From: sashiko-bot@kernel.org
To: "Thomas Hellström" <thomas.hellstrom@linux.intel.com>
Cc: tj@kernel.org, mkoutny@suse.com, hannes@cmpxchg.org,
	dri-devel@lists.freedesktop.org
Subject: Re: [PATCH v6 1/6] drm/amdgpu: Fix init ordering in amdgpu_vram_mgr_init()
Date: Thu, 11 Jun 2026 17:45:13 +0000
Message-ID: <20260611174513.F03BB1F00893@smtp.kernel.org>
In-Reply-To: <20260611173301.17473-2-thomas.hellstrom@linux.intel.com>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] Incomplete Fix / NULL Pointer Dereference or Use-After-Free on Error Path
--

commit 2ee86f69ec7f41352206d6f701597e5f22e81241
Author: Thomas Hellström <thomas.hellstrom@linux.intel.com>

drm/amdgpu: Fix init ordering in amdgpu_vram_mgr_init()

drmm_cgroup_register_region() is called before INIT_LIST_HEAD() and
gpu_buddy_init() in amdgpu_vram_mgr_init(). If it fails, the function
returns early and bypasses those initializations.

Closes: https://sashiko.dev/#/patchset/20260428073116.15687-1-thomas.hellstrom@linux.intel.com?part=4

> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c
> index 2a241a5b12c42..ac3f71d77140a 100644
> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c
> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c

[ ... ]

> @@ -935,6 +932,10 @@ int amdgpu_vram_mgr_init(struct amdgpu_device *adev)
>  	if (err)
>  		return err;

[Severity: High]
This isn't a bug introduced by this patch, but does this still leave a
use-after-free or NULL pointer dereference on the error path if
gpu_buddy_init() fails?

If gpu_buddy_init() fails, it cleans up its partial allocations but leaves
mgr->mm.free_trees as a dangling pointer or NULL.

Because adev->mman.initialized is set to true before amdgpu_vram_mgr_init()
is called, the error teardown path unconditionally calls amdgpu_ttm_fini(),
which calls amdgpu_vram_mgr_fini():

drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c:amdgpu_vram_mgr_fini() {
    ...
	if (!adev->gmc.is_app_apu)
		gpu_buddy_fini(&mgr->mm);
    ...
}

This calls gpu_buddy_fini() which accesses mm->free_trees:

drivers/gpu/buddy.c:gpu_buddy_fini() {
    ...
	for_each_free_tree(i)
		kfree(mm->free_trees[i]);
    ...
}

Could this dereference the uninitialized or dangling mm->free_trees pointer
and cause a kernel panic during module load error handling?

> +	man->cg = drmm_cgroup_register_region(adev_to_drm(adev), "vram", adev->gmc.real_vram_size);
> +	if (IS_ERR(man->cg))
> +		return PTR_ERR(man->cg);
> +
>  	ttm_set_driver_manager(&adev->mman.bdev, TTM_PL_VRAM, &mgr->manager);
>  	ttm_resource_manager_set_used(man, true);
>  	return 0;
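
Review bot: At the added `if (IS_ERR(man->cg)) return PTR_ERR(man->cg);`, the failure path leaves an ERR_PTR value stored in man->cg and returns without undoing the setup that the preceding `if (err)` check has just confirmed succeeded. Any later teardown that tests man->cg against NULL would take the error pointer for a valid region. Consider assigning the result to a local and storing it into man->cg only on success, and either unwind the earlier init at this return or state in the commit message which teardown path is relied on to do it.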

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260611173301.17473-1-thomas.hellstrom@linux.intel.com?part=1
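
The teardown-after-failed-init concern raised in the review above, modelled in userspace C as an added example; this is not code from the message, the patch or the kernel. `toy_mm`, `toy_mm_init()`, `toy_mm_fini()`, `N_TREES` and the `fail_at` failure-injection parameter are hypothetical names, and the model shows the hardened shape (init clears the pointer on failure, fini tolerates that state) rather than the behaviour of gpu_buddy_init() itself.

```c
#include <errno.h>
#include <stdlib.h>

#define N_TREES 2            /* constructed stand-in for the free-tree count */
struct toy_mm {              /* hypothetical model, not the kernel's struct */
    void **free_trees;       /* NULL whenever the manager is not initialised */
};

/* fail_at < 0: succeed; otherwise the allocation with that index fails. */
static int toy_mm_init(struct toy_mm *mm, int fail_at)
{
    int i;
    mm->free_trees = calloc(N_TREES, sizeof(*mm->free_trees));
    if (!mm->free_trees)
        return -ENOMEM;
    for (i = 0; i < N_TREES; i++) {
        mm->free_trees[i] = (i == fail_at) ? NULL : malloc(64);
        if (!mm->free_trees[i])
            goto unwind;
    }
    return 0;
unwind:
    while (i--)                      /* free only what was allocated */
        free(mm->free_trees[i]);
    free(mm->free_trees);
    mm->free_trees = NULL;           /* do not leave a dangling pointer for fini */
    return -ENOMEM;
}

/* Returns the number of trees freed; no-op after a failed init or a prior fini. */
static int toy_mm_fini(struct toy_mm *mm)
{
    int i;
    if (!mm->free_trees)
        return 0;
    for (i = 0; i < N_TREES; i++)
        free(mm->free_trees[i]);
    free(mm->free_trees);
    mm->free_trees = NULL;
    return N_TREES;
}

int main(void)
{
    struct toy_mm mm = { 0 };
    int err = toy_mm_init(&mm, 1);   /* constructed failure on the second tree */
    toy_mm_fini(&mm);                /* teardown still runs, as on the error path */
    return err == -ENOMEM ? 0 : 1;
}
```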
