From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-pf1-f178.google.com (mail-pf1-f178.google.com [209.85.210.178]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6AFF32BE655 for ; Sun, 3 May 2026 04:49:49 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.210.178 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777783790; cv=none; b=D1ClY4LDfF8vDKRVw+k3pX8rbyA/Y2Smfv5Vn5Uja369gD5qIOYsdyqyBNxvywJElm9UfKarohrj9Bc8rGS4gT0U1lTeFTV6tJQeHIIyjy/KJ5iHxFZt3n2TUMNmcMYHnIbyYGQR7Lv/gr0ArCcPVtozSSlDs2JN7ieQUox2mmI= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777783790; c=relaxed/simple; bh=pqOoZjA8doybAQKh6W0MHKlUXySrdkA3t/fl4LG79NQ=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=KtxSrrQKAuF6UQk7gkEZEPjjUQofqgJ1CdpThbsVt9VcdzOuv0GxQ6BMNgW2RytETt8KabmjHMOIxPs9jSYa52fWdg1uERxXyqKBYgpSCe8sKR/LnaSplz+PZuqpii9YHCxG8pXFCReTXxkPXhvjDnLsZBLk73/0ujDDtsFUaVE= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=dpWyxTad; arc=none smtp.client-ip=209.85.210.178 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="dpWyxTad" Received: by mail-pf1-f178.google.com with SMTP id d2e1a72fcca58-835b78c3797so27469b3a.2 for ; Sat, 02 May 2026 21:49:49 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1777783789; x=1778388589; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=ZrHQKdnz194dJR6cw9s2lksjM+dXghqleIL2qZmETl8=; b=dpWyxTad+5UE0AE/SGTda7MioEpCRdl3D1jeeJNnd7fNWJn7LvoCjdAIRek5zB90f9 JzgyYjaI6SNiqANxcEVQULP3x3ZRHisAc6wrvXRFVg07GBJOykNQtxhgNPz4kInjlSsd fUCo+YZ2gEbYwsQxh2PTsb+ZyyF3263vqZAZ+zCcG7cxV3/+mzoC5gcyX0zrFbVBCVmE 77RhfUAcQGR2RH1eXWLcIBn7Mmk3VVgOY/YLnPV4PodUjUNnnLS6vcQNX4Wp19WO9fmQ 8NDJodAt44hLGWqbgVblRHCMCY94VnWZPrg9hrval0PVJ8UTfgeTQnPTk2iSSO8mpfO2 f8TQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1777783789; x=1778388589; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=ZrHQKdnz194dJR6cw9s2lksjM+dXghqleIL2qZmETl8=; b=LtayTnJLCEAPmf6jDXPczAKbOtDy1qC6eUcLGpjouihBOT4S/VB1W1MayUM1upI5Nx JuyqIS3JTgy22VHFhkCFU+lLAMnWzZ18rR/h3TbJN5/wpYbc19DsSMuBsLAu1UbNER6v XBsov0pztBR7lfITtnZjlcCfNJO6x7uXqa9NaioNVqqop0lyY4U5JwPPMDSGfon4HRfY kBHsoJFiLDhPkyVmbV9cAmCJA9OpeN93yZGEfOhY7er5aGxT9SH2rp7T7h69WhBOo+BM CXzLe1sTxg78II6o2TO+PEL+MImVSPLzyGy9mlOtathKJ7RME0cXtS7ULqRnumMC8IfU 5M8Q== X-Forwarded-Encrypted: i=1; AFNElJ9nluFWFx2RRxawP2x5xNx45sBnlol+NkPdFu9FCkGzM2f9liZZq8qoL6MoIsOZOllEFLuCYX48vA0Tqsc=@vger.kernel.org X-Gm-Message-State: AOJu0YyZHiUI5sS1RtVckg1mNzg+efhl1oT4ah+7ZLd4Nca5KS0oBvB+ bU+ktJ+Y81j31374onBsZIr0RLY/+wrAYXw7RwK2kVG5Z9nMX961TlCk X-Gm-Gg: AeBDieuzvNSeG8+sHzbt8Pln0O6ivxl9kpEBjcNdpVkuKngBrbXlKABcwyUuso4wNe4 4k554ROkBH0r3NnZKItdJcJcVxipTV5VwxG6aV5PFy40LEhVexldAux9spNj9IkcRST5e0Gp+OX UWGwukkscnwk+7aK9eeVO/HUC3tsJiLp4lmbP3VKDNEPpBTWbZISj9BE8jrvUZ/WKngxL8jfc40 nIPpdwoNWSJf5Q5fzSP/C1noI08LypoE7VnY4aZybi3Ft36X2nXlUPQEhZP6X4OgMVCCKxiBlcW 4JGprRxZEhC6T46He6j5Tc/wZzxpitWE5Rc1JgE4qMPHCr43c3S3eScM4ACvJXPOLKnAmqsYfJ1 jJp/WmNwc2mCprCiXXygUFHSTXcB+TWyMj/3JuYafJtD0ISzqteOriqpRSmdIEoIMbt+4+sTzgw 07I0j0xWVYiGilGgTyUVW5V37O537QbjIjiu0msNwEFyv6LeMD+Q== X-Received: by 2002:a05:6a21:e098:b0:398:b346:b13 with SMTP id adf61e73a8af0-3a7f1a71ce3mr4874859637.16.1777783788697; Sat, 02 May 2026 21:49:48 -0700 (PDT) Received: from vini ([2401:4900:8fcb:edbd:7155:edb6:dac:107e]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-83515b00b28sm7011337b3a.42.2026.05.02.21.49.45 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 02 May 2026 21:49:48 -0700 (PDT) From: Vineet Agarwal To: mamin506@gmail.com, lizhi.hou@amd.com, ogabbay@kernel.org Cc: dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org, Vineet Agarwal Subject: [PATCH] drm/amdxdna: fix pinned_vm accounting and error handling in user buffer pinning Date: Sun, 3 May 2026 10:19:27 +0530 Message-ID: <20260503044931.634219-1-agarwal.vineet2006@gmail.com> X-Mailer: git-send-email 2.54.0 In-Reply-To: <20260502031746.621606-1-agarwal.vineet2006@gmail.com> References: <20260502031746.621606-1-agarwal.vineet2006@gmail.