Claude review: drm/gpusvm: Use dma-map IOVA alloc, link, and sync API in GPU SVM

public inbox for drm-ai-reviews@public-inbox.freedesktop.org
 help / color / mirror / Atom feed

From: Claude Code Review Bot <claude-review@example.com>
To: dri-devel-reviews@example.com
Subject: Claude review: drm/gpusvm: Use dma-map IOVA alloc, link, and sync API in GPU SVM
Date: Sun, 12 Apr 2026 09:24:51 +1000	[thread overview]
Message-ID: <review-patch1-20260410205929.3914474-2-matthew.brost@intel.com> (raw)
In-Reply-To: <20260410205929.3914474-2-matthew.brost@intel.com>

Patch Review

**Bug: Incorrect unmap logic for mixed system+device pages**

In `__drm_gpusvm_unmap_pages` (`drm_gpusvm.c:1149-1161`), the conditional structure is wrong when `use_iova` is true and the range contains both system and device pages:

```c
if (!use_iova && addr->proto == DRM_INTERCONNECT_SYSTEM)
    dma_unmap_page(dev,
                   addr->addr,
                   PAGE_SIZE << addr->order,
                   addr->dir);
else if (dpagemap && dpagemap->ops->device_unmap)
    dpagemap->ops->device_unmap(dpagemap,
                                dev, addr);
```

When `use_iova` is true and a system page entry is encountered, `!use_iova` is false, so the first condition fails. The code then falls through to the `else if`, which calls `device_unmap` on a system page address that was already freed by `dma_iova_destroy` above. This is a use-after-free of the IOVA address from the device_unmap callback's perspective.

This can occur when `ctx->allow_mixed` is true and a range contains both device pages (mapped via `device_map`) and system pages (mapped via IOVA). The fix should be:

```c
if (addr->proto == DRM_INTERCONNECT_SYSTEM) {
    if (!use_iova)
        dma_unmap_page(dev, addr->addr,
                       PAGE_SIZE << addr->order,
                       addr->dir);
} else if (dpagemap && dpagemap->ops->device_unmap) {
    dpagemap->ops->device_unmap(dpagemap, dev, addr);
}
```

**Performance gap: IOVA allocation trigger uses `!i` instead of a flag**

In `drm_gpusvm_get_pages` (`drm_gpusvm.c:1552-1557`):

```c
if (!i)
    dma_iova_try_alloc(gpusvm->drm->dev, state,
                       npages * PAGE_SIZE >=
                       HPAGE_PMD_SIZE ?
                       HPAGE_PMD_SIZE : 0,
                       npages * PAGE_SIZE);
```

The `!i` condition means IOVA is only allocated when the very first page (i==0) is a valid system page. If page 0 is invalid (`HMM_PFN_VALID` not set) or is a device page, `i` advances past 0 and IOVA is never allocated for any subsequent system pages. They all fall back to per-page `dma_map_page`. Contrast this with Patch 4's pagemap version which uses a `bool try_alloc` flag that triggers on the first valid page regardless of index -- that pattern would be more robust here.

**Overall**: The structure of adding `state` and `state_offset` to `struct drm_gpusvm_pages` is clean. The initialization at `drm_gpusvm.c:1456-1457` is correct, and the `dma_iova_sync` call after the mapping loop at `drm_gpusvm.c:1590-1594` is properly placed. The fallback path when `dma_use_iova` returns false is correct.

---

---
Generated by Claude Code Patch Reviewer

next prev parent reply	other threads:[~2026-04-11 23:24 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-04-10 20:59 [PATCH v7 0/5] Use new dma-map IOVA alloc, link, and sync API in GPU SVM and DRM pagemap Matthew Brost
2026-04-10 20:59 ` [PATCH v7 1/5] drm/gpusvm: Use dma-map IOVA alloc, link, and sync API in GPU SVM Matthew Brost
2026-04-11 23:24   ` Claude Code Review Bot [this message]
2026-04-10 20:59 ` [PATCH v7 2/5] drm/pagemap: Drop source_peer_migrates flag and assume true Matthew Brost
2026-04-11 23:24   ` Claude review: " Claude Code Review Bot
2026-04-10 20:59 ` [PATCH v7 3/5] drm/pagemap: Split drm_pagemap_migrate_map_pages into device / system Matthew Brost
2026-04-11 23:24   ` Claude review: " Claude Code Review Bot
2026-04-10 20:59 ` [PATCH v7 4/5] drm/pagemap: Use dma-map IOVA alloc, link, and sync API for DRM pagemap Matthew Brost
2026-04-11 23:24   ` Claude review: " Claude Code Review Bot
2026-04-10 20:59 ` [PATCH v7 5/5] drm/pagemap: Fix drm_pagemap_migrate_unmap_pages kerneldoc Matthew Brost
2026-04-11 23:24   ` Claude review: " Claude Code Review Bot
2026-04-11 23:24 ` Claude review: Use new dma-map IOVA alloc, link, and sync API in GPU SVM and DRM pagemap Claude Code Review Bot
  -- strict thread matches above, loose matches on Subject: below --
2026-04-08 20:15 [PATCH v6 0/5] " Matthew Brost
2026-04-08 20:15 ` [PATCH v6 1/5] drm/gpusvm: Use dma-map IOVA alloc, link, and sync API in GPU SVM Matthew Brost
2026-04-12  2:09   ` Claude review: " Claude Code Review Bot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=review-patch1-20260410205929.3914474-2-matthew.brost@intel.com \
    --to=claude-review@example.com \
    --cc=dri-devel-reviews@example.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox