This series addresses two independent teardown bugs in V3D's CPU job submission path:
- PATCH 1: A use-after-free on the ioctl's fail label, where the timestamp and performance query arrays are freed through cpu_job after v3d_job_cleanup() has already released the job. It consolidates the CPU job teardown into the job's kref destructor so a single code path covers both the scheduler .free_job and ioctl error paths.

- PATCH 2: A GEM reference leak on indirect CSD jobs: the extra reference taken by v3d_get_cpu_indirect_csd_params() is never released. It adds the missing drop in v3d_cpu_job_free().

Claude was the one that identified these teardown bugs, although the fixes were written by myself. Therefore, an Assisted-by tag was added to the patches in conformance with the AI Coding Assistants [0] policy.

[0] https://docs.kernel.org/process/coding-assistants.html

Best regards,
- Maíra

---
Maíra Canal (2):
      drm/v3d: Fix use-after-free of CPU job query arrays on error path
      drm/v3d: Release indirect CSD GEM reference on CPU job free

 drivers/gpu/drm/v3d/v3d_sched.c  | 16 +---------------
 drivers/gpu/drm/v3d/v3d_submit.c | 22 +++++++++++++++++++---
 2 files changed, 20 insertions(+), 18 deletions(-)
---
base-commit: 0a9c56dd387605d17dabeedd9fdd2c4c1d0bab7b
change-id: 20260515-v3d-cpu-job-leaks-06c60f2af206
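
The ownership pattern the two patches describe, as an added userspace C model that is not the V3D driver's code: a refcount destructor is the only place that frees the job-owned array and drops the extra buffer reference, so the error path and the scheduler path share one teardown. Every name below (cpu_job_put, submit, struct buffer, the counters) is hypothetical, and a plain int stands in for the kernel's struct kref.

```c
#include <stdlib.h>

/* Userspace model; all names are hypothetical, none are V3D symbols. */
static int array_frees;   /* times a job's query array was released */
static int buffer_drops;  /* times the extra buffer reference was dropped */

struct buffer { int refcount; };
struct cpu_job {
    int refcount;             /* stands in for struct kref */
    int *queries;             /* array owned by the job */
    struct buffer *indirect;  /* extra reference held by the job, may be NULL */
};

/* Destructor: the single code path that releases job-owned resources. */
static void cpu_job_free(struct cpu_job *job)
{
    free(job->queries);
    array_frees++;
    if (job->indirect) {      /* the drop whose absence would leak the buffer */
        job->indirect->refcount--;
        buffer_drops++;
    }
    free(job);
}

static void cpu_job_put(struct cpu_job *job)
{
    if (--job->refcount == 0)
        cpu_job_free(job);
}

/* fail != 0 models the submission error label; 0 models a scheduled job. */
static int submit(struct buffer *indirect, int fail)
{
    struct cpu_job *job = calloc(1, sizeof(*job));
    if (!job)
        return -1;
    job->refcount = 1;
    job->queries = calloc(4, sizeof(*job->queries));
    if (indirect) { indirect->refcount++; job->indirect = indirect; }
    if (!fail) {
        job->refcount++;      /* reference handed to the scheduler */
        cpu_job_put(job);     /* scheduler's free callback drops it later */
    }
    cpu_job_put(job);         /* submitter drops its reference and never */
    return 0;                 /* dereferences job after this point */
}

int main(void) { struct buffer b = { 1 }; return submit(&b, 1); }
```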
