Thank you for your contribution! Sashiko AI review found 1 potential issue(s) 
to consider:

Pre-existing issues:
- [High] Resource leak (BO references and map objects) in pin_job error paths.
--

commit 385c1315fdf5345a4727ff1380f8b72577ca3566
Author: WenTao Liang <[email protected]>

    drm/tegra: fix host1x_bo_pin leak in tegra_dc_pin error path
    
    When map->chunks > 1 triggers an error, the function jumps to unpin
    before storing the current map in state->map[i]. The unpin loop only
    cleans up previously pinned planes (indices 0 through i-1), so the
    current mapping returned by host1x_bo_pin is never released via
    host1x_bo_unpin.
    
    Suggested-by: Greg KH <[email protected]>
    Fixes: c6aeaf56f468 ("drm/tegra: Implement correct DMA-BUF semantics")
    Cc: [email protected]

> diff --git a/drivers/gpu/drm/tegra/plane.c b/drivers/gpu/drm/tegra/plane.c
> index ffe5f06b770dc..e0b146a0926e7 100644
> --- a/drivers/gpu/drm/tegra/plane.c
> +++ b/drivers/gpu/drm/tegra/plane.c
> @@ -161,6 +161,7 @@ static int tegra_dc_pin(struct tegra_dc *dc, struct 
> tegra_plane_state *state)
>                        */
>                       if (map->chunks > 1) {
>                               err = -EINVAL;
> +                             host1x_bo_unpin(map);
>                               goto unpin;
>                       }
>  
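
Review bot: the added host1x_bo_unpin(map) in the map->chunks > 1 branch has no comment explaining why this one mapping is released inline rather than at the unpin label. Per the commit message, the label only walks indices 0 through i-1 and the current map has not yet been stored in state->map[i]. A one-line comment on the added call saying so would keep a later cleanup from dropping it as a redundant unpin or adding a second one. It is also worth confirming in the full function that no other exit between host1x_bo_pin() and the state->map[i] store reaches unpin with the map still held, since only this branch is visible in the hunk.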

[Severity: High]
This is a pre-existing issue, but the exact same resource leak pattern exists
in drivers/gpu/host1x/job.c:pin_job().

If host1x_bo_pin() fails, or if map->chunks > 1, the function jumps to the
unpin label:

drivers/gpu/host1x/job.c:pin_job() {
    ...
                reloc->target.bo = host1x_bo_get(reloc->target.bo);
                ...
                bo = reloc->target.bo;
                ...
                map = host1x_bo_pin(dev, bo, direction, NULL);
                if (IS_ERR(map)) {
                        err = PTR_ERR(map);
                        goto unpin;
                }

                /* ... */
                if (map->chunks > 1) {
                        err = -EINVAL;
                        goto unpin;
                }
    ...
}

Because the acquired bo and map have not yet been added to the job->unpins
array, host1x_job_unpin() will not clean them up. This leaks the bo reference
if host1x_bo_pin() fails, and leaks both the bo reference and the map if
map->chunks > 1.

Similarly, later in the same function during gather BO processing, if the IOVA
allocation fails:

drivers/gpu/host1x/job.c:pin_job() {
    ...
                        alloc = alloc_iova(&host->iova, gather_size >> shift,
                                           host->iova_end >> shift, true);
                        if (!alloc) {
                                err = -ENOMEM;
                                goto put;
                        }
    ...
}

Jumping to put releases g->bo, but leaks the already created map because it
was not added to job->unpins.

Could similar cleanup logic be added to the error paths in pin_job() to
prevent these memory leaks?

-- 
Sashiko AI review · 
https://sashiko.dev/#/patchset/[email protected]?part=1
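
The leak pattern discussed in this review, reduced to a stand-alone C model. This is an added example, not code from the patch or from the kernel tree; toy_map, toy_pin, toy_unpin, toy_pin_all and leaked_after_failure are hypothetical names, and the three-plane input is constructed.

```c
#include <errno.h>
#include <stddef.h>

/* Toy stand-ins (assumed names, not the kernel API); live_maps counts mappings held. */
static int live_maps;
struct toy_map { int chunks; };
static struct toy_map *toy_pin(struct toy_map *m) { live_maps++; return m; }
static void toy_unpin(struct toy_map *m) { (void)m; live_maps--; }

/* Pin n planes; release_current selects the fixed error path. */
static int toy_pin_all(struct toy_map *src, struct toy_map **stored,
                       size_t n, int release_current)
{
    size_t i;
    int err = 0;

    for (i = 0; i < n; i++) {
        struct toy_map *map = toy_pin(&src[i]);

        if (map->chunks > 1) {
            err = -EINVAL;
            if (release_current)
                toy_unpin(map); /* pinned but not yet stored */
            goto unpin;
        }
        stored[i] = map;
    }
    return 0;

unpin:
    /* Only indices 0..i-1 were stored, so only those are released here. */
    while (i--)
        toy_unpin(stored[i]);
    return err;
}

/* Mappings still held after a failing run over constructed input. */
static int leaked_after_failure(int release_current)
{
    struct toy_map src[3] = { {1}, {1}, {2} }; /* third plane is rejected */
    struct toy_map *stored[3] = { NULL, NULL, NULL };

    live_maps = 0;
    toy_pin_all(src, stored, 3, release_current);
    return live_maps;
}

int main(void) { return leaked_after_failure(1); } /* exits 0: nothing leaked */
```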
