Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues: - [High] Accessing `nvbo->bo.resource->mem_type` and `nvbo->offset` without holding the BO reservation lock can lead to race conditions and a NULL pointer dereference. -- commit 764469ad454388a56166a4dfcafbe464a44fc502 Author: Dave Airlie <[email protected]> nouveau/gem: reserve the bo in the info ioctl around the vma lookup This commit adds a buffer object reservation lock around the vma lookup in the non-uvmm path to prevent a use-after-free against the gem close path. Cc: [email protected] > diff --git a/drivers/gpu/drm/nouveau/nouveau_gem.c > b/drivers/gpu/drm/nouveau/nouveau_gem.c > index 20dba02d6175b..c5a24dff4b69b 100644 > --- a/drivers/gpu/drm/nouveau/nouveau_gem.c > +++ b/drivers/gpu/drm/nouveau/nouveau_gem.c > @@ -313,11 +313,20 @@ nouveau_gem_info(struct drm_file *file_priv, struct > drm_gem_object *gem, > rep->offset = nvbo->offset; [Severity: High] This isn't a bug introduced by this patch, but is it safe to access the buffer object resource right before this section? In nouveau_gem_info(), when checking the domains, the code dereferences nvbo->bo.resource: else if (nvbo->bo.resource->mem_type == TTM_PL_TT) rep->domain = NOUVEAU_GEM_DOMAIN_GART; else ... rep->offset = nvbo->offset; Because this happens before the newly added ttm_bo_reserve() lock is acquired, could a concurrent buffer object move or pipeline gutting free the resource and set bo.resource to NULL? If so, accessing the memory type without the lock and without a NULL check could lead to a NULL pointer dereference. Should the reservation be moved higher up to protect these accesses as well? > if (vmm->vmm.object.oclass >= NVIF_CLASS_VMM_NV50 && > !nouveau_cli_uvmm(cli)) { > + int ret; > + > + ret = ttm_bo_reserve(&nvbo->bo, false, false, NULL); > + if (ret) > + return ret; [ ... ] -- Sashiko AI review ยท https://sashiko.dev/#/patchset/[email protected]?part=1
