Skip to content

Commit a60f5ee

Browse files
airliedairlied
committed
Merge tag 'drm-xe-fixes-2025-08-21-1' of https://gitlab.freedesktop.org/drm/xe/kernel into drm-fixes
- xe_vm_create fixes (Piotr) - Fix vm_bind_ioctl double free (Christoph) Signed-off-by: Dave Airlie <[email protected]> From: Rodrigo Vivi <[email protected]> Link: https://lore.kernel.org/r/[email protected]
2 parents f9915c3 + 111fb43 commit a60f5ee

File tree

4 files changed

+26
-28
lines changed

4 files changed

+26
-28
lines changed

drivers/gpu/drm/xe/xe_migrate.c

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -408,7 +408,7 @@ struct xe_migrate *xe_migrate_init(struct xe_tile *tile)
408408

409409
/* Special layout, prepared below.. */
410410
vm = xe_vm_create(xe, XE_VM_FLAG_MIGRATION |
411-
XE_VM_FLAG_SET_TILE_ID(tile));
411+
XE_VM_FLAG_SET_TILE_ID(tile), NULL);
412412
if (IS_ERR(vm))
413413
return ERR_CAST(vm);
414414

drivers/gpu/drm/xe/xe_pxp_submit.c

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -101,7 +101,7 @@ static int allocate_gsc_client_resources(struct xe_gt *gt,
101101
xe_assert(xe, hwe);
102102

103103
/* PXP instructions must be issued from PPGTT */
104-
vm = xe_vm_create(xe, XE_VM_FLAG_GSC);
104+
vm = xe_vm_create(xe, XE_VM_FLAG_GSC, NULL);
105105
if (IS_ERR(vm))
106106
return PTR_ERR(vm);
107107

drivers/gpu/drm/xe/xe_vm.c

Lines changed: 23 additions & 25 deletions
Original file line numberDiff line numberDiff line change
@@ -1640,7 +1640,7 @@ static void xe_vm_free_scratch(struct xe_vm *vm)
16401640
}
16411641
}
16421642

1643-
struct xe_vm *xe_vm_create(struct xe_device *xe, u32 flags)
1643+
struct xe_vm *xe_vm_create(struct xe_device *xe, u32 flags, struct xe_file *xef)
16441644
{
16451645
struct drm_gem_object *vm_resv_obj;
16461646
struct xe_vm *vm;
@@ -1661,9 +1661,10 @@ struct xe_vm *xe_vm_create(struct xe_device *xe, u32 flags)
16611661
vm->xe = xe;
16621662

16631663
vm->size = 1ull << xe->info.va_bits;
1664-
16651664
vm->flags = flags;
16661665

1666+
if (xef)
1667+
vm->xef = xe_file_get(xef);
16671668
/**
16681669
* GSC VMs are kernel-owned, only used for PXP ops and can sometimes be
16691670
* manipulated under the PXP mutex. However, the PXP mutex can be taken
@@ -1794,6 +1795,20 @@ struct xe_vm *xe_vm_create(struct xe_device *xe, u32 flags)
17941795
if (number_tiles > 1)
17951796
vm->composite_fence_ctx = dma_fence_context_alloc(1);
17961797

1798+
if (xef && xe->info.has_asid) {
1799+
u32 asid;
1800+
1801+
down_write(&xe->usm.lock);
1802+
err = xa_alloc_cyclic(&xe->usm.asid_to_vm, &asid, vm,
1803+
XA_LIMIT(1, XE_MAX_ASID - 1),
1804+
&xe->usm.next_asid, GFP_KERNEL);
1805+
up_write(&xe->usm.lock);
1806+
if (err < 0)
1807+
goto err_unlock_close;
1808+
1809+
vm->usm.asid = asid;
1810+
}
1811+
17971812
trace_xe_vm_create(vm);
17981813

