Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

- [Critical] Unaligned user_addr from KFD_IOC_ALLOC_MEMORY_OF_GPU causes VMA tree corruption via split_vma()

--
commit 84a588c64a29eedb721607110e005505178f21fc Author: Yitao Jiang <[email protected]> drm/amdgpu: block THP for HSA userptr notifiers This commit modifies the registration of HSA userptr interval notifiers to use the MMU_INTERVAL_NOTIFIER_BLOCK_THP flag. This prevents CPU THP remaps of active userptr ranges from causing asynchronous GPU work failures. GFX userptrs continue to use the existing notifier path. > diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_hmm.c > b/drivers/gpu/drm/amd/amdgpu/amdgpu_hmm.c > index 99bc9ad67d5b8..c0b36164c35e2 100644 > --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_hmm.c > +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_hmm.c [ ... ] 
> @@ -130,16 +131,24 @@ static const struct mmu_interval_notifier_ops > amdgpu_hmm_hsa_ops = { > */ > int amdgpu_hmm_register(struct amdgpu_bo *bo, unsigned long addr) > { [ ... ] > + if (bo->kfd_bo) { > + mmap_write_lock(mm); > + r = mmu_interval_notifier_insert_locked_flags(&bo->notifier, mm, > + addr, size, > + > &amdgpu_hmm_hsa_ops, > + > MMU_INTERVAL_NOTIFIER_BLOCK_THP); [Severity: Critical] Can addr be unaligned when passed to this function? A user space process can call the KFD_IOC_ALLOC_MEMORY_OF_GPU ioctl with the KFD_IOC_ALLOC_MEM_FLAGS_USERPTR flag and provide an unaligned virtual address in args->mmap_offset. The ioctl handler in kfd_ioctl_alloc_memory_of_gpu() (in drivers/gpu/drm/amd/amdkfd/kfd_chardev.c) does not enforce page alignment on this offset: drivers/gpu/drm/amd/amdkfd/kfd_chardev.c:kfd_ioctl_alloc_memory_of_gpu() { ... err = amdgpu_amdkfd_gpuvm_alloc_memory_of_gpu( dev->adev, args->va_addr, args->size, pdd->drm_priv, (struct kgd_mem **) &mem, &offset, flags, false); ... } The unaligned offset propagates through init_user_pages() unmodified as user_addr, which is eventually passed here as addr to amdgpu_hmm_register(). With the MMU_INTERVAL_NOTIFIER_BLOCK_THP flag added by this patch, the core MM calls mmu_interval_notifier_block_thp_locked(), which uses this addr as the start address. It iteratively passes this address to vma_modify_flags() and subsequently split_vma(). Since VMA boundaries must be strictly page-aligned, split_vma() will corrupt the VMA tree and break invariants by applying the unaligned address to the new VMA bounds. This can lead to kernel panics or a local denial-of-service. Should addr and size be aligned before calling mmu_interval_notifier_insert_locked_flags(), or should the ioctl enforce page alignment on user pointers? -- Sashiko AI review · https://sashiko.dev/#/patchset/sy1pr01mb10596eb75463208a8e1ebba0fc0...@sy1pr01mb10596.ausprd01.prod.outlook.com?part=2
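Review bot: `addr` and `size` reach mmu_interval_notifier_insert_locked_flags() without any page alignment in the new `if (bo->kfd_bo)` branch, and nothing in the quoted lines rounds them before the MMU_INTERVAL_NOTIFIER_BLOCK_THP path splits VMAs at those bounds; since split_vma() requires page-aligned boundaries, an unaligned userptr offset coming in from KFD_IOC_ALLOC_MEMORY_OF_GPU (the `args->mmap_offset` that init_user_pages() forwards unchanged) would be handed to the core MM as-is. Suggested fix: either round here (`addr & PAGE_MASK`, extending `size` by the dropped low bits and then PAGE_ALIGN'ing it) or, preferably, reject an unaligned `args->mmap_offset` with -EINVAL in kfd_ioctl_alloc_memory_of_gpu() so the userptr path never sees such an address and the GFX notifier path keeps its current behaviour. Two smaller points on the same hunk: it takes `mmap_write_lock(mm)` but the matching unlock and the handling of `r` fall outside the quoted lines, so please confirm that every exit from the branch, including the error return, drops the lock; and the commit message should mention that HSA registration now takes the mmap write lock, because that is a new locking requirement on callers of amdgpu_hmm_register() that the current text does not document.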
