From: sashiko-bot@kernel.org
To: "Thomas Hellström" <thomas.hellstrom@linux.intel.com>
Cc: hannes@cmpxchg.org, dri-devel@lists.freedesktop.org,
tj@kernel.org, mkoutny@suse.com
Subject: Re: [PATCH v7 1/6] drm/amdgpu: Fix init ordering in amdgpu_vram_mgr_init()
Date: Fri, 03 Jul 2026 13:26:40 +0000 [thread overview]
Message-ID: <20260703132641.2F3801F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260703130541.2686-2-thomas.hellstrom@linux.intel.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] The patch resolves a panic when `drmm_cgroup_register_region()` fails, but leaves an identical teardown vulnerability if `gpu_buddy_init()` fails.
--
commit 3650035d068659ae5cf730d3debae46e3ebe9589
Author: Thomas Hellström <thomas.hellstrom@linux.intel.com>
drm/amdgpu: Fix init ordering in amdgpu_vram_mgr_init()
This commit fixes a kernel panic on the module load error path by moving
drmm_cgroup_register_region() after the list and buddy allocator are fully
initialized. This prevents the teardown path from dereferencing uninitialized
pointers if the cgroup registration fails.
Closes: https://sashiko.dev/#/patchset/20260428073116.15687-1-thomas.hellstrom@linux.intel.com?part=4
> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c
> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c
> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c
[ ... ]
> @@ -935,6 +932,10 @@ int amdgpu_vram_mgr_init(struct amdgpu_device *adev)
> err = gpu_buddy_init(&mgr->mm, man->size, PAGE_SIZE);
> if (err)
> return err;
[Severity: High]
This isn't a bug introduced by this patch, but while fixing the teardown
vulnerability for the cgroup registration, does this leave an identical
teardown vulnerability if gpu_buddy_init() fails?
If gpu_buddy_init() fails, it frees the memory but leaves dangling pointers
and a non-zero mm->n_roots:
drivers/gpu/buddy.c:gpu_buddy_init() {
...
out_free_roots:
while (root_count--)
gpu_block_free(mm, mm->roots[root_count]);
kfree(mm->roots);
out_free_tree:
while (i--)
kfree(mm->free_trees[i]);
kfree(mm->free_trees);
return -ENOMEM;
}
Since adev->mman.initialized is already set to true by the caller
(amdgpu_ttm_init()), returning this error triggers the driver's teardown path
which unconditionally calls gpu_buddy_fini():
drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c:amdgpu_vram_mgr_fini() {
...
if (!adev->gmc.is_app_apu)
gpu_buddy_fini(&mgr->mm);
...
}
This would lead to a use-after-free, NULL pointer dereference, and
double-free when gpu_buddy_fini() iterates up to the non-zero mm->n_roots:
drivers/gpu/buddy.c:gpu_buddy_fini() {
...
for (i = 0; i < mm->n_roots; ++i) {
order = ilog2(size) - ilog2(mm->chunk_size);
start = gpu_buddy_block_offset(mm->roots[i]);
...
}
Should gpu_buddy_init() clear mm->n_roots and zero the pointers on error,
or should amdgpu_vram_mgr_init() clear its state upon this failure?
> + man->cg = drmm_cgroup_register_region(adev_to_drm(adev), "vram", adev->gmc.real_vram_size);
> + if (IS_ERR(man->cg))
> + return PTR_ERR(man->cg);
> +
> ttm_set_driver_manager(&adev->mman.bdev, TTM_PL_VRAM, &mgr->manager);
> ttm_resource_manager_set_used(man, true);
> return 0;
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260703130541.2686-1-thomas.hellstrom@linux.intel.com?part=1
next prev parent reply other threads:[~2026-07-03 13:26 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-03 13:05 [PATCH v7 0/6] Add reclaim to the dmem cgroup controller Thomas Hellström
2026-07-03 13:05 ` [PATCH v7 1/6] drm/amdgpu: Fix init ordering in amdgpu_vram_mgr_init() Thomas Hellström
2026-07-03 13:08 ` Christian König
2026-07-03 13:11 ` Thomas Hellström
2026-07-03 13:26 ` sashiko-bot [this message]
2026-07-03 13:05 ` [PATCH v7 2/6] cgroup/dmem: Introduce struct dmem_cgroup_init for region initialization Thomas Hellström
2026-07-03 13:05 ` [PATCH v7 3/6] cgroup/dmem: Add reclaim callback for lowering max below current usage Thomas Hellström
2026-07-03 13:24 ` sashiko-bot
2026-07-03 13:05 ` [PATCH v7 4/6] drm/ttm: Hook up a cgroup-aware reclaim callback for the dmem controller Thomas Hellström
2026-07-03 13:19 ` sashiko-bot
2026-07-03 13:05 ` [PATCH v7 5/6] drm/xe: Wire up dmem cgroup reclaim for VRAM manager Thomas Hellström
2026-07-03 13:05 ` [PATCH v7 6/6] drm/amdgpu: " Thomas Hellström
2026-07-03 13:25 ` sashiko-bot
2026-07-03 14:37 ` [PATCH v7 0/6] Add reclaim to the dmem cgroup controller Thadeu Lima de Souza Cascardo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260703132641.2F3801F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=dri-devel@lists.freedesktop.org \
--cc=hannes@cmpxchg.org \
--cc=mkoutny@suse.com \
--cc=sashiko-reviews@lists.linux.dev \
--cc=thomas.hellstrom@linux.intel.com \
--cc=tj@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox