From: Michal Wajdeczko <michal.wajdeczko@intel.com>
To: Satyanarayana K V P <satyanarayana.k.v.p@intel.com>,
<intel-xe@lists.freedesktop.org>
Cc: "Rodrigo Vivi" <rodrigo.vivi@intel.com>,
"Piotr Piórkowski" <piotr.piorkowski@intel.com>,
"Matthew Brost" <matthew.brost@intel.com>,
"Thomas Hellström" <thomas.hellstrom@linux.intel.com>,
"Michał Winiarski" <michal.winiarski@intel.com>,
"Dunajski Bartosz" <bartosz.dunajski@intel.com>,
"Ashutosh Dixit" <ashutosh.dixit@intel.com>,
dri-devel@lists.freedesktop.org
Subject: Re: [PATCH v10 1/3] drm/xe/pf: Restrict device query responses in admin-only PF mode
Date: Wed, 8 Apr 2026 19:13:00 +0200 [thread overview]
Message-ID: <bc61447f-9b95-46b7-8a92-3ee3fa887711@intel.com> (raw)
In-Reply-To: <20260408160514.2388689-6-satyanarayana.k.v.p@intel.com>
On 4/8/2026 6:05 PM, Satyanarayana K V P wrote:
> When a PF is configured in admin-only mode, it is intended for management
> only and must not expose workload-facing capabilities to userspace.
>
> Limit the exposed ioctl set in admin-only PF mode to XE_DEVICE_QUERY and
> XE_OBSERVATION, and suppress capability-bearing query payloads so that
> the userspace cannot discover execution-related device details in this
> mode.
>
> Signed-off-by: Satyanarayana K V P <satyanarayana.k.v.p@intel.com>
> Cc: Michal Wajdeczko <michal.wajdeczko@intel.com>
> Cc: Rodrigo Vivi <rodrigo.vivi@intel.com>
> Cc: Piotr Piórkowski <piotr.piorkowski@intel.com>
> Cc: Matthew Brost <matthew.brost@intel.com>
> Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com>
> Cc: Michał Winiarski <michal.winiarski@intel.com>
> Cc: Dunajski Bartosz <bartosz.dunajski@intel.com>
> Cc: Ashutosh Dixit <ashutosh.dixit@intel.com>
> Cc: dri-devel@lists.freedesktop.org
> Acked-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
> Acked-by: Ashutosh Dixit <ashutosh.dixit@intel.com>
>
> ---
> V9 -> V10:
> - Moved some parts of admin_only_pf mode under CONFIG_PCI_IOV config
> option (Michal).
> - Updated commit message.
>
> V8 -> V9:
> - Memory regions are skipped in case of admin_only_pf mode (Michal)
> - removed .dumb_create, .dumb_map_offset and .show_fdinfo device specific
> operations in admin-only mode (Michal).
>
> V7 -> V8:
> - Fixed issues reported by CI.Hooks
> - Updated commit message (Ashutosh)
> - Removed gem_prime_import from admin_only_driver structure (Michal)
>
> V6 -> V7:
> - Allowed xe_observation_ioctl as well with admin-only PF (Ashutosh,
> Michal).
> - Updated commit message with steps to enable admin-only mode (Rodrigo).
>
> V5 -> V6:
> - Updated commit message.
> - Return number of engines and memory regions as zero instead of
> returning query size as zero (Michal Wajdeczko).
> - Allow all other query IOCTLs excepts query_engines and
> query_mem_regions (Michal Wajdeczko).
>
> V4 -> V5:
> - Updated commit message (Matt B).
> - Introduced new driver_admin_only_pf structure (Michal Wajdeczko).
> - Updated all query configs (Michal Wajdeczko).
> - Renamed xe_device_is_admin_only() to xe_device_is_admin_only_pf()
> - Fixed other review comments (Michal Wajdeczko).
>
> V3 -> V4:
> - Suppressed device capabilities in admin-only PF mode. (Wajdeczko)
>
> V2 -> V3:
> - Introduced new helper function xe_debugfs_create_files() to create
> debugfs entries based on admin_only_pf mode or normal mode.
>
> V1 -> V2:
> - Rebased to latest drm-tip.
> - Update update_minor_dev() to debugfs_minor_dev().
