Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues: - [High] Resource leak (BO references and map objects) in pin_job error paths. -- commit 385c1315fdf5345a4727ff1380f8b72577ca3566 Author: WenTao Liang <[email protected]> drm/tegra: fix host1x_bo_pin leak in tegra_dc_pin error path When map->chunks > 1 triggers an error, the function jumps to unpin before storing the current map in state->map[i]. The unpin loop only cleans up previously pinned planes (indices 0 through i-1), so the current mapping returned by host1x_bo_pin is never released via host1x_bo_unpin. Suggested-by: Greg KH <[email protected]> Fixes: c6aeaf56f468 ("drm/tegra: Implement correct DMA-BUF semantics") Cc: [email protected] > diff --git a/drivers/gpu/drm/tegra/plane.c b/drivers/gpu/drm/tegra/plane.c > index ffe5f06b770dc..e0b146a0926e7 100644 > --- a/drivers/gpu/drm/tegra/plane.c > +++ b/drivers/gpu/drm/tegra/plane.c > @@ -161,6 +161,7 @@ static int tegra_dc_pin(struct tegra_dc *dc, struct > tegra_plane_state *state) > */ > if (map->chunks > 1) { > err = -EINVAL; > + host1x_bo_unpin(map); > goto unpin; > } > [Severity: High] This is a pre-existing issue, but the exact same resource leak pattern exists in drivers/gpu/host1x/job.c:pin_job(). If host1x_bo_pin() fails, or if map->chunks > 1, the function jumps to the unpin label: drivers/gpu/host1x/job.c:pin_job() { ... reloc->target.bo = host1x_bo_get(reloc->target.bo); ... bo = reloc->target.bo; ... map = host1x_bo_pin(dev, bo, direction, NULL); if (IS_ERR(map)) { err = PTR_ERR(map); goto unpin; } /* ... */ if (map->chunks > 1) { err = -EINVAL; goto unpin; } ... } Because the acquired bo and map have not yet been added to the job->unpins array, host1x_job_unpin() will not clean them up. This leaks the bo reference if host1x_bo_pin() fails, and leaks both the bo reference and the map if map->chunks > 1. Similarly, later in the same function during gather BO processing, if the IOVA allocation fails: drivers/gpu/host1x/job.c:pin_job() { ... alloc = alloc_iova(&host->iova, gather_size >> shift, host->iova_end >> shift, true); if (!alloc) { err = -ENOMEM; goto put; } ... } Jumping to put releases g->bo, but leaks the already created map because it was not added to job->unpins. Could similar cleanup logic be added to the error paths in pin_job() to prevent these memory leaks? -- Sashiko AI review ยท https://sashiko.dev/#/patchset/[email protected]?part=1
