drm/xe/hmm: Don't dereference struct page pointers without notifier lock

	}

}

static int xe_alloc_sg(struct xe_device *xe, struct sg_table *st,

		       struct hmm_range *range, struct rw_semaphore *notifier_sem)

{

	unsigned long i, npages, hmm_pfn;

	unsigned long num_chunks = 0;

	int ret;

	/* HMM docs says this is needed. */

	ret = down_read_interruptible(notifier_sem);

	if (ret)

		return ret;

	if (mmu_interval_read_retry(range->notifier, range->notifier_seq)) {

		up_read(notifier_sem);

		return -EAGAIN;

	}

	npages = xe_npages_in_range(range->start, range->end);

	for (i = 0; i < npages;) {

		unsigned long len;

		hmm_pfn = range->hmm_pfns[i];

		xe_assert(xe, hmm_pfn & HMM_PFN_VALID);

		len = 1UL << hmm_pfn_to_map_order(hmm_pfn);

		/* If order > 0 the page may extend beyond range->start */

		len -= (hmm_pfn & ~HMM_PFN_FLAGS) & (len - 1);

		i += len;

		num_chunks++;

	}

	up_read(notifier_sem);

	return sg_alloc_table(st, num_chunks, GFP_KERNEL);

}

/**

 * xe_build_sg() - build a scatter gather table for all the physical pages/pfn

 * in a hmm_range. dma-map pages if necessary. dma-address is save in sg table

 * @range: the hmm range that we build the sg table from. range->hmm_pfns[]

 * has the pfn numbers of pages that back up this hmm address range.

 * @st: pointer to the sg table.

 * @notifier_sem: The xe notifier lock.

 * @write: whether we write to this range. This decides dma map direction

 * for system pages. If write we map it bi-diretional; otherwise

 * DMA_TO_DEVICE

 * Returns 0 if successful; -ENOMEM if fails to allocate memory

 */

static int xe_build_sg(struct xe_device *xe, struct hmm_range *range,

		       struct sg_table *st, bool write)

		       struct sg_table *st,

		       struct rw_semaphore *notifier_sem,

		       bool write)

{

	unsigned long npages = xe_npages_in_range(range->start, range->end);

	struct device *dev = xe->drm.dev;

	struct page **pages;

	u64 i, npages;

	int ret;

	struct scatterlist *sgl;

	struct page *page;

	unsigned long i, j;

	npages = xe_npages_in_range(range->start, range->end);

	pages = kvmalloc_array(npages, sizeof(*pages), GFP_KERNEL);

	if (!pages)

		return -ENOMEM;

	lockdep_assert_held(notifier_sem);

	for (i = 0; i < npages; i++) {

		pages[i] = hmm_pfn_to_page(range->hmm_pfns[i]);

		xe_assert(xe, !is_device_private_page(pages[i]));

	}

	i = 0;

	for_each_sg(st->sgl, sgl, st->nents, j) {

		unsigned long hmm_pfn, size;

	ret = sg_alloc_table_from_pages_segment(st, pages, npages, 0, npages << PAGE_SHIFT,

						xe_sg_segment_size(dev), GFP_KERNEL);

	if (ret)

		goto free_pages;

		hmm_pfn = range->hmm_pfns[i];

		page = hmm_pfn_to_page(hmm_pfn);

		xe_assert(xe, !is_device_private_page(page));

	ret = dma_map_sgtable(dev, st, write ? DMA_BIDIRECTIONAL : DMA_TO_DEVICE,

			      DMA_ATTR_SKIP_CPU_SYNC | DMA_ATTR_NO_KERNEL_MAPPING);

	if (ret) {

		sg_free_table(st);

		st = NULL;

		size = 1UL << hmm_pfn_to_map_order(hmm_pfn);

		size -= page_to_pfn(page) & (size - 1);

		i += size;

		if (unlikely(j == st->nents - 1)) {

			if (i > npages)

				size -= (i - npages);

			sg_mark_end(sgl);

		}

		sg_set_page(sgl, page, size << PAGE_SHIFT, 0);

	}

	xe_assert(xe, i == npages);

free_pages:

	kvfree(pages);

	return ret;

	return dma_map_sgtable(dev, st, write ? DMA_BIDIRECTIONAL : DMA_TO_DEVICE,

			       DMA_ATTR_SKIP_CPU_SYNC | DMA_ATTR_NO_KERNEL_MAPPING);

}

/**

	if (ret)

		goto free_pfns;

	ret = xe_build_sg(vm->xe, &hmm_range, &userptr->sgt, write);

	ret = xe_alloc_sg(vm->xe, &userptr->sgt, &hmm_range, &vm->userptr.notifier_lock);

	if (ret)

		goto free_pfns;

	ret = down_read_interruptible(&vm->userptr.notifier_lock);

	if (ret)

		goto free_st;

	if (mmu_interval_read_retry(hmm_range.notifier, hmm_range.notifier_seq)) {

		ret = -EAGAIN;

		goto out_unlock;

	}

	ret = xe_build_sg(vm->xe, &hmm_range, &userptr->sgt,

			  &vm->userptr.notifier_lock, write);

	if (ret)

		goto out_unlock;

	xe_mark_range_accessed(&hmm_range, write);

	userptr->sg = &userptr->sgt;

	userptr->notifier_seq = hmm_range.notifier_seq;

	up_read(&vm->userptr.notifier_lock);

	kvfree(pfns);

	return 0;

out_unlock:

	up_read(&vm->userptr.notifier_lock);

free_st:

	sg_free_table(&userptr->sgt);

free_pfns:

	kvfree(pfns);

	return ret;

}