[PATCH v3 2/2] rust: drm: gpuvm: require Send and Sync for GpuVm's shared data

Mon, 08 Jun 2026 17:33:18 -0700 

GpuVm implements Send and Sync unconditionally, but it shares and drops
T::VmBoData and T::Object across threads: obtain() can return ARefs to
the same bo on several threads, and deferred_cleanup() drops them on
whichever thread calls it. This is unsound unless both are Send + Sync,
so bound both impls accordingly.

Fixes: 82b78182eacf ("rust: drm: add base GPUVM immediate mode abstraction")
Signed-off-by: Sami Tolvanen <[email protected]>
---
 rust/kernel/drm/gpuvm/mod.rs | 22 +++++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)

diff --git a/rust/kernel/drm/gpuvm/mod.rs b/rust/kernel/drm/gpuvm/mod.rs
index ae58f6f667c1..398068f2eb4f 100644
--- a/rust/kernel/drm/gpuvm/mod.rs
+++ b/rust/kernel/drm/gpuvm/mod.rs
@@ -74,9 +74,25 @@ pub struct GpuVm<T: DriverGpuVm> {
 
 // SAFETY: The GPUVM api does not assume that it is tied to a specific thread. 
The destructor will
 // drop the `data` field, which is okay because it is guaranteed `Send` by the 
`DriverGpuVm` trait.
-unsafe impl<T: DriverGpuVm> Send for GpuVm<T> {}
-// SAFETY: The GPUVM api is designed to allow &self methods to be called in 
parallel.
-unsafe impl<T: DriverGpuVm> Sync for GpuVm<T> {}
+// `obtain()` called from several threads can return `ARef`s to the same bo, 
aliasing `T::VmBoData`
+// and `T::Object`, and `deferred_cleanup()` can drop them from any thread, so 
both must be
+// `Send + Sync`.
+unsafe impl<T: DriverGpuVm> Send for GpuVm<T>
+where
+    T::VmBoData: Send + Sync,
+    T::Object: Send + Sync,
+{
+}
+// SAFETY: The GPUVM api is designed to allow &self methods to be called in 
parallel. `obtain()`
+// called from several threads can return `ARef`s to the same bo, aliasing 
`T::VmBoData` and
+// `T::Object`, and `deferred_cleanup()` can drop them from any thread, so 
both must be
+// `Send + Sync`.
+unsafe impl<T: DriverGpuVm> Sync for GpuVm<T>
+where
+    T::VmBoData: Send + Sync,
+    T::Object: Send + Sync,
+{
+}
 
 // SAFETY: By type invariants, the allocation is managed by the refcount in 
`self.vm`.
 unsafe impl<T: DriverGpuVm> AlwaysRefCounted for GpuVm<T> {
-- 
2.54.0.1099.g489fc7bff1-goog

Reply via email to