From: sashiko-bot@kernel.org
To: "Rob Clark" <robin.clark@oss.qualcomm.com>
Cc: dri-devel@lists.freedesktop.org
Subject: Re: [PATCH v2 1/3] drm/msm: Fix barriers accessing ctx vm
Date: Thu, 25 Jun 2026 19:28:31 +0000 [thread overview]
Message-ID: <20260625192832.16AA81F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260625191537.47965-2-robin.clark@oss.qualcomm.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] Direct access to uninitialized `ctx->vm` in `adreno_set_param` bypasses validation, allowing `VM_BIND` on global VMs.
--
commit be0b70b2e7a9f55182d48578fb53358469060fcb
Author: Rob Clark <robin.clark@oss.qualcomm.com>
drm/msm: Fix barriers accessing ctx vm
This commit adds load-acquire and store-release barriers when accessing
and lazily initializing ctx->vm in msm_context_vm(). This prevents callers
from seeing a partially initialized virtual memory state.
> diff --git a/drivers/gpu/drm/msm/msm_drv.c b/drivers/gpu/drm/msm/msm_drv.c
> index 32d5ebea2596f..ec88155e0ed72 100644
> --- a/drivers/gpu/drm/msm/msm_drv.c
> +++ b/drivers/gpu/drm/msm/msm_drv.c
> @@ -224,18 +224,19 @@ struct drm_gpuvm *msm_context_vm(struct drm_device *dev, struct msm_context *ctx
> {
> static DEFINE_MUTEX(init_lock);
> struct msm_drm_private *priv = dev->dev_private;
> + struct drm_gpuvm *vm = smp_load_acquire(&ctx->vm);
>
> /* Once ctx->vm is created it is valid for the lifetime of the context: */
> - if (ctx->vm)
> - return ctx->vm;
> + if (vm)
> + return vm;
[Severity: High]
This isn't a bug introduced by this patch, but seeing the fixes to ctx->vm
lazy initialization here points to a related problem in adreno_set_param().
Looking at adreno_set_param() in drivers/gpu/drm/msm/adreno/adreno_gpu.c,
there is this check when enabling VM_BIND:
if (ctx->vm == gpu->vm)
return UERR(EINVAL, drm, "requires per-process pgtables");
Since ctx->vm starts as NULL and is lazily initialized, couldn't this
check fail to catch global VMs (since NULL != gpu->vm) if msm_context_vm()
hasn't been called yet?
If unprivileged userspace opts into VM_BIND mode before the VM is
initialized, could this bypass the validation check on platforms without
per-process pagetables, potentially allowing arbitrary mapping in the
global GPU address space?
Should this be using msm_context_vm(dev, ctx) instead to ensure the
VM is instantiated before checking?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260625191537.47965-1-robin.clark@oss.qualcomm.com?part=1
next prev parent reply other threads:[~2026-06-25 19:28 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-25 19:15 [PATCH v2 0/3] drm/msm: A couple lazy-vm fixes Rob Clark
2026-06-25 19:15 ` [PATCH v2 1/3] drm/msm: Fix barriers accessing ctx vm Rob Clark
2026-06-25 19:28 ` sashiko-bot [this message]
2026-06-25 19:15 ` [PATCH v2 2/3] drm/msm: Validate lazy VM is created in GEM_SUBMIT Rob Clark
2026-06-25 19:32 ` sashiko-bot
2026-06-25 19:15 ` [PATCH v2 3/3] drm/msm: Validate lazy VM in GEM_NEW Rob Clark
2026-06-25 19:23 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260625192832.16AA81F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=dri-devel@lists.freedesktop.org \
--cc=robin.clark@oss.qualcomm.com \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.