1. Patchew
  2. linux
  3. [PATCH 00/62] Bug fixes and refactoring patches related to locking
  4. View patch

[PATCH 12/62] drm/gpusvm.c: Fix a locking bug in an error path

Bart Van Assche posted 62 patches 1 month ago
Only 30 patches received!
[PATCH 12/62] drm/gpusvm.c: Fix a locking bug in an error path
Posted by Bart Van Assche 1 month ago 
From: Bart Van Assche <bvanassche@acm.org>

Only call drm_gpusvm_notifier_unlock() if drm_gpusvm_notifier_lock() was
called first. This has been detected by the Clang thread-safety
analyzer. Compile-tested only.

Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com>
Cc: Matthew Brost <matthew.brost@intel.com>
Cc: Himal Prasad Ghimiray <himal.prasad.ghimiray@intel.com>
Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
Fixes: f1d08a586482 ("drm/gpusvm: Introduce a function to scan the current migration state")
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
---
 drivers/gpu/drm/drm_gpusvm.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/drm_gpusvm.c b/drivers/gpu/drm/drm_gpusvm.c
index 24180bfdf5a2..e9b79ab2f83c 100644
--- a/drivers/gpu/drm/drm_gpusvm.c
+++ b/drivers/gpu/drm/drm_gpusvm.c
@@ -819,7 +819,7 @@ enum drm_gpusvm_scan_result drm_gpusvm_scan_mm(struct drm_gpusvm_range *range,
 
 		if (!(pfns[i] & HMM_PFN_VALID)) {
 			state = DRM_GPUSVM_SCAN_UNPOPULATED;
-			goto err_free;
+			goto unlock;
 		}
 
 		page = hmm_pfn_to_page(pfns[i]);
@@ -856,9 +856,10 @@ enum drm_gpusvm_scan_result drm_gpusvm_scan_mm(struct drm_gpusvm_range *range,
 		i += 1ul << drm_gpusvm_hmm_pfn_to_order(pfns[i], i, npages);
 	}
 
-err_free:
+unlock:
 	drm_gpusvm_notifier_unlock(range->gpusvm);
 
+err_free:
 	kvfree(pfns);
 	return state;
 }
Re: [PATCH 12/62] drm/gpusvm.c: Fix a locking bug in an error path
Posted by Matthew Brost 1 month ago 
On Mon, Feb 23, 2026 at 02:00:12PM -0800, Bart Van Assche wrote:
> From: Bart Van Assche <bvanassche@acm.org>
> 
> Only call drm_gpusvm_notifier_unlock() if drm_gpusvm_notifier_lock() was
> called first. This has been detected by the Clang thread-safety
> analyzer. Compile-tested only.
> 
> Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com>
> Cc: Matthew Brost <matthew.brost@intel.com>
> Cc: Himal Prasad Ghimiray <himal.prasad.ghimiray@intel.com>
> Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
> Fixes: f1d08a586482 ("drm/gpusvm: Introduce a function to scan the current migration state")
> Signed-off-by: Bart Van Assche <bvanassche@acm.org>
> ---
>  drivers/gpu/drm/drm_gpusvm.c | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/gpu/drm/drm_gpusvm.c b/drivers/gpu/drm/drm_gpusvm.c
> index 24180bfdf5a2..e9b79ab2f83c 100644
> --- a/drivers/gpu/drm/drm_gpusvm.c
> +++ b/drivers/gpu/drm/drm_gpusvm.c
> @@ -819,7 +819,7 @@ enum drm_gpusvm_scan_result drm_gpusvm_scan_mm(struct drm_gpusvm_range *range,
>  
>  		if (!(pfns[i] & HMM_PFN_VALID)) {
>  			state = DRM_GPUSVM_SCAN_UNPOPULATED;
> -			goto err_free;
> +			goto unlock;

Indeed a problem but we have this fixed in drm-tip.

git format-patch -1 d287dee565c3c

'drm/gpusvm: Fix unbalanced unlock in drm_gpusvm_scan_mm'

Not sure which tree you are in but this should propagate up to Linus
during the 7.0 cycle.

Matt

>  		}
>  
>  		page = hmm_pfn_to_page(pfns[i]);
> @@ -856,9 +856,10 @@ enum drm_gpusvm_scan_result drm_gpusvm_scan_mm(struct drm_gpusvm_range *range,
>  		i += 1ul << drm_gpusvm_hmm_pfn_to_order(pfns[i], i, npages);
>  	}
>  
> -err_free:
> +unlock:
>  	drm_gpusvm_notifier_unlock(range->gpusvm);
>  
> +err_free:
>  	kvfree(pfns);
>  	return state;
>  }
Re: [PATCH 12/62] drm/gpusvm.c: Fix a locking bug in an error path
Posted by Bart Van Assche 1 month ago 
On 2/23/26 2:11 PM, Matthew Brost wrote:
> On Mon, Feb 23, 2026 at 02:00:12PM -0800, Bart Van Assche wrote:
>> From: Bart Van Assche <bvanassche@acm.org>
>>
>> Only call drm_gpusvm_notifier_unlock() if drm_gpusvm_notifier_lock() was
>> called first. This has been detected by the Clang thread-safety
>> analyzer. Compile-tested only.
>>
>> Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com>
>> Cc: Matthew Brost <matthew.brost@intel.com>
>> Cc: Himal Prasad Ghimiray <himal.prasad.ghimiray@intel.com>
>> Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
>> Fixes: f1d08a586482 ("drm/gpusvm: Introduce a function to scan the current migration state")
>> Signed-off-by: Bart Van Assche <bvanassche@acm.org>
>> ---
>>   drivers/gpu/drm/drm_gpusvm.c | 5 +++--
>>   1 file changed, 3 insertions(+), 2 deletions(-)
>>
>> diff --git a/drivers/gpu/drm/drm_gpusvm.c b/drivers/gpu/drm/drm_gpusvm.c
>> index 24180bfdf5a2..e9b79ab2f83c 100644
>> --- a/drivers/gpu/drm/drm_gpusvm.c
>> +++ b/drivers/gpu/drm/drm_gpusvm.c
>> @@ -819,7 +819,7 @@ enum drm_gpusvm_scan_result drm_gpusvm_scan_mm(struct drm_gpusvm_range *range,
>>   
>>   		if (!(pfns[i] & HMM_PFN_VALID)) {
>>   			state = DRM_GPUSVM_SCAN_UNPOPULATED;
>> -			goto err_free;
>> +			goto unlock;
> 
> Indeed a problem but we have this fixed in drm-tip.
> 
> git format-patch -1 d287dee565c3c
> 
> 'drm/gpusvm: Fix unbalanced unlock in drm_gpusvm_scan_mm'
> 
> Not sure which tree you are in but this should propagate up to Linus
> during the 7.0 cycle.

Thanks Matt for the quick follow-up. This patch series is based on
Linus' master branch. Since a fix has already been queued in the drm-tip
branch, I will drop this patch.

Bart.

Patchew 2.1-devel-ea86937

© 2016 - 2026 Red Hat, Inc.