From: sashiko-bot@kernel.org
To: "Brajesh Gupta" <brajesh.gupta@imgtec.com>
Cc: dri-devel@lists.freedesktop.org
Subject: Re: [PATCH] drm/imagination: Fix double call to drm_sched_entity_fini()
Date: Wed, 10 Jun 2026 12:55:19 +0000
Message-ID: <20260610125520.AC27B1F00893@smtp.kernel.org>
In-Reply-To: <20260610-b4-sched_fix-v1-1-c5977a6e0b4c@imgtec.com>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] Removing `drm_sched_entity_fini()` from `pvr_queue_destroy()` introduces a memory leak of the DRM scheduler entity's `stats` object on context creation error paths.
--

commit 0d8d2bad82070bd09e00e51ef99c2958cc08953b
Author: Brajesh Gupta <brajesh.gupta@imgtec.com>

drm/imagination: Fix double call to drm_sched_entity_fini()

This commit addresses a double-free issue during normal context destruction
by removing the call to drm_sched_entity_fini() from pvr_queue_destroy().
It relies on pvr_queue_kill() to finalize the scheduling entity instead.

Fixes: eaf01ee5ba28 ("drm/imagination: Implement job submission and scheduling")
References: fd177135f0e6 ("drm/sched: Account entity GPU time")

> diff --git a/drivers/gpu/drm/imagination/pvr_queue.c b/drivers/gpu/drm/imagination/pvr_queue.c
> index 7ed60e1c1a866..c163f8da2106b 100644
> --- a/drivers/gpu/drm/imagination/pvr_queue.c
> +++ b/drivers/gpu/drm/imagination/pvr_queue.c
> @@ -1453,7 +1453,6 @@ void pvr_queue_destroy(struct pvr_queue *queue)
>  	mutex_unlock(&queue->ctx->pvr_dev->queues.lock);
>  
>  	drm_sched_fini(&queue->scheduler);
> -	drm_sched_entity_fini(&queue->entity);

[Severity: High]
Does removing this call introduce a memory leak on context creation error
paths?

During context creation in pvr_context_create(), if an error occurs after a
queue is successfully created (for instance, if init_fw_objs() fails due to
invalid userspace parameters), the error path skips pvr_context_kill_queues()
and jumps straight to queue destruction:

pvr_context_create()
   ...
   err_destroy_queues:
     pvr_context_destroy_queues()
       pvr_queue_destroy()

Because pvr_queue_kill() is bypassed on these failure paths, and
drm_sched_entity_fini() is no longer called here, it looks like the
dynamically allocated entity->stats structure is leaked.

Could an unprivileged user exploit this by repeatedly calling the
DRM_IOCTL_PVR_CREATE_CONTEXT ioctl with invalid parameters to continuously
trigger the error path, potentially causing an out of memory condition?

>  
>  	if (WARN_ON(queue->last_queued_job_scheduled_fence))
>  		dma_fence_put(queue->last_queued_job_scheduled_fence);
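
Review bot: With `drm_sched_entity_fini(&queue->entity);` dropped right after `drm_sched_fini(&queue->scheduler);`, pvr_queue_destroy() no longer finalizes the entity itself, so it now carries an unstated precondition that pvr_queue_kill() has already run on every path that reaches it. The hunk neither documents nor checks that precondition. Suggest stating the requirement in a comment above the function, or recording whether the entity has already been finalized and finalizing it here only when it has not, so a caller that reaches destroy without kill still cleans up the entity and the normal path does not finalize it twice.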

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260610-b4-sched_fix-v1-1-c5977a6e0b4c@imgtec.com?part=1

Thread overview: 2+ messages
2026-06-10 12:43 [PATCH] drm/imagination: Fix double call to drm_sched_entity_fini() Brajesh Gupta
2026-06-10 12:55 ` sashiko-bot [this message]