From: Junrui Luo <moonafterrain@outlook.com>
To: Alex Deucher <alexander.deucher@amd.com>,
Christian König <christian.koenig@amd.com>,
David Airlie <airlied@gmail.com>, Simona Vetter <simona@ffwll.ch>,
"Jesse.Zhang" <Jesse.Zhang@amd.com>
Cc: amd-gfx@lists.freedesktop.org, dri-devel@lists.freedesktop.org,
linux-kernel@vger.kernel.org,
Junrui Luo <moonafterrain@outlook.com>,
Yuhao Jiang <danisjiang@gmail.com>,
stable@vger.kernel.org
Subject: [PATCH 0/2] drm/amdgpu: fix error handling bugs in amdgpu_userq_create()
Date: Sat, 11 Apr 2026 17:24:48 +0800 [thread overview]
Message-ID: <SYBPR01MB7881A5714C08FAF6A974EDA1AF262@SYBPR01MB7881.ausprd01.prod.outlook.com> (raw)
Commit f18719ef4bb7 ("drm/amdgpu: Convert amdgpu userqueue management
from IDR to XArray") introduced a global XArray userq_doorbell_xa for
device-wide queue tracking, but the error paths in amdgpu_userq_create()
were not fully updated to clean up entries from it.
- Patch 1 fixes a use-after-free: when xa_alloc() or
amdgpu_userq_map_helper() fails, the queue is freed but its pointer
remains in userq_doorbell_xa. Any subsequent xa_for_each() iteration
(suspend, resume, GPU reset) dereferences the freed pointer.
- Patch 2 fixes a resource leak: when xa_store_irq() fails, the error
path calls kfree() without first releasing resources from the preceding
successful mqd_create() and fence_driver_alloc().
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
---
Junrui Luo (2):
drm/amdgpu: fix use-after-free in amdgpu_userq_create() error paths
drm/amdgpu: fix resource leak in amdgpu_userq_create() xa_store_irq error path
drivers/gpu/drm/amd/amdgpu/amdgpu_userq.c | 4 ++++
1 file changed, 4 insertions(+)
---
base-commit: 7aaa8047eafd0bd628065b15757d9b48c5f9c07d
change-id: 20260411-fixes-30893f27c5aa
Best regards,
--
Junrui Luo <moonafterrain@outlook.com>
next reply other threads:[~2026-04-11 9:26 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-11 9:24 Junrui Luo [this message]
2026-04-11 23:10 ` Claude review: drm/amdgpu: fix error handling bugs in amdgpu_userq_create() Claude Code Review Bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=SYBPR01MB7881A5714C08FAF6A974EDA1AF262@SYBPR01MB7881.ausprd01.prod.outlook.com \
--to=moonafterrain@outlook.com \
--cc=Jesse.Zhang@amd.com \
--cc=airlied@gmail.com \
--cc=alexander.deucher@amd.com \
--cc=amd-gfx@lists.freedesktop.org \
--cc=christian.koenig@amd.com \
--cc=danisjiang@gmail.com \
--cc=dri-devel@lists.freedesktop.org \
--cc=linux-kernel@vger.kernel.org \
--cc=simona@ffwll.ch \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox