drm_gpusvm_get_pages() only stored the local dpagemap into
svm_pages->dpagemap on the success path. If a later page failed (e.g.
-EOPNOTSUPP when ctx->allow_mixed is false) and jumped to err_unmap,
svm_pages->dpagemap was still NULL, so __drm_gpusvm_unmap_pages() skipped
device_unmap() and leaked the device mappings already created.

Assign svm_pages->dpagemap when the first device page is mapped so the
err_unmap path can device_unmap() those mappings.

This issue was found by Sashiko AI review.

Fixes: f70da6f99d4f ("drm/gpusvm: pull out drm_gpusvm_pages substructure")
Cc: [email protected]
Reviewed-by: Matthew Brost <[email protected]>
Signed-off-by: Honglei Huang <[email protected]>
---
 drivers/gpu/drm/drm_gpusvm.c | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/drivers/gpu/drm/drm_gpusvm.c b/drivers/gpu/drm/drm_gpusvm.c
index 44bb19658dd..9a06ff7d260 100644
--- a/drivers/gpu/drm/drm_gpusvm.c
+++ b/drivers/gpu/drm/drm_gpusvm.c
@@ -1544,6 +1544,16 @@ int drm_gpusvm_get_pages(struct drm_gpusvm *gpusvm,
                                        err = -EAGAIN;
                                        goto err_unmap;
                                }
+
+                               /*
+                                * Set the dpagemap as soon as the first
+                                * device page is mapped so the err_unmap path
+                                * can device_unmap() the device mappings that
+                                * have already been created.
+                                */
+                               drm_pagemap_get(dpagemap);
+                               drm_pagemap_put(svm_pages->dpagemap);
+                               svm_pages->dpagemap = dpagemap;
                        }
                        svm_pages->dma_addr[j] =
                                dpagemap->ops->device_map(dpagemap,
@@ -1611,12 +1621,8 @@ int drm_gpusvm_get_pages(struct drm_gpusvm *gpusvm,
                        goto err_unmap;
        }
 
-       if (pagemap) {
+       if (pagemap)
                flags.has_devmem_pages = true;
-               drm_pagemap_get(dpagemap);
-               drm_pagemap_put(svm_pages->dpagemap);
-               svm_pages->dpagemap = dpagemap;
-       }
 
        /* WRITE_ONCE pairs with READ_ONCE for opportunistic checks */
        WRITE_ONCE(svm_pages->flags.__flags, flags.__flags);
-- 
2.34.1

Reply via email to