Commit 1cda3c75 authored by Maarten Lankhorst

drm/xe: Fix oops in xe_gem_fault when running core_hotunplug test.



I saw an oops in xe_gem_fault when running the xe-fast-feedback
testlist against the realtime kernel without debug options enabled.

The panic happens after core_hotunplug unbind-rebind finishes.
Presumably what happens is that a process mmaps, unlocks because
of the FAULT_FLAG_RETRY_NOWAIT logic, has no process memory left,
causing ttm_bo_vm_dummy_page() to return VM_FAULT_NOPAGE, since
there was nothing left to populate, and then oopses in
"mem_type_is_vram(tbo->resource->mem_type)" because tbo->resource
is NULL.

It's convoluted, but fits the data and explains the oops after
the test exits.

Reviewed-by: Matthew Auld <matthew.auld@intel.com>
Link: https://lore.kernel.org/r/20250715152057.23254-2-dev@lankhorst.se


Signed-off-by: Maarten Lankhorst <dev@lankhorst.se>
parent 552dbba1
+16 −12
@@ -1732,21 +1732,25 @@ static vm_fault_t xe_gem_fault(struct vm_fault *vmf)
		ret = ttm_bo_vm_fault_reserved(vmf, vmf->vma->vm_page_prot,
					       TTM_BO_VM_NUM_PREFAULT);
		drm_dev_exit(idx);
	} else {
		ret = ttm_bo_vm_dummy_page(vmf, vmf->vma->vm_page_prot);
	}

	if (ret == VM_FAULT_RETRY && !(vmf->flags & FAULT_FLAG_RETRY_NOWAIT))
		if (ret == VM_FAULT_RETRY &&
		    !(vmf->flags & FAULT_FLAG_RETRY_NOWAIT))
			goto out;

		/*
		 * ttm_bo_vm_reserve() already has dma_resv_lock.
		 */
	if (ret == VM_FAULT_NOPAGE && mem_type_is_vram(tbo->resource->mem_type)) {
		if (ret == VM_FAULT_NOPAGE &&
		    mem_type_is_vram(tbo->resource->mem_type)) {
			mutex_lock(&xe->mem_access.vram_userfault.lock);
			if (list_empty(&bo->vram_userfault_link))
			list_add(&bo->vram_userfault_link, &xe->mem_access.vram_userfault.list);
				list_add(&bo->vram_userfault_link,
					 &xe->mem_access.vram_userfault.list);
			mutex_unlock(&xe->mem_access.vram_userfault.lock);
		}
	} else {
		ret = ttm_bo_vm_dummy_page(vmf, vmf->vma->vm_page_prot);
	}

	dma_resv_unlock(tbo->base.resv);
out:
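Review bot: The re-indented check `mem_type_is_vram(tbo->resource->mem_type)` still dereferences tbo->resource with no NULL test, so the fix depends entirely on the ttm_bo_vm_fault_reserved() branch never returning VM_FAULT_NOPAGE with an unpopulated resource. The commit message only presumes the ttm_bo_vm_dummy_page() path is the source of the NULL resource, so either guard the condition with `tbo->resource &&` or extend the existing comment above it to state why the resource is guaranteed to be set in this branch. The visible message also has no Fixes: tag naming the commit that introduced the vram_userfault tracking, which would help this oops fix get backported.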