[PATCH] drm/panthor: Check VMA boundaries for PMD mappings

[PATCH] drm/panthor: Check VMA boundaries for PMD mappings

[Christian A. Ehrhardt]

When checking a different patch[1] sashiko AI pointed out that
panthor needs the same fix[2]:

In the ->huge_fault handler do not install a PMD huge page
mapping if the huge page exceeds the boundaries of the VMA.

[1] https://lore.kernel.org/lkml/20260622215718.1532689-1-lk@c--e.de/
[2] https://sashiko.dev/#/patchset/20260622215718.1532689-1-lk%40c--e.de

Cc: Boris Brezillon <boris.brezillon@collabora.com>
Cc: Steven Price <steven.price@arm.com>
Cc: Liviu Dudau <liviu.dudau@arm.com>
Fixes: 68cbf96b1e9b ("drm/panthor: Part ways with drm_gem_shmem_object")
Signed-off-by: Christian A. Ehrhardt <lk@c--e.de>
---
 drivers/gpu/drm/panthor/panthor_gem.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

NOTE:
The panthor version is only compile tested because I don't
have the hardware. However, the code is identical to that
fixed in [1] and I have a reproducer for that.

No need for for stable backports. The code is new in 7.1.

diff --git a/drivers/gpu/drm/panthor/panthor_gem.c b/drivers/gpu/drm/panthor/panthor_gem.c
index a1e2eb1ca7bb..54535bae2b0c 100644
--- a/drivers/gpu/drm/panthor/panthor_gem.c
+++ b/drivers/gpu/drm/panthor/panthor_gem.c
@@ -802,9 +802,13 @@ static vm_fault_t insert_page(struct vm_fault *vmf, unsigned int order, struct p
 	} else if (order == PMD_ORDER) {
 		unsigned long pfn = page_to_pfn(page);
 		unsigned long paddr = pfn << PAGE_SHIFT;
+		struct vm_area_struct *vma = vmf->vma;
+		unsigned long start = ALIGN_DOWN(vmf->address, PMD_SIZE);
+		unsigned long end = start + PMD_SIZE;
+		bool in_range = vma->vm_start <= start && end <= vma->vm_end;
 		bool aligned = (vmf->address & ~PMD_MASK) == (paddr & ~PMD_MASK);
 
-		if (aligned &&
+		if (aligned && in_range &&
 		    folio_test_pmd_mappable(page_folio(page))) {
 			pfn &= PMD_MASK >> PAGE_SHIFT;
 			return vmf_insert_pfn_pmd(vmf, pfn, vmf->flags & FAULT_FLAG_WRITE);
-- 
2.43.0

Re: [PATCH] drm/panthor: Check VMA boundaries for PMD mappings

[Matthew Wilcox]

On Tue, Jun 23, 2026 at 08:19:42PM +0200, Christian A. Ehrhardt wrote:
> The panthor version is only compile tested because I don't
> have the hardware. However, the code is identical to that
> fixed in [1] and I have a reproducer for that.
> 
> No need for for stable backports. The code is new in 7.1.

What documentation did you need to see to persuade you to use
map_pages instead of writing a huge_fault handler?

(yes, you're all Doing It Wrong, please stop, but help us help you)

Re: [PATCH] drm/panthor: Check VMA boundaries for PMD mappings

[Boris Brezillon]

Hi Matthew,

On Tue, 23 Jun 2026 19:33:42 +0100
Matthew Wilcox <willy@infradead.org> wrote:

> On Tue, Jun 23, 2026 at 08:19:42PM +0200, Christian A. Ehrhardt wrote:
> > The panthor version is only compile tested because I don't
> > have the hardware. However, the code is identical to that
> > fixed in [1] and I have a reproducer for that.
> > 
> > No need for for stable backports. The code is new in 7.1.  
> 
> What documentation did you need to see to persuade you to use
> map_pages instead of writing a huge_fault handler?
> 
> (yes, you're all Doing It Wrong, please stop, but help us help you)

We tried [1], but couldn't figure out how to make it work with the
current locking in the gem_shmem logic, so we decided to postpone the
map_page() addition. We plan to get back to it and implement map_page(),
but my understanding is that we still need the fault()+huge_fault() as a
fallback for when we can't acquire the locks we need to service the
fault. Oh, and BTW, we had just the fault() implementation in the
version that was merged, no huge_fault(), but this fault()
implementation was mapping PMDs which led to another issue [2] that
forced us to add this huge_fault() implem.

I'm all for improving that, but if I'm completely honest, there are
times where our MM-related questions are left unanswered ([3] is one
example), and it gets hard to figure out how to do things properly
without proper guidance from the MM experts. I thought [2] was one of
these, but apparently the MM list/maintainers were not Cc-ed on that
one, oops.

