[PATCH 0/2] drm/amdgpu: fix error handling bugs in amdgpu_userq_create()

Next message: Junrui Luo: "[PATCH 1/2] drm/amdgpu: fix use-after-free in amdgpu_userq_create() error paths"
Previous message: Guangshuo Li: "[PATCH] IB/mlx4: Fix refcount leak in add_port() error path"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Junrui Luo

Date: Sat Apr 11 2026 - 05:26:41 EST

Commit f18719ef4bb7 ("drm/amdgpu: Convert amdgpu userqueue management
from IDR to XArray") introduced a global XArray userq_doorbell_xa for
device-wide queue tracking, but the error paths in amdgpu_userq_create()
were not fully updated to clean up entries from it.

- Patch 1 fixes a use-after-free: when xa_alloc() or
amdgpu_userq_map_helper() fails, the queue is freed but its pointer
remains in userq_doorbell_xa. Any subsequent xa_for_each() iteration
(suspend, resume, GPU reset) dereferences the freed pointer.

- Patch 2 fixes a resource leak: when xa_store_irq() fails, the error
path calls kfree() without first releasing resources from the preceding
successful mqd_create() and fence_driver_alloc().

Signed-off-by: Junrui Luo <moonafterrain@xxxxxxxxxxx>
---
Junrui Luo (2):
drm/amdgpu: fix use-after-free in amdgpu_userq_create() error paths
drm/amdgpu: fix resource leak in amdgpu_userq_create() xa_store_irq error path

drivers/gpu/drm/amd/amdgpu/amdgpu_userq.c | 4 ++++
1 file changed, 4 insertions(+)
---
base-commit: 7aaa8047eafd0bd628065b15757d9b48c5f9c07d
change-id: 20260411-fixes-30893f27c5aa

Best regards,
--
Junrui Luo <moonafterrain@xxxxxxxxxxx>