[PATCH 0/3] drm/msm/adreno: fix preempt teardown races and cleanup

Next message: Mark Brown: "Re: [PATCH] Revert &quot;ASoC: rockchip: rockchip_sai: Use guard() for spin locks&quot;"
Previous message: Fan Wu: "[PATCH 1/3] drm/msm/adreno: sync preempt watchdog timer on teardown"
Next in thread: Fan Wu: "[PATCH 3/3] drm/msm/a5xx: make preempt_fini idempotent"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Fan Wu

Date: Wed Jun 17 2026 - 09:23:22 EST

This short series fixes three issues in the A5XX/A6XX preemption
teardown/error paths.

Patch 1 fixes a use-after-free: the preemption watchdog timer
(a5xx_preempt_timer / a6xx_preempt_timer) can fire during GPU teardown
and dereference the a5xx_gpu/a6xx_gpu container after it has been freed.
timer_shutdown_sync() is added to both destroy paths, and the timer is
initialized at GPU allocation so it is valid on every teardown path.

Patch 2 fixes a buffer leak: a6xx_destroy() never called
a6xx_preempt_fini(), so the per-ring preempt_bo/preempt_smmu_bo and the
preempt_postamble_bo were never released. a6xx_preempt_fini() now
releases all of them, clears the pointers, and is called from
a6xx_destroy().

Patch 3 makes a5xx_preempt_fini() idempotent. It is called from three
sites (init error, a5xx_ucode_load when WHERE_AM_I is unavailable, and
a5xx_destroy) but does not null the GEM buffer pointers after put, so a
second call double-frees them.

Patches 2 and 3 build on patch 1; apply in order.

Fan Wu (3):
drm/msm/adreno: sync preempt watchdog timer on teardown
drm/msm/a6xx: free all preempt buffers on teardown
drm/msm/a5xx: make preempt_fini idempotent

drivers/gpu/drm/msm/adreno/a5xx_gpu.c | 2 ++
drivers/gpu/drm/msm/adreno/a5xx_gpu.h | 1 +
drivers/gpu/drm/msm/adreno/a5xx_preempt.c | 16 +++++++++++++++-
drivers/gpu/drm/msm/adreno/a6xx_gpu.c | 5 +++++
drivers/gpu/drm/msm/adreno/a6xx_gpu.h | 1 +
drivers/gpu/drm/msm/adreno/a6xx_preempt.c | 21 ++++++++++++++++++---
6 files changed, 42 insertions(+), 4 deletions(-)

--
2.34.1