* [PATCH] accel/habanalabs: fix refcount leak in hl_direct_io()
@ 2026-06-03 9:10 Wentao Liang
2026-06-04 1:49 ` Claude review: " Claude Code Review Bot
2026-06-04 1:49 ` Claude Code Review Bot
0 siblings, 2 replies; 3+ messages in thread
From: Wentao Liang @ 2026-06-03 9:10 UTC
To: koby.elbaz, konstantin.sinyuk, ogabbay
Cc: dri-devel, linux-kernel, kees, farah.kassabri, Wentao Liang,
stable
When hl_dio_get_iopath() succeeds, it calls hl_ctx_get() to acquire a
reference on the context. If the subsequent vzalloc() fails, the
function returns -ENOMEM without calling hl_dio_put_iopath(), leaking
the reference.
Fix this by jumping to the cleanup label on error, which will call
hl_dio_put_iopath() and safely handle the NULL io->bv.
Cc: stable@vger.kernel.org
Fixes: 8cbacc9a2703 ("accel/habanalabs: add NVMe Direct I/O (HLDIO) infrastructure")
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
---
drivers/accel/habanalabs/common/hldio.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/accel/habanalabs/common/hldio.c b/drivers/accel/habanalabs/common/hldio.c
index c33c817a962a..d7dfa259bede 100644
--- a/drivers/accel/habanalabs/common/hldio.c
+++ b/drivers/accel/habanalabs/common/hldio.c
@@ -248,8 +248,10 @@ static ssize_t hl_direct_io(struct hl_device *hdev, struct hl_direct_io *io)
* closest one.
*/
io->bv = vzalloc(npages * sizeof(struct bio_vec));
- if (!io->bv)
+ if (!io->bv) {
+ hl_dio_put_iopath(io->f.ctx);
return -ENOMEM;
+ }
for (i = 0, device_va = io->device_va; i < npages ; ++i, device_va += PAGE_SIZE) {
io->bv[i].bv_page = hl_dio_va2page(hdev, io->f.ctx, device_va);
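Review bot: the changed `if (!io->bv)` branch does not match the commit message, which says the fix jumps to the cleanup label and relies on it handling a NULL `io->bv`; the code instead calls `hl_dio_put_iopath(io->f.ctx);` inline and returns `-ENOMEM` directly. Either reword the commit message to describe the inline put, or have the branch set the error code and `goto` that label, so that the description and the code agree for anyone reading the stable backport.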
--
2.34.1
* Claude review: accel/habanalabs: fix refcount leak in hl_direct_io()
From: Claude Code Review Bot @ 2026-06-04 1:49 UTC
To: dri-devel-reviews
Overall Series Review
Subject: accel/habanalabs: fix refcount leak in hl_direct_io()
Author: Wentao Liang <vulab@iscas.ac.cn>
Patches: 1
Reviewed: 2026-06-04T11:49:49.715054
---
This is a single-patch series that fixes a refcount leak in the `hl_direct_io()` function in the habanalabs NVMe Direct I/O path. The fix is **correct and appropriate**.
When `hl_dio_get_iopath()` succeeds (line 235), it acquires two resources: it increments a per-CPU inflight I/O counter and takes a reference on the context via `hl_ctx_get()` (see `hl_dio_get_iopath()` at line 162). The corresponding cleanup function `hl_dio_put_iopath()` (line 170-176) releases both: it calls `hl_ctx_put()` and decrements the per-CPU counter.
Before this patch, if the `vzalloc()` at line 250 failed, the function returned `-ENOMEM` directly without calling `hl_dio_put_iopath()`, leaking both the context reference and the inflight I/O count. The existing `cleanup` label at line 274 already calls both `vfree(io->bv)` and `hl_dio_put_iopath(io->f.ctx)`, and `vfree(NULL)` is safe, so jumping there would have been an alternative — but the inline fix is equally correct and arguably clearer since it matches the early-return style already in use at this point in the function.
The series is minimal, well-targeted, and appropriate for stable backport.
---
Generated by Claude Code Patch Reviewer
* Claude review: accel/habanalabs: fix refcount leak in hl_direct_io()
From: Claude Code Review Bot @ 2026-06-04 1:49 UTC
To: dri-devel-reviews
Patch Review
**Verdict: Correct fix, good for merge.**
The bug analysis in the commit message is accurate:
1. `hl_dio_get_iopath()` (line 149-168) calls `hl_ctx_get(ctx)` at line 162 and increments `inflight_ios` at line 154 on success.
2. `hl_dio_put_iopath()` (line 170-176) is the matching cleanup — it calls `hl_ctx_put(ctx)` and decrements `inflight_ios`.
3. Without this fix, the `vzalloc()` failure path returned directly:
```c
if (!io->bv)
return -ENOMEM;
```
This leaked the context reference and inflight I/O count.
4. The fix correctly adds the cleanup call before the early return:
```c
if (!io->bv) {
hl_dio_put_iopath(io->f.ctx);
return -ENOMEM;
}
```
**Minor note on style:** The commit message says "Fix this by jumping to the cleanup label on error" but the actual patch adds an inline `hl_dio_put_iopath()` call rather than a `goto cleanup`. The code is correct either way — the `cleanup` label at line 274 does `vfree(io->bv)` followed by `hl_dio_put_iopath()`, and since `io->bv` is NULL at this point `vfree(NULL)` is a no-op, so a `goto cleanup` would also work. However, the **commit message is misleading** — it describes a `goto cleanup` approach but the implementation uses a direct inline call. The author should fix the commit message to match the implementation.
**Tags:** The `Fixes:` tag and `Cc: stable` are appropriate. The fix is minimal and backport-safe.
---
Generated by Claude Code Patch Reviewer
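The get/put pairing discussed in this thread, as an added user-space example that is not part of the thread or of the habanalabs driver: it models the leaking early return beside a single-exit `goto cleanup` form. All names (`model_ctx`, `model_get_iopath`, `model_alloc`, and so on) are hypothetical, and `calloc`/`free` stand in for `vzalloc`/`vfree`.

```c
#include <errno.h>
#include <stdlib.h>

/* User-space model; every name below is hypothetical, not the driver's. */
struct model_ctx {
    int refcount;     /* stands in for the context reference */
    int inflight_ios; /* stands in for the inflight I/O counter */
};

static void model_get_iopath(struct model_ctx *c) { c->inflight_ios++; c->refcount++; }
static void model_put_iopath(struct model_ctx *c) { c->refcount--; c->inflight_ios--; }

/* Allocation with an injectable failure, standing in for vzalloc(). */
static void *model_alloc(size_t n, int fail) { return fail ? NULL : calloc(n, 1); }

/* 'Before' shape: the early return skips the put, so both counters leak. */
static int direct_io_leaky(struct model_ctx *c, size_t npages, int fail)
{
    void *bv;

    model_get_iopath(c);
    bv = model_alloc(npages * 16, fail);
    if (!bv)
        return -ENOMEM; /* no model_put_iopath(): leak */
    free(bv);
    model_put_iopath(c);
    return 0;
}

/* Single-exit shape: every path after the get reaches the cleanup label. */
static int direct_io_fixed(struct model_ctx *c, size_t npages, int fail)
{
    int rc = 0;
    void *bv;

    model_get_iopath(c);
    bv = model_alloc(npages * 16, fail);
    if (!bv) {
        rc = -ENOMEM;
        goto cleanup;
    }
    /* the I/O itself would run here */
cleanup:
    free(bv); /* free(NULL) is a no-op, as vfree(NULL) is in the kernel */
    model_put_iopath(c);
    return rc;
}
```

Checking that both counters return to their starting values after a forced allocation failure is the kind of assertion a fault-injection test for this path would make.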