Just to be clear, I'm not blaming anyone here (I know how busy subsystem
maintainers are in general), I'm just trying to explain how we ended up
with these new huge_fault() implementations (one being a fork of the
original implementation) that you were not expecting, but also wanted to
point out that we've been pretty transparent about where we were heading
during the submission process, and we didn't get a clear "no, stop
there!" back then.

Anyway, I'll try to get back to this map_pages() implementation, and
see how we can handle the fallback when locks can't be acquired in that
path (I assume this would mean no PMD mapping in the fallback path if
we get rid of huge_fault()).

Regards,

Boris

[1]https://patchew.org/linux/20251015153018.43735-1-loic.molinari@collabora.com/20251015153018.43735-4-loic.molinari@collabora.com/
[2]https://lore.kernel.org/all/20260319015224.46896-1-pedrodemargomes@gmail.com/
[3]https://lore.kernel.org/all/20260319155028.291f3157@fedora/

Re: [PATCH] drm/panthor: Check VMA boundaries for PMD mappings

[Boris Brezillon]

On Tue, 23 Jun 2026 22:03:41 +0200
Boris Brezillon <boris.brezillon@collabora.com> wrote:

> Anyway, I'll try to get back to this map_pages() implementation, and
> see how we can handle the fallback when locks can't be acquired in that
> path (I assume this would mean no PMD mapping in the fallback path if
> we get rid of huge_fault()).

More on that. I had a brief look at map_pages()/fault_around(), and it
seems it's only meant to populate PTE entries, not PMDs. Part of the
perf boost we were looking for when adding huge_fault() was limiting
the number of faults when adjacent pages are touched, but the other
part was limiting the page table depth to optimize page-table walks, so
if we're implementing map_pages() without huge_fault(), we basically
lose the second part of the optimization. I'd need to check how much
perf we leave on the table with that.

Re: [PATCH] drm/panthor: Check VMA boundaries for PMD mappings

[sashiko-bot]

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] VMA page offset calculation ignores VMA splits, causing the wrong GEM pages to be mapped
--

commit 0ed0c5c04749e14eb0003e5dbc760b6b5b001ce2
Author: Christian A. Ehrhardt <lk@c--e.de>

drm/panthor: Check VMA boundaries for PMD mappings

In the ->huge_fault handler do not install a PMD huge page mapping if the
huge page exceeds the boundaries of the VMA.

Link: https://lore.kernel.org/lkml/20260622215718.1532689-1-lk@c--e.de/
Link: https://sashiko.dev/#/patchset/20260622215718.1532689-1-lk%40c--e.de

> diff --git a/drivers/gpu/drm/panthor/panthor_gem.c b/drivers/gpu/drm/panthor/panthor_gem.c
> index a1e2eb1ca7bbe..54535bae2b0cf 100644
> --- a/drivers/gpu/drm/panthor/panthor_gem.c
> +++ b/drivers/gpu/drm/panthor/panthor_gem.c
> @@ -802,9 +802,13 @@ static vm_fault_t insert_page(struct vm_fault *vmf, unsigned int order, struct p
>  	} else if (order == PMD_ORDER) {
>  		unsigned long pfn = page_to_pfn(page);
>  		unsigned long paddr = pfn << PAGE_SHIFT;
> +		struct vm_area_struct *vma = vmf->vma;
> +		unsigned long start = ALIGN_DOWN(vmf->address, PMD_SIZE);
> +		unsigned long end = start + PMD_SIZE;
> +		bool in_range = vma->vm_start <= start && end <= vma->vm_end;
>  		bool aligned = (vmf->address & ~PMD_MASK) == (paddr & ~PMD_MASK);
>  
> -		if (aligned &&
> +		if (aligned && in_range &&
>  		    folio_test_pmd_mappable(page_folio(page))) {
>  			pfn &= PMD_MASK >> PAGE_SHIFT;
>  			return vmf_insert_pfn_pmd(vmf, pfn, vmf->flags & FAULT_FLAG_WRITE);

[Severity: High]
This isn't a bug introduced by this patch, but looking further down in
panthor_gem_any_fault():

drivers/gpu/drm/panthor/panthor_gem.c:panthor_gem_any_fault() {
    ...
	/* Offset to faulty address in the VMA. */
	page_offset = vmf->pgoff - vma->vm_pgoff;
    ...
}

Does this VMA page offset calculation ignore VMA splits?

If a userspace process maps a Panthor GEM object and then unmaps the first
page using munmap(), the core memory management subsystem splits the VMA and
increments vma->vm_pgoff by 1.

When a page fault subsequently occurs at the new VMA start address, both
vmf->pgoff and vma->vm_pgoff have advanced by 1, which means page_offset
incorrectly evaluates to 0 instead of 1.

Could this logic error cause the fault handler to map incorrect physical
pages (bo->backing.pages[0] instead of bo->backing.pages[1]) from the GEM
object into userspace memory?

The calculation should probably subtract the GEM object's base fake offset
using drm_vma_node_start(&bo->base.vma_node).

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260623181942.1536598-1-lk@c--e.de?part=1