Re: [PATCH v2] drm/amdgpu: reject mapping info when BO VA is gone

From: Christian König

Date: Mon Jun 29 2026 - 08:41:10 EST


On 6/25/26 16:26, Yousef Alhouseen wrote:
> Hi Alex, Christian,
>
> Please drop this v2 as well.
>
> I rechecked the target tree and missed the existing !bo_va check in
> AMDGPU_GEM_OP_GET_MAPPING_INFO.

Am I blind? As far as I can see at least the code in drm-misc-next doesn't have such a check.

Regards,
Christian.


> The close-race case is already handled
> before the mapping list walks, so this patch only makes the later check
> unreachable and changes the errno.
>
> Sorry for the churn.
>
> Thanks,
> Yousef
>
> On Thu, 25 Jun 2026 15:53:41 +0200, Yousef Alhouseen
> <alhouseenyousef@xxxxxxxxx> wrote:
>> AMDGPU_GEM_OP_GET_MAPPING_INFO looks up the GEM object from the file
>> handle and then locks the object and VM before resolving the BO-VA. The
>> GEM object reference keeps the BO alive, but it does not keep the
>> per-file handle open.
>>
>> If a racing close drops the last handle reference in that window,
>> amdgpu_gem_object_close() can remove the BO-VA before
>> amdgpu_vm_bo_find() runs. The ioctl then walks the BO-VA mapping lists
>> unconditionally.
>>
>> Return -EINVAL if the BO is no longer associated with this VM.
>>
>> Suggested-by: Christian König <christian.koenig@xxxxxxx>
>> Signed-off-by: Yousef Alhouseen <alhouseenyousef@xxxxxxxxx>
>> ---
>> Changes in v2:
>> - Describe the handle-close race instead of an initially unmapped BO.
>> - Return -EINVAL instead of -ENOENT.
>>
>> drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c | 6 ++++++
>> 1 file changed, 6 insertions(+)
>>
>> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
>> index 212c14d99..6f5b6f4c2 100644
>> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
>> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
>> @@ -1087,6 +1087,12 @@ int amdgpu_gem_op_ioctl(struct drm_device *dev, void *data,
>> struct drm_amdgpu_gem_vm_entry *vm_entries;
>> struct amdgpu_bo_va_mapping *mapping;
>> int num_mappings = 0;
>> +
>> + if (!bo_va) {
>> + r = -EINVAL;
>> + goto out_exec;
>> + }
>> +
>> /*
>> * num_entries is set as an input to the size of the user-allocated array of
>> * drm_amdgpu_gem_vm_entry stored at args->value.
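Review bot: the added `if (!bo_va)` check after `int num_mappings = 0;` carries no comment explaining why bo_va can be NULL at this point. The reason, a racing handle close removing the BO-VA before amdgpu_vm_bo_find() runs, is stated only in the commit message. A short comment above the check would keep it from being removed later as dead code. The hunk also does not show where bo_va is assigned or what the out_exec label releases. Since the thread disagrees on whether the target tree already has a !bo_va test, the next revision should state which tree it was checked against, and confirm that no earlier test in amdgpu_gem_op_ioctl() makes this one unreachable.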
>> --
>> 2.54.0