From: sashiko-bot@kernel.org
To: "WenTao Liang" <vulab@iscas.ac.cn>
Cc: dri-devel@lists.freedesktop.org
Subject: Re: [PATCH] fix: drm/nouveau: nvkm_chan_new_: multiple error paths return without releasing acquired references
Date: Fri, 26 Jun 2026 14:53:09 +0000 [thread overview]
Message-ID: <20260626145309.E1D021F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260626143953.48952-1-vulab@iscas.ac.cn>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
- [Critical] Silent failure converting error paths to success, leading to immediate NULL pointer dereference.
- [High] Setting `*pchan = NULL` on error bypasses framework destructors, causing severe memory and GPU resource leaks.
--
commit 36c8694a5768a3efc7f331411db88cf737b0facf
Author: WenTao Liang <vulab@iscas.ac.cn>
fix: drm/nouveau: nvkm_chan_new_: multiple error paths return without releasing acquired references
This commit aims to fix resource leaks in error paths by routing them through
a single cleanup block.
> diff --git a/drivers/gpu/drm/nouveau/nvkm/engine/fifo/chan.c b/drivers/gpu/drm/nouveau/nvkm/engine/fifo/chan.c
> index 418a8918bcb8f..1bf595bafa9ac 100644
> --- a/drivers/gpu/drm/nouveau/nvkm/engine/fifo/chan.c
> +++ b/drivers/gpu/drm/nouveau/nvkm/engine/fifo/chan.c
> @@ -410,18 +410,18 @@ nvkm_chan_new_(const struct nvkm_chan_func *func, struct nvkm_runl *runl, int ru
> &chan->inst);
> if (ret) {
> RUNL_DEBUG(runl, "inst %d", ret);
> - return ret;
> + goto done;
> }
>
> /* Initialise virtual address-space. */
> if (func->inst->vmm) {
> if (WARN_ON(vmm->mmu != device->mmu))
> - return -EINVAL;
> + goto done;
[Severity: Critical]
Does this leave the local variable ret set to 0 from the earlier successful
nvkm_gpuobj_new() call?
If so, the function returns success while setting *pchan = NULL. When the
caller receives a successful return code, it might proceed to dereference the
channel, leading to a null pointer dereference:
nvkm_uchan_new() {
...
chan = uchan->chan;
if (chan->func->doorbell_handle) {
...
}
Could we set ret = -EINVAL before jumping to the done label?
[ ... ]
> @@ -443,13 +443,13 @@ nvkm_chan_new_(const struct nvkm_chan_func *func, struct nvkm_runl *runl, int ru
> if (ouserd + chan->func->userd->size >=
> nvkm_memory_size(userd)) {
> RUNL_DEBUG(runl, "ouserd %llx", ouserd);
> - return -EINVAL;
> + goto done;
> }
[Severity: Critical]
Is there a similar missing error code assignment here? It looks like this path
would also return success without initializing the channel.
[ ... ]
> @@ -461,7 +461,7 @@ nvkm_chan_new_(const struct nvkm_chan_func *func, struct nvkm_runl *runl, int ru
>
> if (chan->id < 0) {
> RUNL_ERROR(runl, "!chids");
> - return -ENOSPC;
> + goto done;
> }
[Severity: Critical]
Does this path also need ret = -ENOSPC before jumping to the cleanup block?
[ ... ]
> +done:
> + if (chan->id >= 0)
> + nvkm_chid_put(runl->chid, chan->id, &chan->cgrp->lock);
> + nvkm_memory_unref(&chan->userd.mem);
> + nvkm_vmm_unref(&chan->vmm);
> + nvkm_cgrp_unref(&chan->cgrp);
> + *pchan = NULL;
> + return ret;
> }
[Severity: High]
Does setting *pchan = NULL hide the partially allocated object from the
caller's framework destructor?
When an error occurs, the native destructors like nvkm_object_del() and
nvkm_chan_del() are usually invoked by the framework to clean up. Since the
done block misses freeing the channel struct and initialized GPU objects like
chan->inst, clearing the pointer here seems to prevent the framework from
finishing the cleanup, resulting in a resource leak.
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260626143953.48952-1-vulab@iscas.ac.cn?part=1
next prev parent reply other threads:[~2026-06-26 14:53 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-26 14:39 [PATCH] fix: drm/nouveau: nvkm_chan_new_: multiple error paths return without releasing acquired references WenTao Liang
2026-06-26 14:39 ` WenTao Liang
2026-06-26 14:39 ` WenTao Liang
2026-06-26 14:53 ` sashiko-bot [this message]
2026-06-28 3:56 ` WenTao Liang
2026-06-28 3:56 ` WenTao Liang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260626145309.E1D021F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=dri-devel@lists.freedesktop.org \
--cc=sashiko-reviews@lists.linux.dev \
--cc=vulab@iscas.ac.cn \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.