Intel-XE Archive on lore.kernel.org
From: Arvind Yadav <arvind.yadav@intel.com>
To: intel-xe@lists.freedesktop.org
Cc: matthew.brost@intel.com, himal.prasad.ghimiray@intel.com,
	thomas.hellstrom@linux.intel.com, pallavi.mishra@intel.com
Subject: [RFC v2 6/9] drm/xe/bo: Prevent mmap of purged buffer objects
Date: Mon,  1 Dec 2025 11:20:16 +0530
Message-ID: <20251201055309.854074-7-arvind.yadav@intel.com>
In-Reply-To: <20251201055309.854074-1-arvind.yadav@intel.com>

Fail DRM_IOCTL_XE_GEM_MMAP_OFFSET with -EINVAL when called on purged
buffer objects to provide early error detection instead of allowing
deferred SIGBUS on memory access.

Problem:
  The mmap offset ioctl (DRM_IOCTL_XE_GEM_MMAP_OFFSET) returns a file
  offset that userspace can pass to mmap() to map GPU memory into its
  address space. For purged BOs, the backing store has been freed, but
  the VMA node offset remains valid. Without this check:

  1. Userspace successfully gets mmap offset for purged BO
  2. mmap() succeeds (VMA is created but has no backing pages)
  3. Any memory access triggers CPU page fault
  4. xe_bo_cpu_fault() detects purged state and returns VM_FAULT_SIGBUS

v2:
  - Fix reference counting: use drm_gem_object_put() instead of xe_bo_put()
    to properly balance drm_gem_object_lookup() (review feedback).
  - Added xe_bo_is_purged(bo) instead of atomic_read.

Cc: Matthew Brost <matthew.brost@intel.com>
Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com>
Cc: Himal Prasad Ghimiray <himal.prasad.ghimiray@intel.com>
Signed-off-by: Arvind Yadav <arvind.yadav@intel.com>
---
 drivers/gpu/drm/xe/xe_bo.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/drivers/gpu/drm/xe/xe_bo.c b/drivers/gpu/drm/xe/xe_bo.c
index 7f5bcf114ed4..dbbfb58ac657 100644
--- a/drivers/gpu/drm/xe/xe_bo.c
+++ b/drivers/gpu/drm/xe/xe_bo.c
@@ -3346,6 +3346,7 @@ int xe_gem_mmap_offset_ioctl(struct drm_device *dev, void *data,
 	struct xe_device *xe = to_xe_device(dev);
 	struct drm_xe_gem_mmap_offset *args = data;
 	struct drm_gem_object *gem_obj;
+	struct xe_bo *bo;
 
 	if (XE_IOCTL_DBG(xe, args->extensions) ||
 	    XE_IOCTL_DBG(xe, args->reserved[0] || args->reserved[1]))
@@ -3375,6 +3376,16 @@ int xe_gem_mmap_offset_ioctl(struct drm_device *dev, void *data,
 	if (XE_IOCTL_DBG(xe, !gem_obj))
 		return -ENOENT;
 
+	bo = gem_to_xe_bo(gem_obj);
+
+	/*
+	 * Reject mmap offset requests for purged BOs.
+	 */
+	if (xe_bo_is_purged(bo)) {
+		drm_gem_object_put(gem_obj);
+		return -EINVAL;
+	}
+
 	/* The mmap offset was set up at BO allocation time. */
 	args->offset = drm_vma_node_offset_addr(&gem_obj->vma_node);
 
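Review bot: The xe_bo_is_purged(bo) test added before the offset lookup runs with no lock taken in the visible lines, so it is only a point-in-time check: a BO that gets purged right after it still receives a valid offset from drm_vma_node_offset_addr(), and the VM_FAULT_SIGBUS path in xe_bo_cpu_fault() described in the commit message remains the actual enforcement. Please expand the comment beyond "Reject mmap offset requests for purged BOs." to say that this is a best-effort early error and to name what, if anything, keeps the purged state stable at this point. Two smaller points: the neighbouring failure paths are wrapped in XE_IOCTL_DBG() (for example `if (XE_IOCTL_DBG(xe, !gem_obj))`), so this one should be too for consistent debug output, and the new -EINVAL return for a purged BO is userspace-visible behaviour that this patch, which touches only xe_bo.c, does not document.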
-- 
2.43.0

