From mboxrd@z Thu Jan 1 00:00:00 1970 From: Claude Code Review Bot To: dri-devel-reviews@example.com Subject: Claude review: drm/amdgpu: Fix resource leaks Date: Fri, 27 Feb 2026 13:15:07 +1000 Message-ID: In-Reply-To: <20260225145154.14168-1-ethantidmore06@gmail.com> References: <20260225145154.14168-1-ethantidmore06@gmail.com> <20260225145154.14168-1-ethantidmore06@gmail.com> X-Mailer: Claude Code Patch Reviewer Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Patch Review **The Smatch warning is valid.** There are real `ioremap()` leaks on early = error returns in `amdgpu_device_init()`. However, `devm_ioremap()` is the w= rong fix for the following reasons: **1. Use-after-free via DRM device release path** The PCI removal sequence is: ``` amdgpu_pci_remove() =E2=86=92 drm_dev_unplug() =E2=86=92 amdgpu_driver_unload_kms() =E2=86=92 amdgpu_device_fini_hw() return devres_release_all() =E2=86=90 devm_ioremap mapping freed HERE ... [later, when last DRM fd is closed] amdgpu_driver_release_kms() =E2=86=92 amdgpu_device_fini_sw() =E2=86=92 amdgpu_device_ip_fini() =E2=86=90 uses stale adev->rmmio! ``` `amdgpu_device_fini_sw()` is called from the DRM `.release` callback (`amdg= pu_driver_release_kms` at `amdgpu_kms.c:1615`), which fires when the last D= RM fd reference drops. If userspace still has the device open, this runs **= after** `devres_release_all()` has already freed the `devm_ioremap` mapping= . At that point `adev->rmmio` is a dangling pointer. **2. Removal of `adev->rmmio =3D NULL` breaks guards** The patch removes both: ```c - iounmap(adev->rmmio); - adev->rmmio =3D NULL; ``` But `adev->rmmio =3D=3D NULL` is used as a validity check elsewhere, e.g., = in `amdgpu_kms.c:91`: ```c if (adev->rmmio =3D=3D NULL) return; ``` After this patch, `adev->rmmio` is never NULLed, so this guard becomes inef= fective even though the mapping may already have been freed by devm. **3. Removal of `drm_dev_enter()` guard breaks hotplug coordination** The removed code in `amdgpu_device_fini_sw()`: ```c - if (drm_dev_enter(adev_to_drm(adev), &idx)) { - iounmap(adev->rmmio); - adev->rmmio =3D NULL; - drm_dev_exit(idx); - } ``` This `drm_dev_enter()` guard coordinates with `amdgpu_device_unmap_mmio()` = (the hotplug path). When the device is unplugged, `drm_dev_enter()` fails a= nd the `iounmap` is skipped because `amdgpu_device_unmap_mmio()` already ha= ndled it. This careful coordination is lost with the patch. **Suggested fix:** Instead of `devm_ioremap()`, the error paths in `amdgpu_= device_init()` should be fixed with proper `goto` cleanup labels that call = `iounmap(adev->rmmio)`. This addresses the Smatch warning without changing = the resource lifetime semantics. Alternatively, if `devm_ioremap` is desire= d, the entire teardown logic across `fini_hw` / `fini_sw` / `unmap_mmio` ne= eds to be reworked to ensure `adev->rmmio` is never accessed after the PCI = driver unbinds, and `adev->rmmio` must be set to NULL when devm will handle= the unmap. --- Generated by Claude Code Patch Reviewer