From mboxrd@z Thu Jan 1 00:00:00 1970 From: Claude Code Review Bot To: dri-devel-reviews@example.com Subject: Claude review: drm/panthor: Support sparse mappings Date: Tue, 05 May 2026 11:14:08 +1000 Message-ID: In-Reply-To: <20260429183253.66422-6-adrian.larumbe@collabora.com> References: <20260429183253.66422-1-adrian.larumbe@collabora.com> <20260429183253.66422-6-adrian.larumbe@collabora.com> X-Mailer: Claude Code Patch Reviewer Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Patch Review This is the core patch. Several observations: **Bug: Use-after-free in `panthor_vm_pool_create()` error path** ```c pfile->vms->dummy =3D panthor_dummy_bo_create(pfile->ptdev); if (IS_ERR(pfile->vms->dummy)) { kfree(pfile->vms); return PTR_ERR(pfile->vms->dummy); } ``` After `kfree(pfile->vms)`, the `return PTR_ERR(pfile->vms->dummy)` derefere= nces freed memory. Additionally, `pfile->vms` is left as a dangling pointer= (not set to NULL), which could cause a double-free or crash if `panthor_vm= _pool_destroy()` is called during file cleanup =E2=80=94 it checks `if (!pf= ile->vms)` which would pass on a dangling pointer. Fix: ```c if (IS_ERR(pfile->vms->dummy)) { int ret =3D PTR_ERR(pfile->vms->dummy); kfree(pfile->vms); pfile->vms =3D NULL; return ret; } ``` **Minor: `chunk_size` type in `panthor_vm_map_sparse()`** ```c u32 chunk_size =3D min(size - mapped, SZ_2M - (addr & (SZ_2M - 1))); ``` Both operands to `min()` are `u64`, so the result is `u64`. Assigning to `u= 32` could trigger a truncation warning on some compilers. The value is alwa= ys =E2=89=A4 SZ_2M so it's safe, but using `u64 chunk_size` would be cleane= r and avoids any potential `min()` type-checking issues with the kernel's s= trict `min()` macro. **Nit: uAPI documentation field names** ```c * This flag being set means drm_panthor_vm_bind_op:offset and * drm_panthor_vm_bind_op::handle must both be set to 0. ``` The field names are wrong =E2=80=94 the struct fields are `bo_offset` and `= bo_handle`, not `offset` and `handle`. Also inconsistent colon style (`:off= set` vs `::handle`). Should be: ``` * drm_panthor_vm_bind_op::bo_offset and drm_panthor_vm_bind_op::bo_handle ``` **Design observation: remap path and sparse offset semantics** The comment in the remap path correctly notes that `remap::unmap::offset` a= nd `remap::unmap::keep` from the gpuvm core are unreliable for sparse mappi= ngs (since the VA range can exceed the dummy BO size). The code handles thi= s by routing through `panthor_vm_exec_map_op()`, which for sparse mappings = ignores the gem offset and calls `panthor_vm_map_sparse()` instead. The add= ed `size > 0` guard in the remap branches is a reasonable defensive check. **Lifetime management looks correct**: the dummy BO reference is taken per-= VM in `panthor_vm_pool_create_vm()` and dropped in `panthor_vm_free()`, wit= h the pool holding its own reference dropped in `panthor_vm_pool_destroy()`= . The `if (vm->dummy)` NULL check in `panthor_vm_free()` correctly handles = VMs that were never assigned a dummy BO (e.g., MCU VMs or VMs created befor= e the pool dummy was initialized). --- Generated by Claude Code Patch Reviewer