[Public] Thanks for the fix. We could further refine this by wrapping a unified helper for fetching and validating the userq MQD raw data.
Reviewed-by: Prike Liang <[email protected]>

Regards,
Prike

> -----Original Message-----
> From: Junrui Luo <[email protected]>
> Sent: Saturday, March 14, 2026 11:34 PM
> To: Deucher, Alexander <[email protected]>; Koenig, Christian <[email protected]>; David Airlie <[email protected]>; Simona Vetter <[email protected]>; Liang, Prike <[email protected]>
> Cc: [email protected]; [email protected]; linux-[email protected]; Yuhao Jiang <[email protected]>; [email protected]; Junrui Luo <[email protected]>
> Subject: [PATCH] drm/amdgpu/userq: fix memory leak in MQD creation error paths
>
> In mes_userq_mqd_create(), the memdup_user() allocations for IP-specific MQD
> structs are not freed when subsequent VA validation fails. The goto free_mqd
> label only cleans up the MQD BO object and userq_props.
>
> Fix by adding kfree() before each goto free_mqd on VA validation failure in
> the COMPUTE, GFX, and SDMA branches.
>
> Fixes: 9e46b8bb0539 ("drm/amdgpu: validate userq buffer virtual address and size")
> Reported-by: Yuhao Jiang <[email protected]>
> Cc: [email protected]
> Signed-off-by: Junrui Luo <[email protected]>
> ---
> drivers/gpu/drm/amd/amdgpu/mes_userqueue.c | 16 ++++++++++++----
> 1 file changed, 12 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/gpu/drm/amd/amdgpu/mes_userqueue.c > b/drivers/gpu/drm/amd/amdgpu/mes_userqueue.c > index 8c74894254f7..faac21ee5739 100644 > --- a/drivers/gpu/drm/amd/amdgpu/mes_userqueue.c > +++ b/drivers/gpu/drm/amd/amdgpu/mes_userqueue.c 
> @@ -324,8 +324,10 @@ static int mes_userq_mqd_create(struct > amdgpu_usermode_queue *queue, > > r = amdgpu_userq_input_va_validate(adev, queue, compute_mqd- > >eop_va, > 2048); > - if (r) > + if (r) { > + kfree(compute_mqd); > goto free_mqd; > + } > > userq_props->eop_gpu_addr = compute_mqd->eop_va; > userq_props->hqd_pipe_priority = > AMDGPU_GFX_PIPE_PRIO_NORMAL; @@ -365,12 +367,16 @@ static int > mes_userq_mqd_create(struct amdgpu_usermode_queue *queue, > > r = amdgpu_userq_input_va_validate(adev, queue, mqd_gfx_v11- > >shadow_va, > shadow_info.shadow_size); > - if (r) > + if (r) { > + kfree(mqd_gfx_v11); > goto free_mqd; > + } > r = amdgpu_userq_input_va_validate(adev, queue, > mqd_gfx_v11->csa_va, > shadow_info.csa_size); > - if (r) > + if (r) { > + kfree(mqd_gfx_v11); > goto free_mqd; > + } > > kfree(mqd_gfx_v11); > } else if (queue->queue_type == AMDGPU_HW_IP_DMA) { @@ -390,8 > +396,10 @@ static int mes_userq_mqd_create(struct amdgpu_usermode_queue > *queue, > } > r = amdgpu_userq_input_va_validate(adev, queue, mqd_sdma_v11- > >csa_va, > 32); > - if (r) > + if (r) { > + kfree(mqd_sdma_v11); > goto free_mqd; > + } > > userq_props->csa_addr = mqd_sdma_v11->csa_va; > kfree(mqd_sdma_v11); > > --- > base-commit: 0257f64bdac7fdca30fa3cae0df8b9ecbec7733a > change-id: 20260314-fixes-f4411ac85e22 > > Best regards, > -- > Junrui Luo <[email protected]>
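Review bot: In the COMPUTE hunk (and again in the SDMA hunk), the added `kfree(compute_mqd)` before `goto free_mqd` leaves the memdup_user() copy owned by each individual exit, so any validation added later in these branches can reintroduce the same leak. Consider holding the copy in a single function-scope pointer initialised to NULL and freeing it at `free_mqd` (kfree(NULL) is a no-op), or declaring it with `__free(kfree)`, so that no error exit needs its own free. That would also fit the unified fetch-and-validate helper suggested in the reply.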
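Review bot: In the GFX hunk, `kfree(mqd_gfx_v11)` now appears three times within a few lines: once in each failed `amdgpu_userq_input_va_validate()` branch for `shadow_va` and `csa_va`, and once more on the success path immediately after. Nothing in the visible lines reads `mqd_gfx_v11` after the `csa_va` check, so the second validation could run only when the first succeeded (`if (!r) r = ...`), followed by a single `kfree(mqd_gfx_v11)` and then `if (r) goto free_mqd;`. That keeps one free per allocation and removes the duplicated braces.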