> ---
> drivers/gpu/drm/xe/xe_device.c | 62 +++++++++++++++++++++++++++++--
> drivers/gpu/drm/xe/xe_device.h | 1 +
> drivers/gpu/drm/xe/xe_hw_engine.c | 3 ++
> drivers/gpu/drm/xe/xe_query.c | 8 +++-
> 4 files changed, 69 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/gpu/drm/xe/xe_device.c b/drivers/gpu/drm/xe/xe_device.c
> index cbce1d0ffe48..b0bbb079ca8e 100644
> --- a/drivers/gpu/drm/xe/xe_device.c
> +++ b/drivers/gpu/drm/xe/xe_device.c
> @@ -25,6 +25,7 @@
> #include "regs/xe_regs.h"
> #include "xe_bo.h"
> #include "xe_bo_evict.h"
> +#include "xe_configfs.h"
> #include "xe_debugfs.h"
> #include "xe_defaults.h"
> #include "xe_devcoredump.h"
> @@ -390,7 +391,7 @@ bool xe_is_xe_file(const struct file *file)
> return file->f_op == &xe_driver_fops;
> }
>
> -static struct drm_driver driver = {
> +static struct drm_driver regular_driver = {
> .driver_features =
> DRIVER_GEM |
> DRIVER_RENDER | DRIVER_SYNCOBJ |
> @@ -415,6 +416,42 @@ static struct drm_driver driver = {
> .patchlevel = DRIVER_PATCHLEVEL,
> };
>
> +#ifdef CONFIG_PCI_IOV
> +static const struct drm_ioctl_desc xe_ioctls_admin_only[] = {
> + DRM_IOCTL_DEF_DRV(XE_DEVICE_QUERY, xe_query_ioctl, DRM_RENDER_ALLOW),
> + DRM_IOCTL_DEF_DRV(XE_OBSERVATION, xe_observation_ioctl, DRM_RENDER_ALLOW),
> +};
> +
> +static struct drm_driver admin_only_driver = {
> + .driver_features =
> + DRIVER_GEM | DRIVER_RENDER | DRIVER_GEM_GPUVA,
> + .open = xe_file_open,
> + .postclose = xe_file_close,
> + .ioctls = xe_ioctls_admin_only,
> + .num_ioctls = ARRAY_SIZE(xe_ioctls_admin_only),
> + .fops = &xe_driver_fops,
> + .name = DRIVER_NAME,
> + .desc = DRIVER_DESC,
> + .major = DRIVER_MAJOR,
> + .minor = DRIVER_MINOR,
> + .patchlevel = DRIVER_PATCHLEVEL,
> +};
> +#endif
> +
> +/**
> + * xe_device_is_admin_only() - Check whether device is admin only or not.
> + * @xe: the &xe_device to check
> + *
> + * Return: true if the device is admin only, false otherwise.
> + */
> +bool xe_device_is_admin_only(const struct xe_device *xe)
> +{
> +#ifdef CONFIG_PCI_IOV
> + return xe->drm.driver == &admin_only_driver;
> +#endif
> + return false;
nit: maybe put this under #else ?
or better, provide an inline with false in .h
#ifdef CONFIG_PCI_IOV
bool xe_device_is_admin_only(const struct xe_device *xe);
#else
static inline bool xe_device_is_admin_only(const struct xe_device *xe)
{
return false;
}
#endif
> +}
> +
> static void xe_device_destroy(struct drm_device *dev, void *dummy)
> {
> struct xe_device *xe = to_xe_device(dev);
> @@ -439,16 +476,26 @@ static void xe_device_destroy(struct drm_device *dev, void *dummy)
> struct xe_device *xe_device_create(struct pci_dev *pdev,
> const struct pci_device_id *ent)
> {
> + struct drm_driver *driver = ®ular_driver;
> struct xe_device *xe;
> int err;
>
> - xe_display_driver_set_hooks(&driver);
> +#ifdef CONFIG_PCI_IOV
> + /*
> + * Since XE device is not initialized yet, read from configfs
> + * directly to decide whether we are in admin-only PF mode or not.
> + */
> + if (xe_configfs_admin_only_pf(pdev))
> + driver = &admin_only_driver;
> +#endif
> +
> + xe_display_driver_set_hooks(driver);
>
> - err = aperture_remove_conflicting_pci_devices(pdev, driver.name);
> + err = aperture_remove_conflicting_pci_devices(pdev, driver->name);
> if (err)
> return ERR_PTR(err);
>
> - xe = devm_drm_dev_alloc(&pdev->dev, &driver, struct xe_device, drm);
> + xe = devm_drm_dev_alloc(&pdev->dev, driver, struct xe_device, drm);
> if (IS_ERR(xe))
> return xe;
>
> @@ -708,6 +755,13 @@ int xe_device_probe_early(struct xe_device *xe)
>
> xe_sriov_probe_early(xe);
>
> +#ifdef CONFIG_PCI_IOV
nit: not sure if we need this #ifdef here as for !PCI_IOV below code should be
optimized-out by the compiler anyway, since is_admin_only will be always false
> + if (xe_device_is_admin_only(xe) && !IS_SRIOV_PF(xe)) {
> + xe_err(xe, "Can't run Admin-only mode without SR-IOV PF mode!\n");
> + return -ENODEV;
> + }
> +#endif
> +
> if (IS_SRIOV_VF(xe))
> vf_update_device_info(xe);
>
> diff --git a/drivers/gpu/drm/xe/xe_device.h b/drivers/gpu/drm/xe/xe_device.h
> index e4b9de8d8e95..c220f2f1352f 100644
> --- a/drivers/gpu/drm/xe/xe_device.h
> +++ b/drivers/gpu/drm/xe/xe_device.h
> @@ -43,6 +43,7 @@ static inline struct xe_device *ttm_to_xe_device(struct ttm_device *ttm)
> return container_of(ttm, struct xe_device, ttm);
> }
>
> +bool xe_device_is_admin_only(const struct xe_device *xe);
nit: can we move it little down, maybe at closer to xe_device_wmb?
