From: Matthew Brost <matthew.brost@intel.com>
To: Shuicheng Lin <shuicheng.lin@intel.com>
Cc: <intel-xe@lists.freedesktop.org>,
	Francois Dugast <francois.dugast@intel.com>,
	Niranjana Vishwanathapura <niranjana.vishwanathapura@intel.com>
Subject: Re: [PATCH 1/1] drm/xe: Fix error cleanup in xe_exec_queue_create_ioctl()
Date: Tue, 7 Apr 2026 21:48:02 -0700
Message-ID: <adXeAg7pjf/D1DmX@gsse-cloud1.jf.intel.com>
In-Reply-To: <20260408020647.3397933-1-shuicheng.lin@intel.com>

On Wed, Apr 08, 2026 at 02:06:47AM +0000, Shuicheng Lin wrote:
> Two error handling issues exist in xe_exec_queue_create_ioctl():
> 
> 1. When xe_hw_engine_group_add_exec_queue() fails, the error path jumps
>    to put_exec_queue which skips xe_exec_queue_kill(). If the VM is in
>    preempt fence mode, xe_vm_add_compute_exec_queue() has already added
>    the queue to the VM's compute exec queue list. Skipping the kill
>    leaves the queue on that list, leading to a dangling pointer after
>    the queue is freed.
> 
> 2. When xa_alloc() fails after xe_hw_engine_group_add_exec_queue() has
>    succeeded, the error path does not call
>    xe_hw_engine_group_del_exec_queue() to remove the queue from the hw
>    engine group list. The queue is then freed while still linked into
>    the hw engine group, causing a use-after-free.
> 
> Fix both by:
> - Changing the xe_hw_engine_group_add_exec_queue() failure path to jump
>   to kill_exec_queue so that xe_exec_queue_kill() properly removes the
>   queue from the VM's compute list.
> - Adding a del_hw_engine_group label before kill_exec_queue for the
>   xa_alloc() failure path, which removes the queue from the hw engine
>   group before proceeding with the rest of the cleanup.
> 
> Fixes: 7970cb36966c ("'drm/xe/hw_engine_group: Register hw engine group's exec queues")
> Cc: Francois Dugast <francois.dugast@intel.com>
> Cc: Matthew Brost <matthew.brost@intel.com>

Reviewed-by: Matthew Brost <matthew.brost@intel.com>

> Cc: Niranjana Vishwanathapura <niranjana.vishwanathapura@intel.com>
> Assisted-by: Claude:claude-opus-4.6
> Signed-off-by: Shuicheng Lin <shuicheng.lin@intel.com>
> ---
> This is a reimplementation of https://patchwork.freedesktop.org/series/162714/
> Same logic, with improved labeling and a corrected Fixes tag.
> ---
>  drivers/gpu/drm/xe/xe_exec_queue.c | 7 +++++--
>  1 file changed, 5 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/gpu/drm/xe/xe_exec_queue.c b/drivers/gpu/drm/xe/xe_exec_queue.c
> index b287d0e0e60a..4603ff08d860 100644
> --- a/drivers/gpu/drm/xe/xe_exec_queue.c
> +++ b/drivers/gpu/drm/xe/xe_exec_queue.c
> @@ -1405,7 +1405,7 @@ int xe_exec_queue_create_ioctl(struct drm_device *dev, void *data,
>  		if (q->vm && q->hwe->hw_engine_group) {
>  			err = xe_hw_engine_group_add_exec_queue(q->hwe->hw_engine_group, q);
>  			if (err)
> -				goto put_exec_queue;
> +				goto kill_exec_queue;
>  		}
>  	}
>  
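
Review bot: The retargeted `goto kill_exec_queue;` under the `if (err)` after xe_hw_engine_group_add_exec_queue() carries no comment explaining why a failed add must still go through xe_exec_queue_kill(). The commit message gives the reason (the queue may already be on the VM's compute exec queue list in preempt fence mode), but nothing in the code does, and the previous `put_exec_queue` target looked just as plausible to a reader. A one-line comment above the goto would keep a later cleanup from reverting it. It is also worth confirming that xe_hw_engine_group_add_exec_queue() leaves the queue unlinked from the group on every failure return, since this path skips del_hw_engine_group by design.
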
> @@ -1416,12 +1416,15 @@ int xe_exec_queue_create_ioctl(struct drm_device *dev, void *data,
>  	/* user id alloc must always be last in ioctl to prevent UAF */
>  	err = xa_alloc(&xef->exec_queue.xa, &id, q, xa_limit_32b, GFP_KERNEL);
>  	if (err)
> -		goto kill_exec_queue;
> +		goto del_hw_engine_group;
>  
>  	args->exec_queue_id = id;
>  
>  	return 0;
>  
> +del_hw_engine_group:
> +	if (q->vm && q->hwe && q->hwe->hw_engine_group)
> +		xe_hw_engine_group_del_exec_queue(q->hwe->hw_engine_group, q);
>  kill_exec_queue:
>  	xe_exec_queue_kill(q);
>  delete_queue_group:
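
Review bot: The guard at the new del_hw_engine_group label, `if (q->vm && q->hwe && q->hwe->hw_engine_group)`, does not mirror the add side in the first hunk, which tests `q->vm && q->hwe->hw_engine_group` and sits inside an outer block whose condition is not repeated here. On an xa_alloc() failure this label can therefore call xe_hw_engine_group_del_exec_queue() for a queue that never went through xe_hw_engine_group_add_exec_queue(). Either confirm that the del helper is a safe no-op for a queue that is not on the group list, or repeat the full add-side condition (or record that the add succeeded) so the unwind matches exactly what was set up. The extra `q->hwe` check is also inconsistent with the add path, which dereferences `q->hwe` unconditionally; use one form in both places.
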
> -- 
> 2.43.0
> 

Thread overview: 9+ messages
2026-04-08  2:06 [PATCH 1/1] drm/xe: Fix error cleanup in xe_exec_queue_create_ioctl() Shuicheng Lin
2026-04-08  2:17 ` ✗ CI.checkpatch: warning for series starting with [1/1] " Patchwork
2026-04-08  2:18 ` ✗ CI.KUnit: failure " Patchwork
2026-04-08  4:48 ` Matthew Brost [this message]
2026-04-10  3:18 ` ✗ CI.checkpatch: warning for series starting with [1/1] drm/xe: Fix error cleanup in xe_exec_queue_create_ioctl() (rev2) Patchwork
2026-04-10  3:19 ` ✓ CI.KUnit: success " Patchwork
2026-04-10  4:10 ` ✓ Xe.CI.BAT: " Patchwork
2026-04-10  9:13 ` ✗ Xe.CI.FULL: failure " Patchwork
2026-04-14 15:47   ` Lin, Shuicheng
