All of lore.kernel.org
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: "Honglei Huang" <honghuan@amd.com>
Cc: dri-devel@lists.freedesktop.org
Subject: Re: [PATCH v8 2/5] drm/gpusvm: embed struct drm_device into drm_gpusvm_pages
Date: Tue, 30 Jun 2026 03:47:51 +0000	[thread overview]
Message-ID: <20260630034752.288651F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260630033132.361144-3-honghuan@amd.com>

Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:

Pre-existing issues:
- [High] Device memory DMA mappings are leaked if an error occurs during the mapping loop in `drm_gpusvm_get_pages()`.
- [High] An uninitialized memory read occurs in `__drm_gpusvm_unmap_pages()` if IOVA allocation succeeds but linking fails on the very first page.
--

commit 4fe6a3e14e9c6c05c83b0d432b653dc56d06006d
Author: Honglei Huang <honghuan@amd.com>

drm/gpusvm: embed struct drm_device into drm_gpusvm_pages

Embeds the drm_device into drm_gpusvm_pages so that the pages object explicitly owns the drm handle. It routes DMA operations through svm_pages->drm instead of gpusvm->drm.

> diff --git a/drivers/gpu/drm/drm_gpusvm.c b/drivers/gpu/drm/drm_gpusvm.c
> index abdfdaaf5e23c..604554e40f62d 100644
> --- a/drivers/gpu/drm/drm_gpusvm.c
> +++ b/drivers/gpu/drm/drm_gpusvm.c

[ ... ]

> @@ -1532,10 +1541,10 @@ int drm_gpusvm_get_pages(struct drm_gpusvm *gpusvm,
>  			}
>  			svm_pages->dma_addr[j] =
>  				dpagemap->ops->device_map(dpagemap,
> -							  gpusvm->drm->dev,
> +							  svm_pages->drm->dev,
>  							  page, order,
>  							  dma_dir);
> -			if (dma_mapping_error(gpusvm->drm->dev,
> +			if (dma_mapping_error(svm_pages->drm->dev,
>  					      svm_pages->dma_addr[j].addr)) {
>  				err = -EFAULT;
>  				goto err_unmap;

[Severity: High]
This isn't a bug introduced by this patch, but does this leak device memory DMA mappings if an error occurs here?

If dma_mapping_error() fails (or if a later operation fails and jumps to err_unmap), __drm_gpusvm_unmap_pages() is called. However, svm_pages->dpagemap is not updated until the very end of drm_gpusvm_get_pages() on the success path.

Because svm_pages->dpagemap is still NULL in the error path, __drm_gpusvm_unmap_pages() evaluates the condition else if (dpagemap && dpagemap->ops->device_unmap) as false and silently skips cleanup for all successfully mapped device memory pages.

> @@ -1555,11 +1564,11 @@ int drm_gpusvm_get_pages(struct drm_gpusvm *gpusvm,
>  			}
>  
>  			if (!i)
> -				dma_iova_try_alloc(gpusvm->drm->dev, state,
> +				dma_iova_try_alloc(svm_pages->drm->dev, state,
>  						   0, npages * PAGE_SIZE);
>  
>  			if (dma_use_iova(state)) {
> -				err = dma_iova_link(gpusvm->drm->dev, state,
> +				err = dma_iova_link(svm_pages->drm->dev, state,
>  						    hmm_pfn_to_phys(pfns[i]),
>  						    svm_pages->state_offset,
>  						    PAGE_SIZE << order,

[Severity: High]
This is a pre-existing issue, but can this lead to an uninitialized memory read if linking fails on the very first page?

If dma_iova_try_alloc() succeeds but dma_iova_link() fails on the first iteration (i == 0), the code jumps to err_unmap with num_dma_mapped = 0 before initializing svm_pages->dma_addr[0].

The error path then calls __drm_gpusvm_unmap_pages(..., 0). Because use_iova is true, it unconditionally evaluates svm_pages->dma_addr[0].dir to call dma_iova_destroy(), reading from the uninitialized memory of the dma_addr array (which was allocated via kvmalloc_objs without zeroing).

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260630033132.361144-1-honghuan@amd.com?part=2

  reply	other threads:[~2026-06-30  3:47 UTC|newest]

Thread overview: 17+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-29  2:29 [PATCH v7 0/5] drm/gpusvm: split MM and device state across gpusvm/range/pages Honglei Huang
2026-06-29  2:29 ` [PATCH v7 1/5] drm/gpusvm: split MM state flags out of drm_gpusvm_pages_flags Honglei Huang
2026-06-29  2:29 ` [PATCH v7 2/5] drm/gpusvm: embed struct drm_device into drm_gpusvm_pages Honglei Huang
2026-06-29  2:29 ` [PATCH v7 3/5] drm/xe: have xe_svm_range embed one drm_gpusvm_pages Honglei Huang
2026-06-29  2:29 ` [PATCH v7 4/5] drm/gpusvm: move struct drm_gpusvm_pages out of struct drm_gpusvm_range Honglei Huang
2026-06-29 16:27   ` Matthew Brost
2026-06-29  2:29 ` [PATCH v7 5/5] drm/gpusvm: let the drm_gpusvm core context purely MM level Honglei Huang
2026-06-29 18:51 ` ✗ CI.KUnit: failure for drm/gpusvm: split MM and device state across gpusvm/range/pages (rev2) Patchwork
2026-06-30  3:31 ` [PATCH v8 0/5] drm/gpusvm: split MM and device state across gpusvm/range/pages Honglei Huang
2026-06-30  3:31   ` [PATCH v8 1/5] drm/gpusvm: split MM state flags out of drm_gpusvm_pages_flags Honglei Huang
2026-06-30  3:31   ` [PATCH v8 2/5] drm/gpusvm: embed struct drm_device into drm_gpusvm_pages Honglei Huang
2026-06-30  3:47     ` sashiko-bot [this message]
2026-06-30  3:31   ` [PATCH v8 3/5] drm/xe: have xe_svm_range embed one drm_gpusvm_pages Honglei Huang
2026-06-30  3:31   ` [PATCH v8 4/5] drm/gpusvm: move struct drm_gpusvm_pages out of struct drm_gpusvm_range Honglei Huang
2026-06-30  3:58     ` sashiko-bot
2026-06-30  3:31   ` [PATCH v8 5/5] drm/gpusvm: let the drm_gpusvm core context purely MM level Honglei Huang
  -- strict thread matches above, loose matches on Subject: below --
2026-06-30  3:37 [PATCH v8 0/5] drm/gpusvm: split MM and device state across gpusvm/range/pages Honglei Huang
2026-06-30  3:37 ` [PATCH v8 2/5] drm/gpusvm: embed struct drm_device into drm_gpusvm_pages Honglei Huang

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260630034752.288651F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=dri-devel@lists.freedesktop.org \
    --cc=honghuan@amd.com \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.