From: Claude Code Review Bot <claude-review@example.com>
To: dri-devel-reviews@example.com
Subject: Claude review: drm/v3d: Fix use-after-free of CPU job query arrays on error path
Date: Sat, 16 May 2026 08:58:37 +1000 [thread overview]
Message-ID: <review-patch1-20260515-v3d-cpu-job-leaks-v1-1-7f147cbbf935@igalia.com> (raw)
In-Reply-To: <20260515-v3d-cpu-job-leaks-v1-1-7f147cbbf935@igalia.com>
Patch Review
**Analysis of the bug:** The old code had `v3d_cpu_job_free()` as a `drm_sched_backend_ops.free_job` callback in `v3d_sched.c`, which called `v3d_job_cleanup()` at the end. On the ioctl error path (`fail:` label in `v3d_submit_cpu_ioctl`), `v3d_job_cleanup()` was called first (which does `kref_put → kfree`), then the code tried to access `cpu_job->timestamp_query.queries` and `cpu_job->performance_query.queries` — a clear use-after-free. This analysis is correct.
**Fix approach:** The patch moves the cleanup logic from the scheduler's `.free_job` callback into a kref destructor (`v3d_cpu_job_free(struct kref *ref)` in `v3d_submit.c`), registered via `v3d_job_init()`. The scheduler now uses the generic `v3d_sched_job_free`, which calls `v3d_job_cleanup() → v3d_job_put() → kref_put(..., job->free)`, ultimately dispatching to the new `v3d_cpu_job_free`. This mirrors exactly how `v3d_render_job_free` works:
```c
static void
v3d_render_job_free(struct kref *ref)
{
struct v3d_render_job *job = container_of(ref, struct v3d_render_job,
base.refcount);
...
v3d_job_free(ref);
}
```
The new function follows the same pattern:
```c
static void
v3d_cpu_job_free(struct kref *ref)
{
struct v3d_cpu_job *job = container_of(ref, struct v3d_cpu_job,
base.refcount);
v3d_timestamp_query_info_free(&job->timestamp_query,
job->timestamp_query.count);
v3d_performance_query_info_free(&job->performance_query,
job->performance_query.count);
v3d_job_free(ref);
}
```
This is correct. The `v3d_timestamp_query_info_free` and `v3d_performance_query_info_free` functions both check for `query_info->queries` being non-NULL before iterating, so they're safe to call when no queries were set up (e.g., early error paths or CPU job types that don't use queries).
The removal of the manual `kvfree()` calls from the `fail:` label is safe because `v3d_job_cleanup()` will now trigger the full teardown via kref.
The `v3d_job_init()` call is correctly updated to pass `v3d_cpu_job_free` instead of `v3d_job_free`:
```c
ret = v3d_job_init(v3d, file_priv, &cpu_job->base,
v3d_cpu_job_free, 0, &se, V3D_CPU);
```
**No issues found.** This is a solid fix.
---
Generated by Claude Code Patch Reviewer
next prev parent reply other threads:[~2026-05-15 22:58 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-15 15:07 [PATCH 0/2] drm/v3d: Fix CPU job teardown bugs Maíra Canal
2026-05-15 15:07 ` [PATCH 1/2] drm/v3d: Fix use-after-free of CPU job query arrays on error path Maíra Canal
2026-05-15 22:58 ` Claude Code Review Bot [this message]
2026-05-15 15:07 ` [PATCH 2/2] drm/v3d: Release indirect CSD GEM reference on CPU job free Maíra Canal
2026-05-15 22:58 ` Claude review: " Claude Code Review Bot
2026-05-15 22:58 ` Claude review: drm/v3d: Fix CPU job teardown bugs Claude Code Review Bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=review-patch1-20260515-v3d-cpu-job-leaks-v1-1-7f147cbbf935@igalia.com \
--to=claude-review@example.com \
--cc=dri-devel-reviews@example.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox