Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] Removing `drm_sched_entity_fini()` from `pvr_queue_destroy()` introduces a memory leak of the DRM scheduler entity's `stats` object on context creation error paths.
--
commit 0d8d2bad82070bd09e00e51ef99c2958cc08953b Author: Brajesh Gupta <[email protected]> drm/imagination: Fix double call to drm_sched_entity_fini() This commit addresses a double-free issue during normal context destruction by removing the call to drm_sched_entity_fini() from pvr_queue_destroy(). It relies on pvr_queue_kill() to finalize the scheduling entity instead. Fixes: eaf01ee5ba28 ("drm/imagination: Implement job submission and scheduling") References: fd177135f0e6 ("drm/sched: Account entity GPU time") > diff --git a/drivers/gpu/drm/imagination/pvr_queue.c > b/drivers/gpu/drm/imagination/pvr_queue.c > index 7ed60e1c1a866..c163f8da2106b 100644 > --- a/drivers/gpu/drm/imagination/pvr_queue.c > +++ b/drivers/gpu/drm/imagination/pvr_queue.c 
> @@ -1453,7 +1453,6 @@ void pvr_queue_destroy(struct pvr_queue *queue) > mutex_unlock(&queue->ctx->pvr_dev->queues.lock); > > drm_sched_fini(&queue->scheduler); > - drm_sched_entity_fini(&queue->entity); [Severity: High] Does removing this call introduce a memory leak on context creation error paths? During context creation in pvr_context_create(), if an error occurs after a queue is successfully created (for instance, if init_fw_objs() fails due to invalid userspace parameters), the error path skips pvr_context_kill_queues() and jumps straight to queue destruction: pvr_context_create() ... err_destroy_queues: pvr_context_destroy_queues() pvr_queue_destroy() Because pvr_queue_kill() is bypassed on these failure paths, and drm_sched_entity_fini() is no longer called here, it looks like the dynamically allocated entity->stats structure is leaked. Could an unprivileged user exploit this by repeatedly calling the DRM_IOCTL_PVR_CREATE_CONTEXT ioctl with invalid parameters to continuously trigger the error path, potentially causing an out of memory condition? > > if (WARN_ON(queue->last_queued_job_scheduled_fence)) > dma_fence_put(queue->last_queued_job_scheduled_fence); -- Sashiko AI review · https://sashiko.dev/#/patchset/[email protected]?part=1
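
Review bot: In pvr_queue_destroy(), dropping drm_sched_entity_fini(&queue->entity) leaves the function dependent on pvr_queue_kill() having already run, and nothing at this site records or checks that precondition. The commit message says entity finalization now belongs to pvr_queue_kill(), but the err_destroy_queues path in pvr_context_create() described in the review above reaches pvr_queue_destroy() without it. Suggest either finalizing the entity on that creation-failure path before the queues are destroyed, or tracking whether the entity has already been finalized so that it happens exactly once on both the normal and the error path, and adding a comment next to drm_sched_fini(&queue->scheduler) stating which caller owns the entity teardown.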
