From: sashiko-bot@kernel.org
To: "Philipp Stanner" <phasta@kernel.org>
Cc: dri-devel@lists.freedesktop.org
Subject: Re: [PATCH] drm/sched: Remove useless BUG_ON()
Date: Thu, 25 Jun 2026 12:11:01 +0000
Message-ID: <20260625121102.3AB3A1F000E9@smtp.kernel.org>
In-Reply-To: <20260625120151.1757146-2-phasta@kernel.org>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] Invalid pointer calculation and subsequent dereference when no schedulers are ready.
--

commit 9f3c42b74323f1ffa6b677518014a9ecac0a6163
Author: Philipp Stanner <phasta@kernel.org>

drm/sched: Remove useless BUG_ON()

This commit removes a BUG_ON() in drm_sched_job_arm() that checks for a NULL
entity pointer, reasoning that a NULL pointer exception will happen anyway
and it is better not to explicitly crash the entire kernel.

> diff --git a/drivers/gpu/drm/scheduler/sched_main.c b/drivers/gpu/drm/scheduler/sched_main.c
> index 818d3d4434b57..da9210632d81e 100644
> --- a/drivers/gpu/drm/scheduler/sched_main.c
> +++ b/drivers/gpu/drm/scheduler/sched_main.c
> @@ -646,7 +646,6 @@ void drm_sched_job_arm(struct drm_sched_job *job)
>  	struct drm_gpu_scheduler *sched;
>  	struct drm_sched_entity *entity = job->entity;
>  
> -	BUG_ON(!entity);
>  	drm_sched_entity_select_rq(entity);
>  	sched = container_of(entity->rq, typeof(*sched), rq);
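Review bot: With BUG_ON(!entity) removed, nothing at the top of drm_sched_job_arm() states that job->entity must be non-NULL, and the first dereference now happens in drm_sched_entity_select_rq(entity) or at entity->rq on the following line, so the resulting oops no longer names the violated precondition. Consider stating the requirement in the function's comment, or, if an early return is acceptable in this void function, a non-fatal "if (WARN_ON(!entity)) return;" so the report still points at the caller's mistake. The same two lines also feed entity->rq into container_of() without a NULL check, which is worth handling in the same pass.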

[Severity: High]
This is a pre-existing issue, but can this container_of() produce a negative
pointer if all schedulers are not ready?

If an entity has multiple schedulers and all of them have ready == false (for
example, during a GPU reset), drm_sched_pick_best() returns NULL:

drm_sched_entity_select_rq() {
	...
	sched = drm_sched_pick_best(entity->sched_list, entity->num_sched_list);
	rq = sched ? &sched->rq : NULL;
	if (rq != entity->rq) {
		drm_sched_rq_remove_entity(entity->rq, entity);
		entity->rq = rq;
	}
	...
}

When drm_sched_entity_select_rq() returns, entity->rq is NULL. Back in
drm_sched_job_arm(), the container_of() calculation yields an invalid negative
pointer because rq is not at offset 0 of struct drm_gpu_scheduler.

Later, when drm_sched_entity_push_job() is called, it recomputes this negative
pointer and dereferences it, causing an immediate page fault:

drm_sched_entity_push_job() {
	...
	struct drm_gpu_scheduler *sched =
		container_of(entity->rq, typeof(*sched), rq);
	...
	atomic_inc(sched->score);
	...
}

Is there a way to safely handle the case where no schedulers are ready here?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260625120151.1757146-2-phasta@kernel.org?part=1
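
The container_of() behaviour described in the review above, as an added userspace example that is not code from the patch, the review or the kernel tree. The mock_* structs, the lowest-score selection rule, owner_or_null() and the -ENODEV return are assumptions made for illustration; the address arithmetic is done in uintptr_t so the NULL case can be shown without undefined behaviour.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-ins for the scheduler structs (assumed layout). */
struct mock_rq { int unused; };
struct mock_sched { bool ready; int score; struct mock_rq rq; /* not at offset 0 */ };
struct mock_entity {
	struct mock_sched **sched_list;
	unsigned int num_sched_list;
	struct mock_rq *rq;
};

/* Address that container_of(rq, struct mock_sched, rq) would compute. */
static uintptr_t owner_addr(const struct mock_rq *rq)
{
	return (uintptr_t)rq - offsetof(struct mock_sched, rq);
}

/* NULL-preserving variant: a NULL member maps to a NULL container. */
static struct mock_sched *owner_or_null(struct mock_rq *rq)
{
	return rq ? (struct mock_sched *)owner_addr(rq) : NULL;
}

/* Models the quoted selection step: no ready scheduler leaves entity->rq NULL. */
static void mock_select_rq(struct mock_entity *e)
{
	struct mock_sched *best = NULL;

	for (unsigned int i = 0; i < e->num_sched_list; i++) {
		struct mock_sched *s = e->sched_list[i];
		if (s->ready && (!best || s->score < best->score))
			best = s;
	}
	e->rq = best ? &best->rq : NULL;
}

/* Hypothetical guarded arm step: report an error instead of a bogus pointer. */
static int mock_arm(struct mock_entity *e, struct mock_sched **out)
{
	mock_select_rq(e);
	*out = owner_or_null(e->rq);
	return *out ? 0 : -ENODEV;
}

int main(void)
{
	/* Constructed input: two schedulers, neither ready. */
	struct mock_sched a = { .ready = false }, b = { .ready = false };
	struct mock_sched *list[] = { &a, &b };
	struct mock_entity e = { list, 2, NULL };
	struct mock_sched *s;
	int ret = mock_arm(&e, &s);

	printf("unguarded: %#lx guarded ret: %d\n", (unsigned long)owner_addr(e.rq), ret);
	return 0;
}
```

The unguarded address is non-zero, so a later "if (!sched)" test would not catch it; the check has to be made on entity->rq before the offset is subtracted.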

Thread overview: 2+ messages
2026-06-25 12:01 [PATCH] drm/sched: Remove useless BUG_ON() Philipp Stanner
2026-06-25 12:11 ` sashiko-bot [this message]
