Commit d287dee5 authored Feb 09, 2026 by Maciej Patelczyk Committed by Matthew Brost Feb 10, 2026

drm/gpusvm: Fix unbalanced unlock in drm_gpusvm_scan_mm()



There is a unbalanced lock/unlock to gpusvm notifier lock:
[  931.045868] =====================================
[  931.046509] WARNING: bad unlock balance detected!
[  931.047149] 6.19.0-rc6+xe-**************** #9 Tainted: G     U
[  931.048150] -------------------------------------
[  931.048790] kworker/u5:0/51 is trying to release lock (&gpusvm->notifier_lock) at:
[  931.049801] [<ffffffffa090c0d8>] drm_gpusvm_scan_mm+0x188/0x460 [drm_gpusvm_helper]
[  931.050802] but there are no more locks to release!
[  931.051463]

The drm_gpusvm_notifier_unlock() sits under err_free label and the
first jump to err_free is just before calling the
drm_gpusvm_notifier_lock() causing unbalanced unlock.

Fixes: f1d08a58 ("drm/gpusvm: Introduce a function to scan the current migration state")
Signed-off-by: Maciej Patelczyk <maciej.patelczyk@intel.com>
Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com>
Reviewed-by: Matthew Brost <matthew.brost@intel.com>
Signed-off-by: Matthew Brost <matthew.brost@intel.com>
Link: https://patch.msgid.link/20260209123433.1271053-1-maciej.patelczyk@intel.com

parent e04c609e

drivers/gpu/drm/drm_gpusvm.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -819,7 +819,7 @@ enum drm_gpusvm_scan_result drm_gpusvm_scan_mm(struct drm_gpusvm_range *range,

		if (!(pfns[i] & HMM_PFN_VALID)) {
		state = DRM_GPUSVM_SCAN_UNPOPULATED;
		goto err_free;
		break;
		}

		page = hmm_pfn_to_page(pfns[i]);
		@@ -856,9 +856,9 @@ enum drm_gpusvm_scan_result drm_gpusvm_scan_mm(struct drm_gpusvm_range *range,
		i += 1ul << drm_gpusvm_hmm_pfn_to_order(pfns[i], i, npages);
		}

		err_free:
		drm_gpusvm_notifier_unlock(range->gpusvm);

		err_free:
		kvfree(pfns);
		return state;
		}