From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-pl1-f175.google.com (mail-pl1-f175.google.com [209.85.214.175]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 99DFF224FA for ; Sun, 3 May 2026 05:53:13 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.175 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777787594; cv=none; b=sLo38IAH4y3sBA7SeuT6t7R678XxXRpnWp+ADzqpdluo3CpSkxkVmoA8kbcJVvS1U2AC0MKRX/Z0nMi4Ox386cyGTlJloEQ43kgIzoEvJLFO+RMVZrZ5UKOvPDSlyJ9TWyN/OF4bCCD/f6TPGL6w1gIZVcRAYPM+D0mYVTqkuRU= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777787594; c=relaxed/simple; bh=38QkvkMaV86o1VJPT1ueAV1K0ZTz3lgTnBbkLX9sNFk=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=kYRDBbT1wKoI9A7/WUXd7lSMR5Sp8NudirYChnv7XjrytcFnx0VjIMBeYN2nxfGjr80tjEDPsedirz2TW/sLslx4mF5ITkRrDwkecnafUW43itLwEWuHWIsOQlRxX9zvR693knWnVpQLsyvlvUM75kG/KTDF9y/Omifzmxou2nU= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=DpqvSbfc; arc=none smtp.client-ip=209.85.214.175 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="DpqvSbfc" Received: by mail-pl1-f175.google.com with SMTP id d9443c01a7336-2ad4d639db3so12999975ad.0 for ; Sat, 02 May 2026 22:53:13 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1777787593; x=1778392393; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=vr7la8q5ouMrDK8fN2eCNj+o3R1myO7B1gFJhcPxQqk=; b=DpqvSbfcjw+GBtsLW0z6rBBRFkNMdTgr0GoVBjkpJNcBWyUGuuzAezA4k79Y9Rz5Ks ThKPzem6yzoMqo9GJPR7kWULdBt5qDP+t9PzfbSeXw3fVo0fb/nZf+Poxk/eqoqvpE4Z FElven1LcEwCf3h4bqq5GpsC6usKRRGmONSiYf4pKZDgsIXQSa6guAM1plpkONfmTurz LpFyokVAH9aXlLf/WeVyEEw34Pb2UjpVs1Rs+z2IiT8a9Jsrf4Q9gW95ua4C+c8fC+V3 H2e/IES6wTzrD+oCiEMqIXTjk+KC+7imWOi3lvvBqSK4QlyKFu8KuyYYj82KDvtFU6H/ YZYQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1777787593; x=1778392393; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=vr7la8q5ouMrDK8fN2eCNj+o3R1myO7B1gFJhcPxQqk=; b=cxgCjKl3q3dXGYy/c9qtlYNpDvICAdNM9W8csyAy007nYRS8a5S8VXqLHDioys+Si2 vuh2QSqXjbMFG13+mVopFIb9HmughEBm7djkVHJ8kq4xHYTU9xW/3+FH8XLzYG/F9Mpa 4F2KiY+KJYq9rzyE8zEKvVYcbdevcedQKlPQAeNZ4WDX2C9CDwMk1rrjFIu5KjSUCaYj l5/kdn2XxILwKFoq9GJlkrAGKTjdg+zX2tarbKYuKeOR3UlNMK+7HlThrCxk0LrGIUG0 Lulz4AlMjiYWq21T6TfoM5Tio9O3EYUsOJUhItQAYVCFfEFEaVTVDChUzS8kouqaec9D 62mA== X-Forwarded-Encrypted: i=1; AFNElJ9MYzLahQtpVtSsC3BPKm/L96NJ3HtRtvfQAPIWCAYLTNX3JQnvTf+So86Jh5fIrMMR/cXJv/rGrB7UObY=@vger.kernel.org X-Gm-Message-State: AOJu0YxFZkHD0/i4azWAXDpH49Lqm+8Pbgw8hT34DJBHNuVC2Dq7bzoY uxp5q9wHAdghGmmpt6JwX0KDI8hAwVddh9yQbTvHEd6VACeABmwWGRzS X-Gm-Gg: AeBDiev8R3Q9H6PSGkiL0/T+0vt1tMOpr2R0ItvI+XuniUANNSCEOB4MfBhX42MkQXb JaKmS4zllE3tjnVDkcnV4Epy3wtECriPYz6K9IPrmqNKBMdbL3j+WqFNK5bjihN3RZpqSrash+n odcUbEkCeGuR/9B//ZaYhSZwlKKtOtqFhifN+xkiGRFvju1DNI5MPznEPe6+prrTwY1KUht5NKj