From: sashiko-bot@kernel.org
To: "Rob Clark" <robin.clark@oss.qualcomm.com>
Cc: dri-devel@lists.freedesktop.org
Subject: Re: [PATCH v2 2/3] drm/msm: Validate lazy VM is created in GEM_SUBMIT
Date: Thu, 25 Jun 2026 19:32:25 +0000
Message-ID: <20260625193225.CE24F1F000E9@smtp.kernel.org>
In-Reply-To: <20260625191537.47965-3-robin.clark@oss.qualcomm.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [Critical] The MSM_PARAM_EN_VM_BIND ioctl validation compares an uninitialized context VM against the global VM, failing to prevent VM_BIND enablement on GPUs without per-process page tables.
--
commit 0fcb5ea6b90013aec15c2f186ee0bbf02e4e4818
Author: Rob Clark <robin.clark@oss.qualcomm.com>
drm/msm: Validate lazy VM is created in GEM_SUBMIT
Otherwise a GEM_SUBMIT ioctl before any BOs are mapped could cause a
NPE.
> diff --git a/drivers/gpu/drm/msm/msm_gem_submit.c b/drivers/gpu/drm/msm/msm_gem_submit.c
> index 3c6bc90c3d486..56929e8212008 100644
> --- a/drivers/gpu/drm/msm/msm_gem_submit.c
> +++ b/drivers/gpu/drm/msm/msm_gem_submit.c
[ ... ]
> @@ -572,7 +573,7 @@ int msm_ioctl_gem_submit(struct drm_device *dev, void *data,
> if (args->pad)
> return -EINVAL;
>
> - if (to_msm_vm(ctx->vm)->unusable)
> + if (vm && to_msm_vm(vm)->unusable)
> return UERR(EPIPE, dev, "context is unusable");
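Review bot: with the new `vm && to_msm_vm(vm)->unusable` test, a NULL `vm` now silently skips the unusable check rather than being rejected, so the validation the subject promises has to live in the elided part of this hunk (`[ ... ]`) where `vm` is obtained; please confirm that a NULL `vm` returns an error there before execution reaches this point, and consider stating in the commit message which error a submit issued before any BO is mapped now receives, since "could cause a NPE" only describes the symptom.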
[Severity: Critical]
This is a pre-existing issue, but since we are fixing lazy VM access
here, is there a similar issue in adreno_set_param() when handling
MSM_PARAM_EN_VM_BIND?
Looking at drivers/gpu/drm/msm/adreno/adreno_gpu.c:
adreno_set_param()
{
	...
	case MSM_PARAM_EN_VM_BIND:
		/* We can only support VM_BIND with per-process pgtables: */
		if (ctx->vm == gpu->vm)
			return UERR(EINVAL, drm, "requires per-process pgtables");
Because ctx->vm can be NULL prior to lazy initialization, this check
evaluates to false, allowing the restriction to be bypassed.
Could this allow an unprivileged user to enable userspace management
(VM_BIND) on older GPUs that fall back to the globally shared GPU VM,
and overwrite page tables shared by other processes?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260625191537.47965-1-robin.clark@oss.qualcomm.com?part=2
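The NULL ctx->vm bypass the bot describes, modelled in C as an added example (not code from the msm driver or from this patch series): the struct names, ctx_get_vm() and run_check() are stand-ins, and en_vm_bind_fixed() shows one possible hardening (resolve the lazy VM before comparing), not the driver's actual fix.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>

/* Hypothetical stand-ins for the driver's VM, GPU and context objects. */
struct vm { int id; };
struct gpu { struct vm *vm; bool per_process_pgtables; }; /* vm = shared GPU VM */
struct ctx { struct vm *vm; };                              /* NULL until lazily created */

/* Lazy VM creation as the review describes it: a private VM on hardware with
 * per-process pgtables, otherwise the globally shared GPU VM. (Model only.) */
static struct vm *ctx_get_vm(struct ctx *ctx, struct gpu *gpu)
{
	if (!ctx->vm)
		ctx->vm = gpu->per_process_pgtables ? calloc(1, sizeof(*ctx->vm)) : gpu->vm;
	return ctx->vm;
}

/* The check as quoted in the review. Before any BO is mapped ctx->vm is still
 * NULL, so NULL != gpu->vm and VM_BIND is allowed even where the context will
 * later fall back to the shared VM. */
static int en_vm_bind_buggy(struct ctx *ctx, struct gpu *gpu)
{
	if (ctx->vm == gpu->vm)
		return -EINVAL;
	return 0;
}

/* One hardening (assumed, not the driver's actual fix): resolve the lazy VM
 * first, so the comparison is against the VM the context will really use. */
static int en_vm_bind_fixed(struct ctx *ctx, struct gpu *gpu)
{
	if (ctx_get_vm(ctx, gpu) == gpu->vm)
		return -EINVAL;
	return 0;
}

/* Run one check against a fresh context (no VM yet) on a GPU with or without
 * per-process pgtables; returns the check's result (0 = VM_BIND enabled). */
static int run_check(bool per_process, int (*check)(struct ctx *, struct gpu *))
{
	struct vm shared = { .id = 1 };
	struct gpu gpu = { .vm = &shared, .per_process_pgtables = per_process };
	struct ctx ctx = { .vm = NULL };
	int ret = check(&ctx, &gpu);
	if (ctx.vm && ctx.vm != &shared)
		free(ctx.vm);
	return ret;
}
```

On a GPU without per-process pgtables, run_check(false, en_vm_bind_buggy) returns 0 (the restriction is bypassed) while run_check(false, en_vm_bind_fixed) returns -EINVAL; on capable hardware both return 0.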
Thread overview: 7+ messages
2026-06-25 19:15 [PATCH v2 0/3] drm/msm: A couple lazy-vm fixes Rob Clark
2026-06-25 19:15 ` [PATCH v2 1/3] drm/msm: Fix barriers accessing ctx vm Rob Clark
2026-06-25 19:28 ` sashiko-bot
2026-06-25 19:15 ` [PATCH v2 2/3] drm/msm: Validate lazy VM is created in GEM_SUBMIT Rob Clark
2026-06-25 19:32 ` sashiko-bot [this message]
2026-06-25 19:15 ` [PATCH v2 3/3] drm/msm: Validate lazy VM in GEM_NEW Rob Clark
2026-06-25 19:23 ` sashiko-bot