From mboxrd@z Thu Jan  1 00:00:00 1970
From: Claude Code Review Bot <claude-review@example.com>
To: dri-devel-reviews@example.com
Subject: Claude review: drm/gpusvm: Use dma-map IOVA alloc, link, and sync API in GPU SVM
Date: Sun, 12 Apr 2026 09:24:51 +1000
Message-ID: <review-patch1-20260410205929.3914474-2-matthew.brost@intel.com>
In-Reply-To: <20260410205929.3914474-2-matthew.brost@intel.com>
References: <20260410205929.3914474-1-matthew.brost@intel.com> <20260410205929.3914474-2-matthew.brost@intel.com>
X-Mailer: Claude Code Patch Reviewer
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0

Patch Review

**Bug: Incorrect unmap logic for mixed system+device pages**

In `__drm_gpusvm_unmap_pages` (`drm_gpusvm.c:1149-1161`), the conditional structure is wrong when `use_iova` is true and the range contains both system and device pages:

```c
if (!use_iova && addr->proto == DRM_INTERCONNECT_SYSTEM)
    dma_unmap_page(dev,
                   addr->addr,
                   PAGE_SIZE << addr->order,
                   addr->dir);
else if (dpagemap && dpagemap->ops->device_unmap)
    dpagemap->ops->device_unmap(dpagemap,
                                dev, addr);
```

When `use_iova` is true and a system page entry is encountered, `!use_iova` is false, so the first condition fails. The code then falls through to the `else if`, which calls `device_unmap` on a system page address that was already freed by `dma_iova_destroy` above. This is a use-after-free of the IOVA address from the device_unmap callback's perspective.

This can occur when `ctx->allow_mixed` is true and a range contains both device pages (mapped via `device_map`) and system pages (mapped via IOVA). The fix should be:

```c
if (addr->proto == DRM_INTERCONNECT_SYSTEM) {
    if (!use_iova)
        dma_unmap_page(dev, addr->addr,
                       PAGE_SIZE << addr->order,
                       addr->dir);
} else if (dpagemap && dpagemap->ops->device_unmap) {
    dpagemap->ops->device_unmap(dpagemap, dev, addr);
}
```

**Performance gap: IOVA allocation trigger uses `!i` instead of a flag**

In `drm_gpusvm_get_pages` (`drm_gpusvm.c:1552-1557`):

```c
if (!i)
    dma_iova_try_alloc(gpusvm->drm->dev, state,
                       npages * PAGE_SIZE >=
                       HPAGE_PMD_SIZE ?
                       HPAGE_PMD_SIZE : 0,
                       npages * PAGE_SIZE);
```

The `!i` condition means IOVA is only allocated when the very first page (i==0) is a valid system page. If page 0 is invalid (`HMM_PFN_VALID` not set) or is a device page, `i` advances past 0 and IOVA is never allocated for any subsequent system pages. They all fall back to per-page `dma_map_page`. Contrast this with Patch 4's pagemap version which uses a `bool try_alloc` flag that triggers on the first valid page regardless of index -- that pattern would be more robust here.

**Overall**: The structure of adding `state` and `state_offset` to `struct drm_gpusvm_pages` is clean. The initialization at `drm_gpusvm.c:1456-1457` is correct, and the `dma_iova_sync` call after the mapping loop at `drm_gpusvm.c:1590-1594` is properly placed. The fallback path when `dma_use_iova` returns false is correct.

---

---
Generated by Claude Code Patch Reviewer