Commit dd8c01e4 authored by Matthew Auld's avatar Matthew Auld
Browse files

drm/xe/userptr: properly setup pfn_flags_mask 



Currently we just leave it uninitialised, which at first looks harmless,
however we also don't zero out the pfn array, and with pfn_flags_mask
the idea is to be able set individual flags for a given range of pfn or
completely ignore them, outside of default_flags. So here we end up with
pfn[i] & pfn_flags_mask, and if both are uninitialised we might get back
an unexpected flags value, like asking for read only with default_flags,
but getting back write on top, leading to potentially bogus behaviour.

To fix this ensure we zero the pfn_flags_mask, such that hmm only
considers the default_flags and not also the initial pfn[i] value.

v2 (Thomas):
 - Prefer proper initializer.

Fixes: 81e058a3 ("drm/xe: Introduce helper to populate userptr")
Signed-off-by: default avatarMatthew Auld <matthew.auld@intel.com>
Cc: Matthew Brost <matthew.brost@intel.com>
Cc: Thomas Hellström <thomas.hellstrom@intel.com>
Cc: <stable@vger.kernel.org> # v6.10+
Reviewed-by: default avatarThomas Hellström <thomas.hellstrom@linux.intel.com>
Reviewed-by: default avatarTejas Upadhyay <tejas.upadhyay@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20250226174748.294285-2-matthew.auld@intel.com
parent 18778b5f

drivers/gpu/drm/xe/xe_hmm.c

+10 −8
Original line number Diff line number Diff line
@@ -166,13 +166,20 @@ int xe_hmm_userptr_populate_range(struct xe_userptr_vma *uvma, 
{

	unsigned long timeout =

		jiffies + msecs_to_jiffies(HMM_RANGE_DEFAULT_TIMEOUT);

	unsigned long *pfns, flags = HMM_PFN_REQ_FAULT;

	unsigned long *pfns;

	struct xe_userptr *userptr;

	struct xe_vma *vma = &uvma->vma;

	u64 userptr_start = xe_vma_userptr(vma);

	u64 userptr_end = userptr_start + xe_vma_size(vma);

	struct xe_vm *vm = xe_vma_vm(vma);

	struct hmm_range hmm_range;

	struct hmm_range hmm_range = {

		.pfn_flags_mask = 0, /* ignore pfns */

		.default_flags = HMM_PFN_REQ_FAULT,

		.start = userptr_start,

		.end = userptr_end,

		.notifier = &uvma->userptr.notifier,

		.dev_private_owner = vm->xe,

	};

	bool write = !xe_vma_read_only(vma);

	unsigned long notifier_seq;

	u64 npages;
@@ -199,19 +206,14 @@ int xe_hmm_userptr_populate_range(struct xe_userptr_vma *uvma, 
		return -ENOMEM;



	if (write)

		flags |= HMM_PFN_REQ_WRITE;

		hmm_range.default_flags |= HMM_PFN_REQ_WRITE;



	if (!mmget_not_zero(userptr->notifier.mm)) {

		ret = -EFAULT;

		goto free_pfns;

	}



	hmm_range.default_flags = flags;

	hmm_range.hmm_pfns = pfns;

	hmm_range.notifier = &userptr->notifier;

	hmm_range.start = userptr_start;

	hmm_range.end = userptr_end;

	hmm_range.dev_private_owner = vm->xe;



	while (true) {

		hmm_range.notifier_seq = mmu_interval_read_begin(&userptr->notifier);