Re: [PATCH 2/3] drm/amdgpu: block THP for HSA userptr notifiers

[sashiko-bot@kernel.org]

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [Critical] Unaligned user_addr from KFD_IOC_ALLOC_MEMORY_OF_GPU causes VMA tree corruption via split_vma()
--

commit 84a588c64a29eedb721607110e005505178f21fc
Author: Yitao Jiang <jytscientist@hotmail.com>

drm/amdgpu: block THP for HSA userptr notifiers

This commit modifies the registration of HSA userptr interval notifiers
to use the MMU_INTERVAL_NOTIFIER_BLOCK_THP flag. This prevents CPU THP
remaps of active userptr ranges from causing asynchronous GPU work failures.
GFX userptrs continue to use the existing notifier path.

> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_hmm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_hmm.c
> index 99bc9ad67d5b8..c0b36164c35e2 100644
> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_hmm.c
> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_hmm.c
[ ... ]
> @@ -130,16 +131,24 @@ static const struct mmu_interval_notifier_ops amdgpu_hmm_hsa_ops = {
>   */
>  int amdgpu_hmm_register(struct amdgpu_bo *bo, unsigned long addr)
>  {
[ ... ]
> +	if (bo->kfd_bo) {
> +		mmap_write_lock(mm);
> +		r = mmu_interval_notifier_insert_locked_flags(&bo->notifier, mm,
> +							      addr, size,
> +							      &amdgpu_hmm_hsa_ops,
> +							      MMU_INTERVAL_NOTIFIER_BLOCK_THP);
[Severity: Critical]
Can addr be unaligned when passed to this function?

A user space process can call the KFD_IOC_ALLOC_MEMORY_OF_GPU ioctl with the
KFD_IOC_ALLOC_MEM_FLAGS_USERPTR flag and provide an unaligned virtual address
in args->mmap_offset. The ioctl handler in kfd_ioctl_alloc_memory_of_gpu()
(in drivers/gpu/drm/amd/amdkfd/kfd_chardev.c) does not enforce page alignment
on this offset:

drivers/gpu/drm/amd/amdkfd/kfd_chardev.c:kfd_ioctl_alloc_memory_of_gpu() {
    ...
    err = amdgpu_amdkfd_gpuvm_alloc_memory_of_gpu(
        dev->adev, args->va_addr, args->size,
        pdd->drm_priv, (struct kgd_mem **) &mem, &offset,
        flags, false);
    ...
}

The unaligned offset propagates through init_user_pages() unmodified as
user_addr, which is eventually passed here as addr to amdgpu_hmm_register().

With the MMU_INTERVAL_NOTIFIER_BLOCK_THP flag added by this patch, the core
MM calls mmu_interval_notifier_block_thp_locked(), which uses this addr as
the start address. It iteratively passes this address to vma_modify_flags()
and subsequently split_vma().

Since VMA boundaries must be strictly page-aligned, split_vma() will corrupt
the VMA tree and break invariants by applying the unaligned address to the new
VMA bounds. This can lead to kernel panics or a local denial-of-service.

Should addr and size be aligned before calling
mmu_interval_notifier_insert_locked_flags(), or should the ioctl enforce
page alignment on user pointers?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/SY1PR01MB10596EB75463208A8E1EBBA0FC0EC2@SY1PR01MB10596.ausprd01.prod.outlook.com?part=2