kernel/linux.git/drivers/gpu/drm/v3d/v3d_submit.c, branch v7.1

drm/v3d: Release indirect CSD GEM reference on CPU job free

2026-05-18T22:59:51+00:00

v3d_get_cpu_indirect_csd_params() takes a reference to the indirect BO via drm_gem_object_lookup() and stashes it in cpu_job->indirect_csd.indirect, but nothing on the CPU job teardown path ever drops that reference. Drop the extra reference in v3d_cpu_job_free(). The NULL check covers ioctl errors before the lookup ran and CPU job types other than V3D_CPU_JOB_TYPE_INDIRECT_CSD, which leave the field zero-initialised. Cc: stable@vger.kernel.org Fixes: 18b8413b25b7 ("drm/v3d: Create a CPU job extension for a indirect CSD job") Assisted-by: Claude:claude-opus-4.7 Reviewed-by: Iago Toral Quiroga Link: https://patch.msgid.link/20260515-v3d-cpu-job-leaks-v1-2-7f147cbbf935@igalia.com Signed-off-by: Maíra Canal

drm/v3d: Fix use-after-free of CPU job query arrays on error path

2026-05-18T22:59:46+00:00

The CPU job ioctl's fail label calls kvfree() on cpu_job's timestamp and performance query arrays after v3d_job_cleanup(), which drops the job's last reference and frees cpu_job. Reading cpu_job at that point is a use-after-free. Also, on the early v3d_job_init() failure path, it is a NULL dereference, since v3d_job_deallocate() zeroes the local pointer. In the success path, the arrays are released from the scheduler's .free_job callback, but on the error path, they are freed manually, as the job was never pushed to the scheduler. While the success path deals with this correctly, the fail path doesn't. On top of that, the manual kvfree() calls only free the array storage; they don't drm_syncobj_put() the per-query syncobjs that v3d_timestamp_query_info_free() and v3d_performance_query_info_free() release on the success path. So the same fail path that triggers the use-after-free also leaks one syncobj reference per query. Unify the CPU job teardown into the CPU job's kref destructor, mirroring v3d_render_job_free(). The scheduler's .free_job slot reverts to the generic v3d_sched_job_free() and the fail label drops the manual kvfree() calls, leaving a single teardown path that is reached from both the scheduler and the ioctl error path. That removes the use-after-free, the NULL dereference, and the syncobj leak by construction. Cc: stable@vger.kernel.org Fixes: 9ba0ff3e083f ("drm/v3d: Create a CPU job extension for the timestamp query job") Assisted-by: Claude:claude-opus-4.7 Reviewed-by: Iago Toral Quiroga Link: https://patch.msgid.link/20260515-v3d-cpu-job-leaks-v1-1-7f147cbbf935@igalia.com Signed-off-by: Maíra Canal

Merge tag 'drm-fixes-2026-04-24' of https://gitlab.freedesktop.org/drm/kernel

2026-04-24T18:44:52+00:00

Pull more drm fixes from Dave Airlie: "These are the regular fixes that have built up over last couple of weeks, all pretty minor and spread all over. atomic: - raise the vblank timeout to avoid it on virtual drivers - fix colorop duplication bridge: - stm_lvds: state check fix - dw-mipi-dsi: bridge reference leak fix panel: - visionx-rm69299: init fix dma-fence: - fix sparse warning dma-buf: - UAF fix panthor: - mapping fix arcgpu: - device_node reference leak fix nouveau: - memory leak in error path fix - overflow in reloc path for old hw fix hv: - Kconfig fix v3d: - infinite loop fix" * tag 'drm-fixes-2026-04-24' of https://gitlab.freedesktop.org/drm/kernel: drm/nouveau: fix u32 overflow in pushbuf reloc bounds check MAINTAINERS: split hisilicon maintenance and add Yongbang Shi for hibmc-drm matainers drm/v3d: Reject empty multisync extension to prevent infinite loop drm/panel: visionox-rm69299: Make use of prepare_prev_first drm/drm_atomic: duplicate colorop states if plane color pipeline in use drm/nouveau: fix nvkm_device leak on aperture removal failure hv: Select CONFIG_SYSFB only for CONFIG_HYPERV_VMBUS dma-fence: Silence sparse warning in dma_fence_describe drm/bridge: dw-mipi-dsi: Fix bridge leak when host attach fails drm/arcpgu: fix device node leak drm/panthor: Fix outdated function documentation drm/panthor: Extend VM locked region for remap case to be a superset dma-buf: fix UAF in dma_buf_put() tracepoint drm/bridge: stm_lvds: Do not fail atomic_check on disabled connector drm/atomic: Increase timeout in drm_atomic_helper_wait_for_vblanks()

drm/v3d: Reject empty multisync extension to prevent infinite loop

2026-04-19T22:07:29+00:00

v3d_get_extensions() walks a userspace-provided singly-linked list of ioctl extensions without any bound on the chain length. A local user can craft a self-referential extension (ext->next == &ext) with zero in_sync_count and out_sync_count, which bypasses the existing duplicate- extension guard: if (se->in_sync_count || se->out_sync_count) return -EINVAL; The guard never fires because v3d_get_multisync_post_deps() returns immediately when count is zero, leaving both fields at zero on every iteration. The result is an infinite loop in kernel context, blocking the calling thread and pegging a CPU core indefinitely. Fix this by rejecting a multisync extension where both in_sync_count and out_sync_count are zero in v3d_get_multisync_submit_deps(). An empty multisync carries no synchronization information and serves no useful purpose, so returning -EINVAL for such an extension is the correct defense against this attack vector. Fixes: e4165ae8304e ("drm/v3d: add multiple syncobjs support") Cc: stable@vger.kernel.org Signed-off-by: Ashutosh Desai Link: https://patch.msgid.link/20260415050000.3816128-1-ashutoshdesai993@gmail.com Signed-off-by: Maíra Canal

