From mboxrd@z Thu Jan 1 00:00:00 1970 From: Claude Code Review Bot To: dri-devel-reviews@example.com Subject: Claude review: drm/lima: call drm_mm_init() with a valid allocation range Date: Thu, 04 Jun 2026 14:10:22 +1000 Message-ID: In-Reply-To: <20260601-lima-alloc-fix-v1-1-16d3f3b7b780@axis.com> References: <20260601-lima-alloc-fix-v1-1-16d3f3b7b780@axis.com> <20260601-lima-alloc-fix-v1-1-16d3f3b7b780@axis.com> X-Mailer: Claude Code Patch Reviewer Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Patch Review **Bug analysis is correct.** `lima_vm_create()` at line 371 calls `drm_mm_i= nit(&vm->mm, dev->va_start, dev->va_end - dev->va_start)` while both values= are still 0, which triggers the `DRM_MM_BUG_ON` in `drm_mm_init()` when `D= RM_DEBUG_MM` is enabled. **Error handling bug =E2=80=94 dlbu_cpu leak on mali450:** After the patch, the initialization order becomes: 1. `va_start` / `va_end` setup 2. `dlbu_cpu` DMA allocation (mali450 only) 3. `lima_vm_create()` If `lima_vm_create()` fails at step 3, the patch does: ```c + ldev->empty_vm =3D lima_vm_create(ldev); + if (!ldev->empty_vm) { + err =3D -ENOMEM; + goto err_out1; + } ``` But `goto err_out1` skips `err_out3` (which frees `dlbu_cpu`) and `err_out2= ` (which puts the VM). The cleanup labels are: ```c err_out3: if (ldev->dlbu_cpu) dma_free_wc(ldev->dev, LIMA_PAGE_SIZE, ldev->dlbu_cpu, ldev->dlbu_dma); err_out2: lima_vm_put(ldev->empty_vm); err_out1: lima_regulator_fini(ldev); ``` On mali450, `dlbu_cpu` was successfully allocated at step 2, so jumping to = `err_out1` leaks that DMA allocation. The correct goto target should be `er= r_out3`, not `err_out1`. Going through `err_out3` will free `dlbu_cpu` if a= llocated, and `err_out2` is safe because `lima_vm_put()` handles NULL: ```c static inline void lima_vm_put(struct lima_vm *vm) { if (vm) kref_put(&vm->refcount, lima_vm_release); } ``` **The existing `dlbu_cpu` failure goto is technically safe but sloppy.** Th= e dlbu_cpu allocation failure path retains `goto err_out2`, which calls `li= ma_vm_put(ldev->empty_vm)` on a not-yet-created VM. This works only because= `lima_vm_put()` has a NULL check and `ldev` is zero-initialized. It would = be cleaner to change this to `goto err_out1`, though it's not a correctness= bug. **Behavioral change on mali450 =E2=80=94 DLBU mapping in empty_vm:** `lima_vm_create()` contains: ```c if (dev->dlbu_cpu) { int err =3D lima_vm_map_page( vm, dev->dlbu_dma, LIMA_VA_RESERVE_DLBU); ``` In the original code, `dlbu_cpu` was NULL when `lima_vm_create()` ran, so t= his mapping was skipped for the `empty_vm`. After the patch, `dlbu_cpu` is = allocated before `lima_vm_create()`, so the DLBU page is now mapped in the = `empty_vm`. This is likely the correct behavior (and the original omission = was an unintentional consequence of the wrong ordering), but the commit mes= sage does not mention this change. **Suggested fix:** Change the `lima_vm_create()` failure goto from `err_out= 1` to `err_out3`: ```c ldev->empty_vm =3D lima_vm_create(ldev); if (!ldev->empty_vm) { err =3D -ENOMEM; - goto err_out1; + goto err_out3; } ``` And optionally clean up the dlbu_cpu failure goto: ```c if (!ldev->dlbu_cpu) { err =3D -ENOMEM; - goto err_out2; + goto err_out1; } ``` --- Generated by Claude Code Patch Reviewer