From 2cf1f6cb5088dcbe0523616169630e2e1f1de574 Mon Sep 17 00:00:00 2001
From: Yiwei Zhang
Date: Sun, 31 May 2026 23:07:19 -0700
Subject: [PATCH] venus: fix unbound malloc leak in vn_ring_get_submits

Credits to Toshinari Morikawa, and this supersedes https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/41904. ring->free_submits can go unbound for heavy scenes that use 3 or more shm pool allocs for CS storage. This change fixes to loop through the free list for a cached entry, which is good enough in practice since the most recently retired submit is cached at the list head.

Cc: mesa-stable
Reported-by: Toshinari Morikawa
Part-of:
---
 src/virtio/vulkan/vn_ring.c | 24 ++++++++++--------------
 1 file changed, 10 insertions(+), 14 deletions(-)

diff --git a/src/virtio/vulkan/vn_ring.c b/src/virtio/vulkan/vn_ring.c
index f3685b17ac3..ff72774d243 100644
--- a/src/virtio/vulkan/vn_ring.c
+++ b/src/virtio/vulkan/vn_ring.c
@@ -418,22 +418,18 @@ vn_ring_get_id(struct vn_ring *ring)
 static struct vn_ring_submit *
 vn_ring_get_submit(struct vn_ring *ring, uint32_t shmem_count)
 {
- const uint32_t min_shmem_count = 2;
- struct vn_ring_submit *submit;
-
- /* TODO this could be simplified if we could omit shmem_count */
- if (shmem_count <= min_shmem_count &&
- !list_is_empty(&ring->free_submits)) {
- submit =
- list_first_entry(&ring->free_submits, struct vn_ring_submit, head);
- list_del(&submit->head);
- } else {
- const size_t submit_size = offsetof(
- struct vn_ring_submit, shmems[MAX2(shmem_count, min_shmem_count)]);
- submit = malloc(submit_size);
+ list_for_each_entry_safe(struct vn_ring_submit, submit,
+ &ring->free_submits, head) {
+ if (submit->shmem_count >= shmem_count) {
+ list_del(&submit->head);
+ return submit;
+ }
 }

- return submit;
+ const uint32_t min_shmem_count = 2;
+ const size_t submit_size = offsetof(
+ struct vn_ring_submit, shmems[MAX2(shmem_count, min_shmem_count)]);
+ return malloc(submit_size);
 }

 static bool
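Review bot: The reuse test `submit->shmem_count >= shmem_count` in the new loop treats shmem_count as the entry's capacity, but the malloc path in this function never sets that field, so it is presumably the count the caller stored for the last use rather than the `MAX2(shmem_count, min_shmem_count)` slots actually allocated. If that is the case, an entry reused for a smaller request records the smaller count and can no longer satisfy the size it was allocated for, so alternating request sizes could still grow free_submits and lengthen this scan. The comparison is only memory-safe while the stored count never exceeds the allocated slots; consider tracking the allocated slot count separately, or at least state the invariant above the loop, e.g. `/* shmem_count is the last-used count and never exceeds the allocated slots */`. Since the loop returns right after `list_del`, plain `list_for_each_entry` would also suffice.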