drm/v3d: Hold v3d_stats references in each job

2026-03-13T21:02:32+00:00

Have each job hold its own references to the per-fd and global stats objects. This eliminates the need for `queue_lock` protection in the stats update path, since the job's stats pointers are guaranteed to remain valid for the job's entire lifetime regardless of file descriptor closure. Signed-off-by: Tvrtko Ursulin Reviewed-by: Iago Toral Quiroga Link: https://patch.msgid.link/20260306-v3d-reset-locking-improv-v3-4-49864fe00692@igalia.com Co-developed-by: Maíra Canal Signed-off-by: Maíra Canal

Convert remaining multi-line kmalloc_obj/flex GFP_KERNEL uses

2026-02-22T16:26:33+00:00

Conversion performed via this Coccinelle script: // SPDX-License-Identifier: GPL-2.0-only // Options: --include-headers-for-types --all-includes --include-headers --keep-comments virtual patch @gfp depends on patch && !(file in "tools") && !(file in "samples")@ identifier ALLOC = {kmalloc_obj,kmalloc_objs,kmalloc_flex, kzalloc_obj,kzalloc_objs,kzalloc_flex, kvmalloc_obj,kvmalloc_objs,kvmalloc_flex, kvzalloc_obj,kvzalloc_objs,kvzalloc_flex}; @@ ALLOC(... - , GFP_KERNEL ) $ make coccicheck MODE=patch COCCI=gfp.cocci Build and boot tested x86_64 with Fedora 42's GCC and Clang: Linux version 6.19.0+ (user@host) (gcc (GCC) 15.2.1 20260123 (Red Hat 15.2.1-7), GNU ld version 2.44-12.fc42) #1 SMP PREEMPT_DYNAMIC 1970-01-01 Linux version 6.19.0+ (user@host) (clang version 20.1.8 (Fedora 20.1.8-4.fc42), LLD 20.1.8) #1 SMP PREEMPT_DYNAMIC 1970-01-01 Signed-off-by: Kees Cook Signed-off-by: Linus Torvalds

Convert more 'alloc_obj' cases to default GFP_KERNEL arguments

2026-02-22T04:03:00+00:00

This converts some of the visually simpler cases that have been split over multiple lines. I only did the ones that are easy to verify the resulting diff by having just that final GFP_KERNEL argument on the next line. Somebody should probably do a proper coccinelle script for this, but for me the trivial script actually resulted in an assertion failure in the middle of the script. I probably had made it a bit _too_ trivial. So after fighting that far a while I decided to just do some of the syntactically simpler cases with variations of the previous 'sed' scripts. The more syntactically complex multi-line cases would mostly really want whitespace cleanup anyway. Signed-off-by: Linus Torvalds

treewide: Replace kmalloc with kmalloc_obj for non-scalar types

2026-02-21T09:02:28+00:00

This is the result of running the Coccinelle script from scripts/coccinelle/api/kmalloc_objs.cocci. The script is designed to avoid scalar types (which need careful case-by-case checking), and instead replace kmalloc-family calls that allocate struct or union object instances: Single allocations: kmalloc(sizeof(TYPE), ...) are replaced with: kmalloc_obj(TYPE, ...) Array allocations: kmalloc_array(COUNT, sizeof(TYPE), ...) are replaced with: kmalloc_objs(TYPE, COUNT, ...) Flex array allocations: kmalloc(struct_size(PTR, FAM, COUNT), ...) are replaced with: kmalloc_flex(*PTR, FAM, COUNT, ...) (where TYPE may also be *VAR) The resulting allocations no longer return "void *", instead returning "TYPE *". Signed-off-by: Kees Cook

drm/v3d: Convert v3d logging to device-based DRM helpers

2026-01-19T10:12:25+00:00

Replace legacy DRM_DEBUG/INFO/WARN/ERROR logging with the corresponding device-based drm_dbg(), drm_info(), drm_warn() and drm_err() helpers. For some messages, adjust the log level to better reflect their severity. This allows filtering via drm.debug, reduces log spam, and helps differentiate v3d logs from vc4 logs. Reviewed-by: Iago Toral Quiroga Link: https://patch.msgid.link/20260112-v3d-drm-debug-v2-2-8ef6244c97bb@igalia.com Signed-off-by: Maíra Canal

drm/v3d: Consolidate CPU job validation in a function

2026-01-19T10:12:25+00:00

All CPU job extension parsers duplicate the same validation procedure: ensure the extension is attached to a CPU job (not a GPU job) and that only a single CPU job extension is associated with a given job. Create a function to consolidate these checks and reduce the boilerplate across the various CPU job extension handlers. While here, convert the legacy DRM_DEBUG with a more appropriate drm_dbg(). Reviewed-by: Iago Toral Quiroga Link: https://patch.msgid.link/20260112-v3d-drm-debug-v2-1-8ef6244c97bb@igalia.com Signed-off-by: Maíra Canal