From: Claude Code Review Bot <claude-review@example.com>
To: dri-devel-reviews@example.com
Subject: Claude review: drm/xe/xe_vm: Implement xe_vm_get_property_ioctl
Date: Wed, 11 Mar 2026 13:13:00 +1000 [thread overview]
Message-ID: <review-patch4-20260310144914.7525-10-jonathan.cavitt@intel.com> (raw)
In-Reply-To: <20260310144914.7525-10-jonathan.cavitt@intel.com>
Patch Review
**TOCTOU race in `xe_vm_get_property_helper`.** The function reads `vm->faults.len` under spinlock, releases it, then checks `args->size > size`. Meanwhile, `fill_faults()` acquires the lock again. Between the two lock acquisitions, new faults could be added, making the list longer than expected. The check `args->size > size` would have passed with the old (smaller) size, but `fill_faults` then iterates the (now longer) list — this is safe because `fill_faults` has its own `count` limit, but the logic is unnecessarily convoluted and fragile.
**`copy_to_user` of potentially uninitialized data.** In `fill_faults()`:
```c
fault_list = kcalloc(count, sizeof(struct xe_vm_fault), GFP_KERNEL);
```
The array is zero-initialized via `kcalloc`, and then partially filled. But the `copy_to_user` copies `args->size` bytes, which is the full requested size. If fewer faults exist than `count`, the remaining entries are zeroed (from kcalloc), which is fine. However, this means userspace has no way to know how many entries were actually filled vs. zero-padded. The ioctl should communicate the actual count back (e.g., updating `args->size` to reflect the actual bytes written).
**`xe_to_user_fault_type` and `xe_to_user_fault_level` are no-ops.** These functions just return their argument unchanged:
```c
static u8 xe_to_user_fault_type(u8 fault_type) { return fault_type; }
static u8 xe_to_user_fault_level(u8 fault_level) { return fault_level; }
```
If the intent is to have a place to insert future mapping logic, a comment explaining this would help. Otherwise, these are dead abstractions.
**Missing `extensions` and `pad` validation.** The ioctl checks `reserved[0..2]` but doesn't validate `args->extensions == 0` or `args->pad == 0`. All MBZ fields should be checked to preserve future extensibility.
**Faults are never cleared.** The fault list accumulates up to 50 entries and is only cleared on VM destruction (`xe_vm_close_and_put`). There's no mechanism for userspace to acknowledge/clear faults after reading them. This means repeated queries return the same stale data, and once 50 faults are recorded, no new faults are ever visible. This is a significant usability limitation that should at least be documented in the uAPI, or better, a clear-on-read or explicit clear mechanism should be added.
---
Generated by Claude Code Patch Reviewer
next prev parent reply other threads:[~2026-03-11 3:13 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-10 14:49 [PATCH v37 0/4] drm/xe/xe_vm: Implement xe_vm_get_property_ioctl Jonathan Cavitt
2026-03-10 14:49 ` [PATCH v37 1/4] drm/xe/xe_pagefault: Disallow writes to read-only VMAs Jonathan Cavitt
2026-03-11 3:12 ` Claude review: " Claude Code Review Bot
2026-03-10 14:49 ` [PATCH v37 2/4] drm/xe/uapi: Define drm_xe_vm_get_property Jonathan Cavitt
2026-03-11 3:12 ` Claude review: " Claude Code Review Bot
2026-03-10 14:49 ` [PATCH v37 3/4] drm/xe/xe_vm: Add per VM fault info Jonathan Cavitt
2026-03-11 3:13 ` Claude review: " Claude Code Review Bot
2026-03-10 14:49 ` [PATCH v37 4/4] drm/xe/xe_vm: Implement xe_vm_get_property_ioctl Jonathan Cavitt
2026-03-11 3:13 ` Claude Code Review Bot [this message]
2026-03-11 3:12 ` Claude review: " Claude Code Review Bot
-- strict thread matches above, loose matches on Subject: below --
2026-03-24 15:29 [PATCH v39 0/4] " Jonathan Cavitt
2026-03-24 15:29 ` [PATCH v39 4/4] " Jonathan Cavitt
2026-03-24 20:46 ` Claude review: " Claude Code Review Bot
2026-03-24 20:46 ` Claude Code Review Bot
2026-03-20 18:35 [PATCH v38 0/4] " Jonathan Cavitt
2026-03-20 18:35 ` [PATCH v38 4/4] " Jonathan Cavitt
2026-03-21 17:27 ` Claude review: " Claude Code Review Bot
2026-03-21 17:27 ` Claude Code Review Bot
2026-03-06 15:55 [PATCH v36 0/4] " Jonathan Cavitt
2026-03-06 15:56 ` [PATCH v36 4/4] " Jonathan Cavitt
2026-03-08 22:42 ` Claude review: " Claude Code Review Bot
2026-03-08 22:42 ` Claude Code Review Bot
2026-02-23 17:21 [PATCH v35 0/4] " Jonathan Cavitt
2026-02-23 17:21 ` [PATCH v35 4/4] " Jonathan Cavitt
2026-02-24 0:00 ` Claude review: " Claude Code Review Bot
2026-02-23 23:59 ` Claude Code Review Bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=review-patch4-20260310144914.7525-10-jonathan.cavitt@intel.com \
--to=claude-review@example.com \
--cc=dri-devel-reviews@example.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox