drm/amdgpu/userq: fix memory leak in MQD creation error paths

In mes_userq_mqd_create(), the memdup_user() allocations for
IP-specific MQD structs are not freed when subsequent VA validation
fails. The goto free_mqd label only cleans up the MQD BO object and
userq_props.

Fix by adding kfree() before each goto free_mqd on VA validation
failure in the COMPUTE, GFX, and SDMA branches.

Fixes: 9e46b8bb0539 ("drm/amdgpu: validate userq buffer virtual address and size")
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Reviewed-by: Prike Liang <Prike.Liang@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 27f5ff9e4a4150d7cf8b4085aedd3b77ddcc5d08)
Cc: stable@vger.kernel.org

diff --git a/drivers/gpu/drm/amd/amdgpu/mes_userqueue.c b/drivers/gpu/drm/amd/amdgpu/mes_userqueue.c
index 8c74894254f7acaf71a93ac9f1e8a5a3624b567c..faac21ee5739c08aeb3265b059679fd206d58c17 100644 (file)
--- a/drivers/gpu/drm/amd/amdgpu/mes_userqueue.c
+++ b/drivers/gpu/drm/amd/amdgpu/mes_userqueue.c
@@ -324,8 +324,10 @@ static int mes_userq_mqd_create(struct amdgpu_usermode_queue *queue,
 
                r = amdgpu_userq_input_va_validate(adev, queue, compute_mqd->eop_va,
                                                   2048);
-               if (r)
+               if (r) {
+                       kfree(compute_mqd);
                        goto free_mqd;
+               }
 
                userq_props->eop_gpu_addr = compute_mqd->eop_va;
                userq_props->hqd_pipe_priority = AMDGPU_GFX_PIPE_PRIO_NORMAL;
@@ -365,12 +367,16 @@ static int mes_userq_mqd_create(struct amdgpu_usermode_queue *queue,
 
                r = amdgpu_userq_input_va_validate(adev, queue, mqd_gfx_v11->shadow_va,
                                                   shadow_info.shadow_size);
-               if (r)
+               if (r) {
+                       kfree(mqd_gfx_v11);
                        goto free_mqd;
+               }
                r = amdgpu_userq_input_va_validate(adev, queue, mqd_gfx_v11->csa_va,
                                                   shadow_info.csa_size);
-               if (r)
+               if (r) {
+                       kfree(mqd_gfx_v11);
                        goto free_mqd;
+               }
 
                kfree(mqd_gfx_v11);
        } else if (queue->queue_type == AMDGPU_HW_IP_DMA) {
@@ -390,8 +396,10 @@ static int mes_userq_mqd_create(struct amdgpu_usermode_queue *queue,
                }
                r = amdgpu_userq_input_va_validate(adev, queue, mqd_sdma_v11->csa_va,
                                                   32);
-               if (r)
+               if (r) {
+                       kfree(mqd_sdma_v11);
                        goto free_mqd;
+               }
 
                userq_props->csa_addr = mqd_sdma_v11->csa_va;
                kfree(mqd_sdma_v11);