)
 		return false;
 
+	validated_shader->uniform_addr_offsets = offsets;
 	validated_shader->uniform_addr_offsets[o] = num_uniforms;
 	validated_shader->num_uniform_addr_offsets++;
 
-- 
2.54.0

Re: [PATCH v2] drm/vc4: fix krealloc() memory leak

[Joe Perches]

On Sun, 2026-05-31 at 21:55 +0200, Alexander A. Klimov wrote:
> Don't just overwrite the original pointer passed to krealloc()
> with its return value without checking latter:
[]
> diff --git a/drivers/gpu/drm/vc4/vc4_validate_shaders.c b/drivers/gpu/drm/vc4/vc4_validate_shaders.c
[]
> @@ -290,15 +290,16 @@ static bool require_uniform_address_uniform(struct vc4_validated_shader_info *va
>  {
>  	uint32_t o = validated_shader->num_uniform_addr_offsets;
>  	uint32_t num_uniforms = validated_shader->uniforms_size / 4;
> +	u32 *offsets;
>  
> -	validated_shader->uniform_addr_offsets =
> -		krealloc(validated_shader->uniform_addr_offsets,
> -			 (o + 1) *
> -			 sizeof(*validated_shader->uniform_addr_offsets),
> -			 GFP_KERNEL);
> -	if (!validated_shader->uniform_addr_offsets)
> +	offsets = krealloc(validated_shader->uniform_addr_offsets,
> +			   (o + 1) *
> +			   sizeof(*validated_shader->uniform_addr_offsets),
> +			   GFP_KERNEL);

krealloc_array ?

> +	if (!offsets)
>  		return false;
>  
> +	validated_shader->uniform_addr_offsets = offsets;
>  	validated_shader->uniform_addr_offsets[o] = num_uniforms;
>  	validated_shader->num_uniform_addr_offsets++;