Commit f18719ef4bb7 ("drm/amdgpu: Convert amdgpu userqueue management
from IDR to XArray") introduced a global XArray userq_doorbell_xa for
device-wide queue tracking, but the error paths in amdgpu_userq_create()
were not fully updated to clean up entries from it.- Patch 1 fixes a use-after-free: when xa_alloc() or amdgpu_userq_map_helper() fails, the queue is freed but its pointer remains in userq_doorbell_xa. Any subsequent xa_for_each() iteration (suspend, resume, GPU reset) dereferences the freed pointer. - Patch 2 fixes a resource leak: when xa_store_irq() fails, the error path calls kfree() without first releasing resources from the preceding successful mqd_create() and fence_driver_alloc(). Signed-off-by: Junrui Luo <[email protected]> --- Junrui Luo (2): drm/amdgpu: fix use-after-free in amdgpu_userq_create() error paths drm/amdgpu: fix resource leak in amdgpu_userq_create() xa_store_irq error path drivers/gpu/drm/amd/amdgpu/amdgpu_userq.c | 4 ++++ 1 file changed, 4 insertions(+) --- base-commit: 7aaa8047eafd0bd628065b15757d9b48c5f9c07d change-id: 20260411-fixes-30893f27c5aa Best regards, -- Junrui Luo <[email protected]>
