[PATCH] drm/amdgpu/userq: fix memory leak in MQD creation error paths

[Junrui Luo]

In mes_userq_mqd_create(), the memdup_user() allocations for
IP-specific MQD structs are not freed when subsequent VA validation
fails. The goto free_mqd label only cleans up the MQD BO object and
userq_props.

Fix by adding kfree() before each goto free_mqd on VA validation
failure in the COMPUTE, GFX, and SDMA branches.

Fixes: 9e46b8bb0539 ("drm/amdgpu: validate userq buffer virtual address and 
size")
Reported-by: Yuhao Jiang <danisji...@gmail.com>
Cc: sta...@vger.kernel.org
Signed-off-by: Junrui Luo <moonafterr...@outlook.com>
---
 drivers/gpu/drm/amd/amdgpu/mes_userqueue.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/drivers/gpu/drm/amd/amdgpu/mes_userqueue.c 
b/drivers/gpu/drm/amd/amdgpu/mes_userqueue.c
index 8c74894254f7..faac21ee5739 100644
--- a/drivers/gpu/drm/amd/amdgpu/mes_userqueue.c
+++ b/drivers/gpu/drm/amd/amdgpu/mes_userqueue.c
@@ -324,8 +324,10 @@ static int mes_userq_mqd_create(struct 
amdgpu_usermode_queue *queue,
 
                r = amdgpu_userq_input_va_validate(adev, queue, 
compute_mqd->eop_va,
                                                   2048);
-               if (r)
+               if (r) {
+                       kfree(compute_mqd);
                        goto free_mqd;
+               }
 
                userq_props->eop_gpu_addr = compute_mqd->eop_va;
                userq_props->hqd_pipe_priority = AMDGPU_GFX_PIPE_PRIO_NORMAL;
@@ -365,12 +367,16 @@ static int mes_userq_mqd_create(struct 
amdgpu_usermode_queue *queue,
 
                r = amdgpu_userq_input_va_validate(adev, queue, 
mqd_gfx_v11->shadow_va,
                                                   shadow_info.shadow_size);
-               if (r)
+               if (r) {
+                       kfree(mqd_gfx_v11);
                        goto free_mqd;
+               }
                r = amdgpu_userq_input_va_validate(adev, queue, 
mqd_gfx_v11->csa_va,
                                                   shadow_info.csa_size);
-               if (r)
+               if (r) {
+                       kfree(mqd_gfx_v11);
                        goto free_mqd;
+               }
 
                kfree(mqd_gfx_v11);
        } else if (queue->queue_type == AMDGPU_HW_IP_DMA) {
@@ -390,8 +396,10 @@ static int mes_userq_mqd_create(struct 
amdgpu_usermode_queue *queue,
                }
                r = amdgpu_userq_input_va_validate(adev, queue, 
mqd_sdma_v11->csa_va,
                                                   32);
-               if (r)
+               if (r) {
+                       kfree(mqd_sdma_v11);
                        goto free_mqd;
+               }
 
                userq_props->csa_addr = mqd_sdma_v11->csa_va;
                kfree(mqd_sdma_v11);

---
base-commit: 0257f64bdac7fdca30fa3cae0df8b9ecbec7733a
change-id: 20260314-fixes-f4411ac85e22

Best regards,
-- 
Junrui Luo <moonafterr...@outlook.com>