From: sashiko-bot@kernel.org
To: "Christoph Hellwig" <hch@lst.de>
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH] mm/slab: improve kmem_cache_alloc_bulk
Date: Thu, 28 May 2026 10:12:29 +0000
Message-ID: <20260528101229.CDDCC1F000E9@smtp.kernel.org>
In-Reply-To: <20260528093437.2519248-2-hch@lst.de>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
New issues:
- [High] BUG CONFIRMED: MSM UNMAP ioctls fail with -ENOMEM due to 0-size bulk allocation rejection.
Pre-existing issues:
- [High] BUG CONFIRMED: Kernel panic from kfree() on vmalloc pointer in bulk allocation error path.
--
commit 2defa6181f53f2235f7496349b8ea576d0868ab8
Author: Christoph Hellwig <hch@lst.de>
mm/slab: improve kmem_cache_alloc_bulk
This commit changes the return type of kmem_cache_alloc_bulk() from int
to bool. Callers are updated to check for boolean success or failure instead
of comparing the return value against the requested count.
> diff --git a/drivers/gpu/drm/msm/msm_iommu.c b/drivers/gpu/drm/msm/msm_iommu.c
> index 058c71c82cf54..533104d71f6ce 100644
> --- a/drivers/gpu/drm/msm/msm_iommu.c
> +++ b/drivers/gpu/drm/msm/msm_iommu.c
> @@ -330,17 +330,15 @@ static int
> msm_iommu_pagetable_prealloc_allocate(struct msm_mmu *mmu, struct msm_mmu_prealloc *p)
> {
> struct kmem_cache *pt_cache = get_pt_cache(mmu);
> - int ret;
>
> p->pages = kvmalloc_objs(*p->pages, p->count);
> if (!p->pages)
> return -ENOMEM;
>
> - ret = kmem_cache_alloc_bulk(pt_cache, GFP_KERNEL, p->count, p->pages);
> - if (ret != p->count) {
> + if (!kmem_cache_alloc_bulk(pt_cache, GFP_KERNEL, p->count, p->pages)) {
[Severity: High]
If p->count is 0 (which can happen during UNMAP ioctls), kvmalloc_objs()
returns ZERO_SIZE_PTR, which passes the !p->pages check.
However, the updated kmem_cache_alloc_bulk() returns false when size is 0.
Previously, it returned 0, which matched p->count, allowing the function to
succeed. Now, a 0 count evaluates as a failure and incorrectly returns -ENOMEM.
Could this inadvertently break UNMAP ioctls by rejecting 0-size allocations?
> kfree(p->pages);
[Severity: High]
This is a pre-existing issue, but p->pages is allocated using kvmalloc_objs(),
which can fall back to vmalloc for large allocations.
If the allocation was fulfilled by vmalloc, doesn't calling kfree() on this
pointer cause a kernel panic? Should this be changed to kvfree() instead?
> p->pages = NULL;
> - p->count = ret;
> + p->count = 0;
> return -ENOMEM;
> }
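Review bot: the failure branch still releases p->pages with kfree() even though the array is allocated with kvmalloc_objs() a few lines above; kvfree() is the matching release, and since this patch already rewrites the branch it can be switched here. The new `!kmem_cache_alloc_bulk(...)` test also maps every false return to -ENOMEM, whereas the removed `ret != p->count` comparison accepted a request whose count was 0, so if a zero p->count can reach this function an early `return 0` before the bulk call keeps the old behaviour. Finally, the branch frees only the pointer array and forces p->count to 0, so it relies on kmem_cache_alloc_bulk() leaving no allocated objects in p->pages when it returns false; the commit message describes only the return type change, and that guarantee should be stated in the function's documentation.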
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260528093437.2519248-2-hch@lst.de?part=1