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit amdxdna_get_ubuf() incorrectly accounted mm->pinned_vm using the requested number of pages before pin_user_pages_fast() completed. Additionally, the RLIMIT_MEMLOCK check was performed after pinning, and error handling for partial pinning could lead to inconsistent cleanup. Fix this by: - checking RLIMIT_MEMLOCK before attempting to pin pages - ensuring partially pinned pages are properly tracked and released - accounting mm->pinned_vm only after successful pinning - removing incorrect error-path accounting and double-subtraction The RLIMIT_MEMLOCK check is performed conservatively against the requested number of pages to prevent excessive pinning attempts. This ensures mm->pinned_vm remains consistent and aligns the driver with expected GUP and memory accounting semantics. Signed-off-by: Vineet Agarwal Changes in v2: - Move RLIMIT_MEMLOCK check before pinning - Fix partial pin handling and cleanup paths - Remove incorrect pinned_vm accounting in error paths - Ensure symmetric accounting between pin and release - Drop unused pinned_total variable --- drivers/accel/amdxdna/amdxdna_ubuf.c | 25 ++++++++++++------------- 1 file changed, 12 insertions(+), 13 deletions(-) diff --git a/drivers/accel/amdxdna/amdxdna_ubuf.c b/drivers/accel/amdxdna/amdxdna_ubuf.c index fb999aa25318..571708f78cfe 100644 --- a/drivers/accel/amdxdna/amdxdna_ubuf.c +++ b/drivers/accel/amdxdna/amdxdna_ubuf.c @@ -129,7 +129,7 @@ struct dma_buf *amdxdna_get_ubuf(struct drm_device *dev, u32 num_entries, void __user *va_entries) { struct amdxdna_dev *xdna = to_xdna_dev(dev); - unsigned long lock_limit, new_pinned; + unsigned long lock_limit; struct amdxdna_drm_va_entry *va_ent; struct amdxdna_ubuf_priv *ubuf; u32 npages, start = 0; @@ -176,18 +176,17 @@ struct dma_buf *amdxdna_get_ubuf(struct drm_device *dev, ubuf->nr_pages = exp_info.size >> PAGE_SHIFT; lock_limit = rlimit(RLIMIT_MEMLOCK) >> PAGE_SHIFT; - new_pinned = atomic64_add_return(ubuf->nr_pages, &ubuf->mm->pinned_vm); - if (new_pinned > lock_limit && !capable(CAP_IPC_LOCK)) { - XDNA_DBG(xdna, "New pin %ld, limit %ld, cap %d", - new_pinned, lock_limit, capable(CAP_IPC_LOCK)); + + if (ubuf->nr_pages + atomic64_read(&ubuf->mm->pinned_vm) > lock_limit && + !capable(CAP_IPC_LOCK)) { ret = -ENOMEM; - goto sub_pin_cnt; + goto free_ent; } ubuf->pages = kvmalloc_objs(*ubuf->pages, ubuf->nr_pages); if (!ubuf->pages) { ret = -ENOMEM; - goto sub_pin_cnt; + goto free_ent; } for (i = 0; i < num_entries; i++) { @@ -196,15 +195,17 @@ struct dma_buf *amdxdna_get_ubuf(struct drm_device *dev, ret = pin_user_pages_fast(va_ent[i].vaddr, npages, FOLL_WRITE | FOLL_LONGTERM, &ubuf->pages[start]); - if (ret < 0 || ret != npages) { + if (ret < 0) + goto destroy_pages; + start += ret; + if (ret != npages) { ret = -ENOMEM; - XDNA_ERR(xdna, "Failed to pin pages ret %d", ret); goto destroy_pages; } - - start += ret; } + atomic64_add(ubuf->nr_pages, &ubuf->mm->pinned_vm); + exp_info.ops = &amdxdna_ubuf_dmabuf_ops; exp_info.priv = ubuf; exp_info.flags = O_RDWR | O_CLOEXEC; @@ -222,8 +223,6 @@ struct dma_buf *amdxdna_get_ubuf(struct drm_device *dev, if (start) unpin_user_pages(ubuf->pages, start); kvfree(ubuf->pages); -sub_pin_cnt: - atomic64_sub(ubuf->nr_pages, &ubuf->mm->pinned_vm); free_ent: kvfree(va_ent); free_ubuf: -- 2.54.0