From 2cf0b8c2d0fd7d5864de1cb44d9393547f27ddef Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Roberto=20de=20Souza?= <jose.souza@intel.com>
Date: Thu, 18 Dec 2025 09:23:26 -0800
Subject: [PATCH] iris: Fix slab memory leak
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When in alloc_bo_from_slabs() size and alloc_size are different enough to have
different pb_slabs it causes the slab to be put into the reclaim list of a the
smaller pb_slabs when calling iris_bo_unreference(), causing a memory leak of
(alloc_size - size) bytes.

So here storing and using the actual slab size to fix this issue.

Cc: stable
Reviewed-by: Lionel Landwerlin <lionel.g.landwerlin@intel.com>
Signed-off-by: José Roberto de Souza <jose.souza@intel.com>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/39024>
---
 src/gallium/drivers/iris/iris_bufmgr.c | 4 +++-
 src/gallium/drivers/iris/iris_bufmgr.h | 1 +
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/gallium/drivers/iris/iris_bufmgr.c b/src/gallium/drivers/iris/iris_bufmgr.c
index 65750f55461..cff00847ac4 100644
--- a/src/gallium/drivers/iris/iris_bufmgr.c
+++ b/src/gallium/drivers/iris/iris_bufmgr.c
@@ -860,6 +860,7 @@ iris_slab_alloc(void *priv,
       bo->zeroed = slab->bo->zeroed;
 
       bo->slab.entry.slab = &slab->base;
+      bo->slab.actual_size = entry_size;
 
       bo->slab.real = iris_get_backing_bo(slab->bo);
 
@@ -1017,6 +1018,7 @@ alloc_bo_from_slabs(struct iris_bufmgr *bufmgr,
       return NULL;
 
    struct iris_bo *bo = container_of(entry, struct iris_bo, slab.entry);
+   assert(get_slabs(bufmgr, bo->slab.actual_size) == slabs);
 
    if (bo->aux_map_address && bo->bufmgr->aux_map_ctx) {
       /* This buffer was associated with an aux-buffer range.  We only allow
@@ -1716,7 +1718,7 @@ iris_bo_unreference(struct iris_bo *bo)
 
       bo->zeroed = false;
       if (bo->gem_handle == 0) {
-         pb_slab_free(get_slabs(bufmgr, bo->size), &bo->slab.entry);
+         pb_slab_free(get_slabs(bufmgr, bo->slab.actual_size), &bo->slab.entry);
       } else {
          simple_mtx_lock(&bufmgr->lock);
 
diff --git a/src/gallium/drivers/iris/iris_bufmgr.h b/src/gallium/drivers/iris/iris_bufmgr.h
index 1c020280468..cb6138b1ebd 100644
--- a/src/gallium/drivers/iris/iris_bufmgr.h
+++ b/src/gallium/drivers/iris/iris_bufmgr.h
@@ -379,6 +379,7 @@ struct iris_bo {
       struct {
          struct pb_slab_entry entry;
          struct iris_bo *real;
+         uint32_t actual_size;
       } slab;
    };
 };