Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

- [High] Unbounded kernel memory leak of `xe_madvise_notifier` structures due to missing cleanup on VMA unbind.

--

commit 842ee67ad0fcd26bd2723ff015ee6cb68da543ef
Author: Arvind Yadav <[email protected]>

drm/xe/vm: Wire MADVISE_AUTORESET notifiers into VM lifecycle

This commit initializes the MADVISE_AUTORESET notifier infrastructure for fault-mode VMs and handles teardown during VM close. It also collects CPU mirror VMA ranges to register interval notifiers after dropping the VM lock.

> diff --git a/drivers/gpu/drm/xe/xe_vm_madvise.c
> b/drivers/gpu/drm/xe/xe_vm_madvise.c
> --- a/drivers/gpu/drm/xe/xe_vm_madvise.c
> +++ b/drivers/gpu/drm/xe/xe_vm_madvise.c
[ ... ]
> @@ -731,6 +806,30 @@ int xe_vm_madvise_ioctl(struct drm_device *dev, void
> *data, struct drm_file *fil
> unlock_vm:
> up_write(&vm->lock);
>
> + if (!err) {
> + for (int i = 0; i < num_notifier_ranges; i++) {
> + int ret = xe_vm_madvise_register_notifier_range(vm,
> +
> notifier_ranges[i].start,
> + notifier_ranges[i].end);

[Severity: High] Does this code leak xe_madvise_notifier structures if the VMA is subsequently unbound?

When userspace calls the MADVISE ioctl on a CPU mirror VMA, xe_vm_madvise_register_notifier_range() allocates a new notifier and adds it to the VM madvise_notifier_list. However, there does not appear to be a hook in the VMA teardown path, such as xe_vma_destroy(), to remove notifiers associated with a destroyed GPU VMA. The notifiers are only freed when the entire VM is destroyed in xe_vm_madvise_fini(), or if they are fully covered by a newly registered notifier.

Could a userspace application repeatedly bind a VMA, call the MADVISE ioctl, and unbind the VMA, shifting the address range slightly each time, to indefinitely accumulate xe_madvise_notifier objects and mmu interval notifiers until it triggers an out-of-memory condition?

> + if (ret) {
> + drm_warn(&vm->xe->drm,
> + "Failed to register madvise notifier
> [%#llx-%#llx]: %d\n",
> + notifier_ranges[i].start,
> + notifier_ranges[i].end, ret);
[ ... ]

--
Sashiko AI review · https://sashiko.dev/#/patchset/[email protected]?part=6
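Review bot: In the `@@ -731,6 +806,30 @@` hunk the registration loop runs only after `up_write(&vm->lock)`, so when `xe_vm_madvise_register_notifier_range(vm, notifier_ranges[i].start, notifier_ranges[i].end)` is called the VMAs those ranges were collected from are no longer protected by the VM lock, and nothing visible in the hunk prevents a concurrent unbind from removing a range between collection and registration, which would leave a notifier behind with no VMA under it. If registration genuinely has to happen outside `vm->lock`, a comment should say why and name what pins the range in the meantime; otherwise move the loop before the unlock or re-check the range under the lock after registering. A second, related point in the same hunk: a failure is only reported through `drm_warn(...)`, so if `err` is left unchanged the ioctl still returns success to userspace even though no autoreset notifier exists for that range; either propagate the first `ret` (and unregister the ranges already added in this loop) or document why best-effort registration with only a warning is acceptable here.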
