RE: [PATCH] drm/amdgpu/userq: fix memory leak in MQD creation error paths
From: Liang, Prike
Date: Sun Mar 15 2026 - 23:32:54 EST
[Public]
Thanks for the fix. We could further refine this by wrapping a unified helper for fetching and validating the userq MQD raw data.
Reviewed-by: Prike Liang <Prike.Liang@xxxxxxx>
Regards,
Prike
> -----Original Message-----
> From: Junrui Luo <moonafterrain@xxxxxxxxxxx>
> Sent: Saturday, March 14, 2026 11:34 PM
> To: Deucher, Alexander <Alexander.Deucher@xxxxxxx>; Koenig, Christian
> <Christian.Koenig@xxxxxxx>; David Airlie <airlied@xxxxxxxxx>; Simona Vetter
> <simona@xxxxxxxx>; Liang, Prike <Prike.Liang@xxxxxxx>
> Cc: amd-gfx@xxxxxxxxxxxxxxxxxxxxx; dri-devel@xxxxxxxxxxxxxxxxxxxxx; linux-
> kernel@xxxxxxxxxxxxxxx; Yuhao Jiang <danisjiang@xxxxxxxxx>;
> stable@xxxxxxxxxxxxxxx; Junrui Luo <moonafterrain@xxxxxxxxxxx>
> Subject: [PATCH] drm/amdgpu/userq: fix memory leak in MQD creation error paths
>
> [Some people who received this message don't often get email from
> moonafterrain@xxxxxxxxxxx. Learn why this is important at
> https://aka.ms/LearnAboutSenderIdentification ]
>
> In mes_userq_mqd_create(), the memdup_user() allocations for IP-specific MQD
> structs are not freed when subsequent VA validation fails. The goto free_mqd label
> only cleans up the MQD BO object and userq_props.
>
> Fix by adding kfree() before each goto free_mqd on VA validation failure in the
> COMPUTE, GFX, and SDMA branches.
>
> Fixes: 9e46b8bb0539 ("drm/amdgpu: validate userq buffer virtual address and size")
> Reported-by: Yuhao Jiang <danisjiang@xxxxxxxxx>
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Junrui Luo <moonafterrain@xxxxxxxxxxx>
> ---
> drivers/gpu/drm/amd/amdgpu/mes_userqueue.c | 16 ++++++++++++----
> 1 file changed, 12 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/gpu/drm/amd/amdgpu/mes_userqueue.c
> b/drivers/gpu/drm/amd/amdgpu/mes_userqueue.c
> index 8c74894254f7..faac21ee5739 100644
> --- a/drivers/gpu/drm/amd/amdgpu/mes_userqueue.c
> +++ b/drivers/gpu/drm/amd/amdgpu/mes_userqueue.c
> @@ -324,8 +324,10 @@ static int mes_userq_mqd_create(struct
> amdgpu_usermode_queue *queue,
>
> r = amdgpu_userq_input_va_validate(adev, queue, compute_mqd-
> >eop_va,
> 2048);
> - if (r)
> + if (r) {
> + kfree(compute_mqd);
> goto free_mqd;
> + }
>
> userq_props->eop_gpu_addr = compute_mqd->eop_va;
> userq_props->hqd_pipe_priority =
> AMDGPU_GFX_PIPE_PRIO_NORMAL; @@ -365,12 +367,16 @@ static int
> mes_userq_mqd_create(struct amdgpu_usermode_queue *queue,
>
> r = amdgpu_userq_input_va_validate(adev, queue, mqd_gfx_v11-
> >shadow_va,
> shadow_info.shadow_size);
> - if (r)
> + if (r) {
> + kfree(mqd_gfx_v11);
> goto free_mqd;
> + }
> r = amdgpu_userq_input_va_validate(adev, queue, mqd_gfx_v11->csa_va,
> shadow_info.csa_size);
> - if (r)
> + if (r) {
> + kfree(mqd_gfx_v11);
> goto free_mqd;
> + }
>
> kfree(mqd_gfx_v11);
> } else if (queue->queue_type == AMDGPU_HW_IP_DMA) { @@ -390,8
> +396,10 @@ static int mes_userq_mqd_create(struct amdgpu_usermode_queue
> *queue,
> }
> r = amdgpu_userq_input_va_validate(adev, queue, mqd_sdma_v11-
> >csa_va,
> 32);
> - if (r)
> + if (r) {
> + kfree(mqd_sdma_v11);
> goto free_mqd;
> + }
>
> userq_props->csa_addr = mqd_sdma_v11->csa_va;
> kfree(mqd_sdma_v11);
>
> ---
> base-commit: 0257f64bdac7fdca30fa3cae0df8b9ecbec7733a
> change-id: 20260314-fixes-f4411ac85e22
>
> Best regards,
> --
> Junrui Luo <moonafterrain@xxxxxxxxxxx>