From: Matthew Auld <matthew.auld@intel.com>
To: Sanjay Yadav <sanjay.kumar.yadav@intel.com>,
dri-devel@lists.freedesktop.org
Cc: intel-xe@lists.freedesktop.org,
"Christian König" <christian.koenig@amd.com>,
"Arunpravin Paneer Selvam" <Arunpravin.PaneerSelvam@amd.com>
Subject: Re: [PATCH 1/2] drm/buddy: Prevent BUG_ON by validating rounded allocation
Date: Tue, 6 Jan 2026 16:04:23 +0000
Message-ID: <60ab8e82-a079-4ca1-adcc-ee50cfc5641d@intel.com>
In-Reply-To: <20251222065238.1661415-5-sanjay.kumar.yadav@intel.com>
On 22/12/2025 06:52, Sanjay Yadav wrote:
> When DRM_BUDDY_CONTIGUOUS_ALLOCATION is set, the requested size is
> rounded up to the next power-of-two via roundup_pow_of_two().
> Similarly, for non-contiguous allocations with large min_block_size,
> the size is aligned up via round_up(). Both operations can produce a
> rounded size that exceeds mm->size, which later triggers
> BUG_ON(order > mm->max_order).
>
> Example scenarios:
> - 9G CONTIGUOUS allocation on 10G VRAM memory:
> roundup_pow_of_two(9G) = 16G > 10G
> - 9G allocation with 8G min_block_size on 10G VRAM memory:
> round_up(9G, 8G) = 16G > 10G
>
> Fix this by checking the rounded size against mm->size. For
> non-contiguous or range allocations where size > mm->size is invalid,
> return -EINVAL immediately. For contiguous allocations without range
> restrictions, allow the request to fall through to the existing
> __alloc_contig_try_harder() fallback.
>
> This ensures invalid user input returns an error or uses the fallback
> path instead of hitting BUG_ON.
>
> Cc: Christian König <christian.koenig@amd.com>
> Cc: Arunpravin Paneer Selvam <Arunpravin.PaneerSelvam@amd.com>
> Suggested-by: Matthew Auld <matthew.auld@intel.com>
> Signed-off-by: Sanjay Yadav <sanjay.kumar.yadav@intel.com>

I think we should maybe add a fixes tag:

Fixes: 0a1844bf0b53 ("drm/buddy: Improve contiguous memory allocation")
Cc: <stable@vger.kernel.org> # v6.7+

?

I don't think current xe can actually trigger this yet, but not sure if
amdgpu or something can somehow trigger this in some obscure case.

We could maybe also add:

Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/6712

So it auto-closes plus gives some more context that this fix was
motivated from code inspection and not some user report. Otherwise I
think the change looks reasonable,

Reviewed-by: Matthew Auld <matthew.auld@intel.com>

> ---
> drivers/gpu/drm/drm_buddy.c | 9 +++++++++
> 1 file changed, 9 insertions(+)
>
> diff --git a/drivers/gpu/drm/drm_buddy.c b/drivers/gpu/drm/drm_buddy.c
> index 2f279b46bd2c..5141348fc6c9 100644
> --- a/drivers/gpu/drm/drm_buddy.c
> +++ b/drivers/gpu/drm/drm_buddy.c
> @@ -1155,6 +1155,15 @@ int drm_buddy_alloc_blocks(struct drm_buddy *mm,
> order = fls(pages) - 1;
> min_order = ilog2(min_block_size) - ilog2(mm->chunk_size);
>
> + if (order > mm->max_order || size > mm->size) {
> + if ((flags & DRM_BUDDY_CONTIGUOUS_ALLOCATION) &&
> + !(flags & DRM_BUDDY_RANGE_ALLOCATION))
> + return __alloc_contig_try_harder(mm, original_size,
> + original_min_size, blocks);
> +
> + return -EINVAL;
> + }
> +
> do {
> order = min(order, (unsigned int)fls(pages) - 1);
> BUG_ON(order > mm->max_order);
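
Review bot: The guard added ahead of the do loop routes a contiguous, non-range request to __alloc_contig_try_harder() with original_size and original_min_size, but nothing in the code says why that case is retried while every other oversized request gets -EINVAL. A short comment above "if (order > mm->max_order || size > mm->size)" stating that rounding can push size past mm->size and that the fallback works from the unrounded request would save the next reader a trip to the commit message. Separately, the BUG_ON(order > mm->max_order) in the trailing context is still a panic path fed by a caller-supplied size; the visible loop line only lowers order through min(), so a follow-up could turn it into a WARN_ON with an error return.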
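
The arithmetic behind the two example scenarios in the quoted commit message, as an added user-space C model that is not part of the patch or the kernel source. The 4 KiB chunk size, the max_order formula, the size-to-order step and the CONTIGUOUS/RANGE/FALLBACK constants are assumptions of this model standing in for the kernel's definitions.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define SZ_1G      (1ULL << 30)
#define CHUNK      4096ULL /* assumed mm->chunk_size */
#define CONTIGUOUS 1u      /* stands in for DRM_BUDDY_CONTIGUOUS_ALLOCATION */
#define RANGE      2u      /* stands in for DRM_BUDDY_RANGE_ALLOCATION */
#define FALLBACK   1       /* model-only: request goes to __alloc_contig_try_harder() */

static unsigned int ilog2_u64(uint64_t v)
{
	unsigned int n = 0;
	for (; v > 1; v >>= 1)
		n++;
	return n;
}

/* Assumed: max_order = ilog2(mm->size) - ilog2(mm->chunk_size). */
static unsigned int max_order(uint64_t mm_size)
{
	return ilog2_u64(mm_size) - ilog2_u64(CHUNK);
}

/* Size after the rounding the commit message describes. */
static uint64_t rounded_size(uint64_t size, uint64_t min_block, unsigned int flags)
{
	uint64_t p = 1;
	if (!(flags & CONTIGUOUS))
		return (size + min_block - 1) & ~(min_block - 1); /* round_up() */
	while (p < size) /* roundup_pow_of_two() */
		p <<= 1;
	return p;
}

/* 0 = enter the allocation loop; otherwise FALLBACK or -EINVAL, as in the guard. */
static int classify(uint64_t mm_size, uint64_t size, uint64_t min_block, unsigned int flags)
{
	uint64_t rounded = rounded_size(size, min_block, flags);
	unsigned int order = ilog2_u64(rounded / CHUNK); /* fls(pages) - 1 */
	if (order <= max_order(mm_size) && rounded <= mm_size)
		return 0;
	return ((flags & CONTIGUOUS) && !(flags & RANGE)) ? FALLBACK : -EINVAL;
}

int main(void)
{
	printf("max_order=%u contig=%d min8G=%d\n", max_order(10 * SZ_1G),
	       classify(10 * SZ_1G, 9 * SZ_1G, CHUNK, CONTIGUOUS),
	       classify(10 * SZ_1G, 9 * SZ_1G, 8 * SZ_1G, 0));
	return 0;
}
```

Without the guard, both 9G scenarios reach the loop with an order one above max_order for a 10G mm, which is the condition the BUG_ON tests.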