Commit ced5c30e authored by Junrui Luo's avatar Junrui Luo Committed by Alex Deucher
Browse files

drm/amdgpu/userq: fix memory leak in MQD creation error paths 



In mes_userq_mqd_create(), the memdup_user() allocations for
IP-specific MQD structs are not freed when subsequent VA validation
fails. The goto free_mqd label only cleans up the MQD BO object and
userq_props.

Fix by adding kfree() before each goto free_mqd on VA validation
failure in the COMPUTE, GFX, and SDMA branches.

Fixes: 9e46b8bb ("drm/amdgpu: validate userq buffer virtual address and size")
Reported-by: default avatarYuhao Jiang <danisjiang@gmail.com>
Signed-off-by: default avatarJunrui Luo <moonafterrain@outlook.com>
Reviewed-by: default avatarPrike Liang <Prike.Liang@amd.com>
Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 27f5ff9e)
Cc: stable@vger.kernel.org
parent 6caeace0

drivers/gpu/drm/amd/amdgpu/mes_userqueue.c

+12 −4
Original line number Diff line number Diff line
@@ -324,8 +324,10 @@ static int mes_userq_mqd_create(struct amdgpu_usermode_queue *queue, 


		r = amdgpu_userq_input_va_validate(adev, queue, compute_mqd->eop_va,

						   2048);

		if (r)

		if (r) {

			kfree(compute_mqd);

			goto free_mqd;

		}



		userq_props->eop_gpu_addr = compute_mqd->eop_va;

		userq_props->hqd_pipe_priority = AMDGPU_GFX_PIPE_PRIO_NORMAL;
@@ -365,12 +367,16 @@ static int mes_userq_mqd_create(struct amdgpu_usermode_queue *queue, 


		r = amdgpu_userq_input_va_validate(adev, queue, mqd_gfx_v11->shadow_va,

						   shadow_info.shadow_size);

		if (r)

		if (r) {

			kfree(mqd_gfx_v11);

			goto free_mqd;

		}

		r = amdgpu_userq_input_va_validate(adev, queue, mqd_gfx_v11->csa_va,

						   shadow_info.csa_size);

		if (r)

		if (r) {

			kfree(mqd_gfx_v11);

			goto free_mqd;

		}



		kfree(mqd_gfx_v11);

	} else if (queue->queue_type == AMDGPU_HW_IP_DMA) {
@@ -390,8 +396,10 @@ static int mes_userq_mqd_create(struct amdgpu_usermode_queue *queue, 
		}

		r = amdgpu_userq_input_va_validate(adev, queue, mqd_sdma_v11->csa_va,

						   32);

		if (r)

		if (r) {

			kfree(mqd_sdma_v11);

			goto free_mqd;

		}



		userq_props->csa_addr = mqd_sdma_v11->csa_va;

		kfree(mqd_sdma_v11);