From: sashiko-bot@kernel.org
To: "Robert Mader" <robert.mader@collabora.com>
Cc: dri-devel@lists.freedesktop.org
Subject: Re: [RFC PATCH 1/2] dma-buf/udmabuf: Introduce CONFIG_UDMABUF_SIZE_LIMIT_MBYTES
Date: Sat, 11 Jul 2026 14:58:44 +0000 [thread overview]
Message-ID: <20260711145844.A5EE31F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260711144814.8205-1-robert.mader@collabora.com>
Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:
New issues:
- [Low] CONFIG_UDMABUF_SIZE_LIMIT_MBYTES lacks a dependency on CONFIG_UDMABUF.
- [Low] Missing range constraint on UDMABUF_SIZE_LIMIT_MBYTES allows negative values, bypassing size validation.
Pre-existing issues:
- [High] Concurrent calls to DMA_BUF_IOCTL_SYNC trigger a race condition in begin_cpu_udmabuf, leading to a memory leak.
--
--- Patch [1]: [RFC PATCH 1/2] dma-buf/udmabuf: Introduce CONFIG_UDMABUF_SIZE_LIMIT_MBYTES ---
commit 258354f822e15700d93d45826a3e51b308dd35b8
Author: Robert Mader <robert.mader@collabora.com>
dma-buf/udmabuf: Introduce CONFIG_UDMABUF_SIZE_LIMIT_MBYTES
This patch introduces a new Kconfig option, CONFIG_UDMABUF_SIZE_LIMIT_MBYTES,
to allow distributions to configure the maximum size limit for udmabufs at
compile time. The limit defaults to 64MB and was previously only configurable
via the kernel command line.
> diff --git a/drivers/dma-buf/Kconfig b/drivers/dma-buf/Kconfig
> index 7efc0f0d07126..35f0779cdc801 100644
> --- a/drivers/dma-buf/Kconfig
> +++ b/drivers/dma-buf/Kconfig
> @@ -40,6 +40,12 @@ config UDMABUF
> A driver to let userspace turn memfd regions into dma-bufs.
> Qemu can use this to create host dmabufs for guest framebuffers.
>
> +config UDMABUF_SIZE_LIMIT_MBYTES
> + int "Size limit in Mega Bytes"
> + default 64
[Severity: Low]
Should this config have a 'depends on UDMABUF' directive?
Without it, users might be prompted to configure the size limit even
when the UDMABUF driver itself is disabled, polluting the global config.
[Severity: Low]
Could a user configure a negative value here and bypass the size limits?
If this is set to a negative value, it appears it will wrap around to a
massive value when cast to u64 in udmabuf_create():
drivers/dma-buf/udmabuf.c:udmabuf_create() {
...
pglimit = ((u64)size_limit_mb * 1024 * 1024) >> PAGE_SHIFT;
...
}
Would it be safer to add a range constraint to the Kconfig definition?
> + help
> + Maximum size of a udmabuf, in megabytes. Default is 64.
> +
> config DMABUF_DEBUG
> bool "DMA-BUF debug checks"
> depends on DMA_SHARED_BUFFER
[ ... ]
> diff --git a/drivers/dma-buf/udmabuf.c b/drivers/dma-buf/udmabuf.c
> index bced421c0d658..a831533263621 100644
> --- a/drivers/dma-buf/udmabuf.c
> +++ b/drivers/dma-buf/udmabuf.c
> @@ -20,7 +20,11 @@ static int list_limit = 1024;
> module_param(list_limit, int, 0644);
> MODULE_PARM_DESC(list_limit, "udmabuf_create_list->count limit. Default is 1024.");
>
> +#ifdef CONFIG_UDMABUF_SIZE_LIMIT_MBYTES
> +static int size_limit_mb = CONFIG_UDMABUF_SIZE_LIMIT_MBYTES;
> +#else
> static int size_limit_mb = 64;
> +#endif
> module_param(size_limit_mb, int, 0644);
> MODULE_PARM_DESC(size_limit_mb, "Max size of a dmabuf, in megabytes. Default is 64.");
>
[Severity: High]
This is a pre-existing issue, but can concurrent calls to
DMA_BUF_IOCTL_SYNC cause a memory leak?
Looking at begin_cpu_udmabuf(), the scatter-gather table pointer is
checked and assigned without locks:
drivers/dma-buf/udmabuf.c:begin_cpu_udmabuf() {
...
if (!ubuf->sg) {
ubuf->sg = get_sg_table(dev, buf, direction);
...
}
If multiple threads invoke the ioctl simultaneously, could they bypass
the check, allocate multiple tables, and overwrite ubuf->sg, permanently
leaking the previously allocated tables and mappings?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260711144814.8205-1-robert.mader@collabora.com?part=1
next prev parent reply other threads:[~2026-07-11 14:58 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-11 14:48 [RFC PATCH 1/2] dma-buf/udmabuf: Introduce CONFIG_UDMABUF_SIZE_LIMIT_MBYTES Robert Mader
2026-07-11 14:48 ` [RFC PATCH 2/2] dma-buf/udmabuf: Increase default size limit to 256MB Robert Mader
2026-07-11 14:58 ` sashiko-bot [this message]
2026-07-13 9:12 ` [RFC PATCH 1/2] dma-buf/udmabuf: Introduce CONFIG_UDMABUF_SIZE_LIMIT_MBYTES Christian König
2026-07-13 10:17 ` Robert Mader
2026-07-14 6:42 ` Kasireddy, Vivek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260711145844.A5EE31F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=dri-devel@lists.freedesktop.org \
--cc=robert.mader@collabora.com \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.