Commit 97e16068 authored Dec 11, 2025 by Ashutosh Dixit

drm/xe/oa: Move default oa unit assignment earlier during stream open



De-referencing param.oa_unit, when an OA unit id is not provided during
stream open, results in NPD below.

  Oops: general protection fault, probably for non-canonical address...
  KASAN: null-ptr-deref in range...
  RIP: 0010:xe_oa_stream_open_ioctl+0x169/0x38a0
   xe_observation_ioctl+0x19f/0x270
   drm_ioctl_kernel+0x1f4/0x410

Fix this by moving default oa unit assignment before the dereference.

Reported-by: Peter Senna Tschudin <peter.senna@linux.intel.com>
Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/6840


Fixes: c7e269aa ("drm/xe/oa: Allow exec_queue's to be specified only for OAG OA unit")
Signed-off-by: Ashutosh Dixit <ashutosh.dixit@intel.com>
Reviewed-by: Harish Chegondi <harish.chegondi@intel.com>
Link: https://patch.msgid.link/20251212061850.1565459-2-ashutosh.dixit@intel.com

parent 487524c8

drivers/gpu/drm/xe/xe_oa.c

+4 −4

Original line number	Diff line number	Diff line
		@@ -1967,10 +1967,6 @@ static int xe_oa_assign_hwe(struct xe_oa oa, struct xe_oa_open_param param)
		enum xe_hw_engine_id id;
		int ret = 0;

		/* If not provided, OA unit defaults to OA unit 0 as per uapi */
		if (!param->oa_unit)
		param->oa_unit = &xe_root_mmio_gt(oa->xe)->oa.oa_unit[0];

		/* When we have an exec_q, get hwe from the exec_q */
		if (param->exec_q) {
		param->hwe = xe_gt_hw_engine(param->exec_q->gt, param->exec_q->class,
		@@ -2036,6 +2032,10 @@ int xe_oa_stream_open_ioctl(struct drm_device dev, u64 data, struct drm_file f
		if (ret)
		return ret;

		/* If not provided, OA unit defaults to OA unit 0 as per uapi */
		if (!param.oa_unit)
		param.oa_unit = &xe_root_mmio_gt(oa->xe)->oa.oa_unit[0];

		if (param.exec_queue_id > 0) {
		/* An exec_queue is only needed for OAR/OAC functionality on OAG */
		if (XE_IOCTL_DBG(oa->xe, param.oa_unit->type != DRM_XE_OA_UNIT_TYPE_OAG))