this is not the most important xe_device function, and prototypes here
are just for high-level create/probe/remove/shutdown functions
and if we go with the inline in .h then it could be placed near the eof
> struct xe_device *xe_device_create(struct pci_dev *pdev,
> const struct pci_device_id *ent);
> int xe_device_probe_early(struct xe_device *xe);
> diff --git a/drivers/gpu/drm/xe/xe_hw_engine.c b/drivers/gpu/drm/xe/xe_hw_engine.c
> index 6dd05fac6595..2f9c1c063f16 100644
> --- a/drivers/gpu/drm/xe/xe_hw_engine.c
> +++ b/drivers/gpu/drm/xe/xe_hw_engine.c
> @@ -1026,6 +1026,9 @@ bool xe_hw_engine_is_reserved(struct xe_hw_engine *hwe)
> struct xe_gt *gt = hwe->gt;
> struct xe_device *xe = gt_to_xe(gt);
>
> + if (xe_device_is_admin_only(xe))
> + return true;
> +
> if (hwe->class == XE_ENGINE_CLASS_OTHER)
> return true;
>
> diff --git a/drivers/gpu/drm/xe/xe_query.c b/drivers/gpu/drm/xe/xe_query.c
> index d84d6a422c45..0dc5a9bb481a 100644
> --- a/drivers/gpu/drm/xe/xe_query.c
> +++ b/drivers/gpu/drm/xe/xe_query.c
> @@ -231,6 +231,9 @@ static size_t calc_mem_regions_size(struct xe_device *xe)
> u32 num_managers = 1;
> int i;
>
> + if (xe_device_is_admin_only(xe))
> + return sizeof(struct drm_xe_query_mem_regions);
> +
> for (i = XE_PL_VRAM0; i <= XE_PL_VRAM1; ++i)
> if (ttm_manager_type(&xe->ttm, i))
> num_managers++;
> @@ -259,6 +262,9 @@ static int query_mem_regions(struct xe_device *xe,
> if (XE_IOCTL_DBG(xe, !mem_regions))
> return -ENOMEM;
>
> + if (xe_device_is_admin_only(xe))
> + goto out;
> +
> man = ttm_manager_type(&xe->ttm, XE_PL_TT);
> mem_regions->mem_regions[0].mem_class = DRM_XE_MEM_REGION_CLASS_SYSMEM;
> /*
> @@ -296,7 +302,7 @@ static int query_mem_regions(struct xe_device *xe,
> mem_regions->num_mem_regions++;
> }
> }
> -
> +out:
nit: "Choose label names which say what the goto does" - see [1]
so maybe as this is not pure 'out' but we're also doing copying:
goto user_copy;
...
user_copy:
[1] https://docs.kernel.org/process/coding-style.html#centralized-exiting-of-functions
> if (!copy_to_user(query_ptr, mem_regions, size))
> ret = 0;
> else
next prev parent reply other threads:[~2026-04-08 17:13 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-08 16:05 [PATCH v10 0/3] Do not create drm device for PF only admin mode Satyanarayana K V P
2026-04-08 16:05 ` [PATCH v10 1/3] drm/xe/pf: Restrict device query responses in admin-only PF mode Satyanarayana K V P
2026-04-08 17:13 ` Michal Wajdeczko [this message]
2026-04-08 16:05 ` [PATCH v10 2/3] drm/xe/tests: Fix pf_set_admin_mode() after sriov.pf.admin_only removal Satyanarayana K V P
2026-04-08 17:25 ` Michal Wajdeczko
2026-04-08 16:05 ` [PATCH v10 3/3] drm/xe/pf: Derive admin-only PF mode from xe_device state Satyanarayana K V P
2026-04-08 16:18 ` ✗ CI.KUnit: failure for Do not create drm device for PF only admin mode (rev9) Patchwork
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=bc61447f-9b95-46b7-8a92-3ee3fa887711@intel.com \
--to=michal.wajdeczko@intel.com \
--cc=ashutosh.dixit@intel.com \
--cc=bartosz.dunajski@intel.com \
--cc=dri-devel@lists.freedesktop.org \
--cc=intel-xe@lists.freedesktop.org \
--cc=matthew.brost@intel.com \
--cc=michal.winiarski@intel.com \
--cc=piotr.piorkowski@intel.com \
--cc=rodrigo.vivi@intel.com \
--cc=satyanarayana.k.v.p@intel.com \
--cc=thomas.hellstrom@linux.intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.