[PATCH v2] drm/msm: Fix dma_free

public inbox for drm-ai-reviews@public-inbox.freedesktop.org
 help / color / mirror / Atom feed

* [PATCH v2] drm/msm: Fix dma_free_attrs() buffer size
@ 2026-02-26  9:57 Thomas Fourier
  2026-02-27  2:28 ` Claude review: " Claude Code Review Bot
  2026-02-27  2:28 ` Claude Code Review Bot
  0 siblings, 2 replies; 3+ messages in thread
From: Thomas Fourier @ 2026-02-26  9:57 UTC (permalink / raw)
  Cc: Thomas Fourier, stable, Rob Clark, Sean Paul, Konrad Dybcio,
	Akhil P Oommen, Dmitry Baryshkov, Abhinav Kumar, Jessica Zhang,
	Marijn Suijten, David Airlie, Simona Vetter, Jonathan Marek,
	linux-arm-msm, dri-devel, freedreno, linux-kernel

The gpummu->table buffer is alloc'd with size TABLE_SIZE + 32 in
a2xx_gpummu_new() but freed with size TABLE_SIZE in
a2xx_gpummu_destroy().

Change the free size to match the allocation.

Fixes: c2052a4e5c99 ("drm/msm: implement a2xx mmu")
Cc: <stable@vger.kernel.org>
Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
---
v1->v2:
  - Fix subject prefix

 drivers/gpu/drm/msm/adreno/a2xx_gpummu.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/msm/adreno/a2xx_gpummu.c b/drivers/gpu/drm/msm/adreno/a2xx_gpummu.c
index 0407c9bc8c1b..4467b04527cd 100644
--- a/drivers/gpu/drm/msm/adreno/a2xx_gpummu.c
+++ b/drivers/gpu/drm/msm/adreno/a2xx_gpummu.c
@@ -78,7 +78,7 @@ static void a2xx_gpummu_destroy(struct msm_mmu *mmu)
 {
 	struct a2xx_gpummu *gpummu = to_a2xx_gpummu(mmu);
 
-	dma_free_attrs(mmu->dev, TABLE_SIZE, gpummu->table, gpummu->pt_base,
+	dma_free_attrs(mmu->dev, TABLE_SIZE + 32, gpummu->table, gpummu->pt_base,
 		DMA_ATTR_FORCE_CONTIGUOUS);
 
 	kfree(gpummu);
-- 
2.52.0


^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Claude review: drm/msm: Fix dma_free_attrs() buffer size
  2026-02-26  9:57 [PATCH v2] drm/msm: Fix dma_free_attrs() buffer size Thomas Fourier
@ 2026-02-27  2:28 ` Claude Code Review Bot
  2026-02-27  2:28 ` Claude Code Review Bot
  1 sibling, 0 replies; 3+ messages in thread
From: Claude Code Review Bot @ 2026-02-27  2:28 UTC (permalink / raw)
  To: dri-devel-reviews

Overall Series Review

Subject: drm/msm: Fix dma_free_attrs() buffer size
Author: Thomas Fourier <fourier.thomas@gmail.com>
Patches: 1
Reviewed: 2026-02-27T12:28:53.426085

---

This is a single-patch series that fixes a real DMA buffer size mismatch bug in the Adreno a2xx GPU MMU driver. The fix is correct and minimal. The allocation at line 102 uses `TABLE_SIZE + 32` while the free (before this patch) used only `TABLE_SIZE`. Passing a wrong size to `dma_free_attrs()` can corrupt DMA allocator metadata, potentially causing memory corruption or leaks. The patch is appropriate for stable backport.

---
Generated by Claude Code Patch Reviewer

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Claude review: drm/msm: Fix dma_free_attrs() buffer size
  2026-02-26  9:57 [PATCH v2] drm/msm: Fix dma_free_attrs() buffer size Thomas Fourier
  2026-02-27  2:28 ` Claude review: " Claude Code Review Bot
@ 2026-02-27  2:28 ` Claude Code Review Bot
  1 sibling, 0 replies; 3+ messages in thread
From: Claude Code Review Bot @ 2026-02-27  2:28 UTC (permalink / raw)
  To: dri-devel-reviews

Patch Review

**Verdict: Correct fix, minor style suggestion.**

The bug is clear and verified by reading the full file:

**Allocation** at `a2xx_gpummu_new()` (line 102):
```c
gpummu->table = dma_alloc_attrs(dev, TABLE_SIZE + 32, &gpummu->pt_base,
    GFP_KERNEL | __GFP_ZERO, DMA_ATTR_FORCE_CONTIGUOUS);
```

**Free** (before fix) at `a2xx_gpummu_destroy()` (line 81):
```c
dma_free_attrs(mmu->dev, TABLE_SIZE, gpummu->table, gpummu->pt_base,
    DMA_ATTR_FORCE_CONTIGUOUS);
```

The extra 32 bytes exist to hold a "translation error" address, as shown in `a2xx_gpummu_params()` (line 121):
```c
*tran_error = base + TABLE_SIZE; /* 32-byte aligned */
```

The fix correctly changes the free to `TABLE_SIZE + 32` to match the allocation.

**Minor nit (not blocking):** The magic number `32` is repeated in three places (alloc, free, and implicitly in `a2xx_gpummu_params`). Defining something like `#define TRAN_ERROR_SIZE 32` and using `TABLE_SIZE + TRAN_ERROR_SIZE` would make the relationship clearer and prevent future mismatches. But that's a cleanup suggestion, not something that should hold up this bugfix.

**Reviewed-by worthy.** The Fixes tag and Cc: stable are appropriate.

---
Generated by Claude Code Patch Reviewer

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2026-02-27  2:28 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-02-26  9:57 [PATCH v2] drm/msm: Fix dma_free_attrs() buffer size Thomas Fourier
2026-02-27  2:28 ` Claude review: " Claude Code Review Bot
2026-02-27  2:28 ` Claude Code Review Bot

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox