From: sashiko-bot@kernel.org
To: "Thomas Hellström" <thomas.hellstrom@linux.intel.com>
Cc: dri-devel@lists.freedesktop.org, hannes@cmpxchg.org,
mkoutny@suse.com, tj@kernel.org
Subject: Re: [PATCH v7 4/6] drm/ttm: Hook up a cgroup-aware reclaim callback for the dmem controller
Date: Fri, 03 Jul 2026 13:19:59 +0000
Message-ID: <20260703132000.2993D1F000E9@smtp.kernel.org>
In-Reply-To: <20260703130541.2686-5-thomas.hellstrom@linux.intel.com>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

- [High] `ttm_resource_manager_set_dmem_region()` fails to clear the cgroup region pointer when passed `NULL`, leaving a dangling pointer that can cause a use-after-free.

--

commit 02822c8c1770f6a971fca6d0ddb57472d4eea596
Author: Thomas Hellström <thomas.hellstrom@linux.intel.com>

drm/ttm: Hook up a cgroup-aware reclaim callback for the dmem controller

This commit introduces functionality to evict buffer objects charged to a
specific dmem cgroup pool from a resource manager's LRU. It adds
ttm_resource_manager_set_dmem_region() to associate a dmem cgroup region
with a resource manager, and provides a reclaim callback that drivers can
wire up to TTM eviction.

> diff --git a/drivers/gpu/drm/ttm/ttm_resource.c b/drivers/gpu/drm/ttm/ttm_resource.c
> index 154d6739256f8..ad00723e99ef1 100644
> --- a/drivers/gpu/drm/ttm/ttm_resource.c
> +++ b/drivers/gpu/drm/ttm/ttm_resource.c
[ ... ]
> +void ttm_resource_manager_set_dmem_region(struct ttm_resource_manager *man,
> + struct dmem_cgroup_region *region)
> +{
> + if (!IS_ERR_OR_NULL(region))
> + man->cg = region;
> +}
> +EXPORT_SYMBOL(ttm_resource_manager_set_dmem_region);
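
Review bot: at `if (!IS_ERR_OR_NULL(region))`, an ERR_PTR argument is dropped just as silently as NULL, `man->cg` keeps whatever it held before the call, and the void return gives the caller no way to tell that nothing was assigned. If both cases are meant to leave the manager without a cgroup region, an explicit assignment such as `man->cg = IS_ERR_OR_NULL(region) ? NULL : region;` makes that state unambiguous, and the function's kerneldoc should state what NULL and error pointers do here.
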
[Severity: High]

The v5 changelog mentions handling a NULL region here to clear the reclaim
callback and prevent use-after-free bugs. However, if region is NULL,
!IS_ERR_OR_NULL(region) evaluates to false.

Does this skip the assignment and fail to clear man->cg, leaving a dangling
pointer if a driver tries to detach the region before teardown?

Should this code check !IS_ERR(region) instead, or unconditionally assign
man->cg = NULL when the passed region is NULL?

--
Sashiko AI review · https://sashiko.dev/#/patchset/20260703130541.2686-1-thomas.hellstrom@linux.intel.com?part=4