17991814
return vm;
@@ -1814,6 +1829,8 @@ struct xe_vm *xe_vm_create(struct xe_device *xe, u32 flags)
18141829
for_each_tile(tile, xe, id)
18151830
xe_range_fence_tree_fini(&vm->rftree[id]);
18161831
ttm_lru_bulk_move_fini(&xe->ttm, &vm->lru_bulk_move);
1832+
if (vm->xef)
1833+
xe_file_put(vm->xef);
18171834
kfree(vm);
18181835
if (flags & XE_VM_FLAG_LR_MODE)
18191836
xe_pm_runtime_put(xe);
@@ -2059,9 +2076,8 @@ int xe_vm_create_ioctl(struct drm_device *dev, void *data,
20592076
struct xe_device *xe = to_xe_device(dev);
20602077
struct xe_file *xef = to_xe_file(file);
20612078
struct drm_xe_vm_create *args = data;
2062-
struct xe_tile *tile;
20632079
struct xe_vm *vm;
2064-
u32 id, asid;
2080+
u32 id;
20652081
int err;
20662082
u32 flags = 0;
20672083

@@ -2097,29 +2113,10 @@ int xe_vm_create_ioctl(struct drm_device *dev, void *data,
20972113
if (args->flags & DRM_XE_VM_CREATE_FLAG_FAULT_MODE)
20982114
flags |= XE_VM_FLAG_FAULT_MODE;
20992115

2100-
vm = xe_vm_create(xe, flags);
2116+
vm = xe_vm_create(xe, flags, xef);
21012117
if (IS_ERR(vm))
21022118
return PTR_ERR(vm);
21032119

2104-
if (xe->info.has_asid) {
2105-
down_write(&xe->usm.lock);
2106-
err = xa_alloc_cyclic(&xe->usm.asid_to_vm, &asid, vm,
2107-
XA_LIMIT(1, XE_MAX_ASID - 1),
2108-
&xe->usm.next_asid, GFP_KERNEL);
2109-
up_write(&xe->usm.lock);
2110-
if (err < 0)
2111-
goto err_close_and_put;
2112-
2113-
vm->usm.asid = asid;
2114-
}
2115-
2116-
vm->xef = xe_file_get(xef);
2117-
2118-
/* Record BO memory for VM pagetable created against client */
2119-
for_each_tile(tile, xe, id)
2120-
if (vm->pt_root[id])
2121-
xe_drm_client_add_bo(vm->xef->client, vm->pt_root[id]->bo);
2122-
21232120
#if IS_ENABLED(CONFIG_DRM_XE_DEBUG_MEM)
21242121
/* Warning: Security issue - never enable by default */
21252122
args->reserved[0] = xe_bo_main_addr(vm->pt_root[0]->bo, XE_PAGE_SIZE);
@@ -3421,6 +3418,7 @@ static int vm_bind_ioctl_check_args(struct xe_device *xe, struct xe_vm *vm,
34213418
free_bind_ops:
34223419
if (args->num_binds > 1)
34233420
kvfree(*bind_ops);
3421+
*bind_ops = NULL;
34243422
return err;
34253423
}
34263424

@@ -3527,7 +3525,7 @@ int xe_vm_bind_ioctl(struct drm_device *dev, void *data, struct drm_file *file)
35273525
struct xe_exec_queue *q = NULL;
35283526
u32 num_syncs, num_ufence = 0;
35293527
struct xe_sync_entry *syncs = NULL;
3530-
struct drm_xe_vm_bind_op *bind_ops;
3528+
struct drm_xe_vm_bind_op *bind_ops = NULL;
35313529
struct xe_vma_ops vops;
35323530
struct dma_fence *fence;
35333531
int err;

drivers/gpu/drm/xe/xe_vm.h

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -26,7 +26,7 @@ struct xe_sync_entry;
2626
struct xe_svm_range;
2727
struct drm_exec;
2828

29-
struct xe_vm *xe_vm_create(struct xe_device *xe, u32 flags);
29+
struct xe_vm *xe_vm_create(struct xe_device *xe, u32 flags, struct xe_file *xef);
3030

3131
struct xe_vm *xe_vm_lookup(struct xe_file *xef, u32 id);
3232
int xe_vma_cmp_vma_cb(const void *key, const struct rb_node *node);

0 commit comments

Comments
 (0)