aeV+kyb2725BQhxeByKJR+RE40z3JVrRAGmoca9NVLdlV+k+CAXyo5R1zug6RfaQzbBiyWas5eO oVz2G6AsuHLUW2+spsnVvdkniAMb9NVKSTRVhoLvPQZcyWYKzx5zfyMlyHfVayRtBfjBC6mnzm4 UnWNGHDN550XVXgjNYKnLi91D+/pGA8ve07YEDbdTty6F3VFMM/SUm5uR+6xHpPNDEQrnbIytR4 CCTOdsNH1DMHGqaMlrxkdFA4h5MsYszKziOvRPqoA= X-Received: by 2002:a17:903:37d0:b0:2b0:5ae9:ee4 with SMTP id d9443c01a7336-2b9f252f85emr49013585ad.5.1777787592888; Sat, 02 May 2026 22:53:12 -0700 (PDT) Received: from vini ([2401:4900:8fcb:edbd:7155:edb6:dac:107e]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-2b9cae58906sm64894705ad.74.2026.05.02.22.53.10 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 02 May 2026 22:53:12 -0700 (PDT) From: Vineet Agarwal To: mamin506@gmail.com, lizhi.hou@amd.com, ogabbay@kernel.org Cc: dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org, Vineet Agarwal Subject: [PATCH v3] drm/amdxdna: fix pinned_vm accounting and error handling in user buffer pinning Date: Sun, 3 May 2026 11:20:24 +0530 Message-ID: <20260503055258.643546-1-agarwal.vineet2006@gmail.com> X-Mailer: git-send-email 2.54.0 In-Reply-To: <20260502031746.621606-1-agarwal.vineet2006@gmail.com> References: <20260502031746.621606-1-agarwal.vineet2006@gmail.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit amdxdna_get_ubuf() incorrectly accounted mm->pinned_vm using the requested number of pages before pin_user_pages_fast() completed. Since pin_user_pages_fast() can return partial success, this could lead to incorrect accounting and inconsistent cleanup on failure. Additionally, the RLIMIT_MEMLOCK check was performed after pinning, allowing excessive pin attempts before validation. Fix this by: - checking RLIMIT_MEMLOCK before attempting to pin pages - handling partial pinning correctly and ensuring proper cleanup - updating mm->pinned_vm only after all pages are successfully pinned - removing incorrect error-path accounting and double-subtraction Also fix missing rollback when dma_buf_export() fails, which could leave mm->pinned_vm incremented without a corresponding release. This ensures correct pinned memory accounting and consistent error handling aligned with other subsystems using GUP. Signed-off-by: Vineet Agarwal Changes in v3: - Fix missing pinned_vm rollback when dma_buf_export() fails --- drivers/accel/amdxdna/amdxdna_ubuf.c | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/drivers/accel/amdxdna/amdxdna_ubuf.c b/drivers/accel/amdxdna/amdxdna_ubuf.c index fb999aa25318..efce6b94fb0c 100644 --- a/drivers/accel/amdxdna/amdxdna_ubuf.c +++ b/drivers/accel/amdxdna/amdxdna_ubuf.c @@ -129,7 +129,7 @@ struct dma_buf *amdxdna_get_ubuf(struct drm_device *dev, u32 num_entries, void __user *va_entries) { struct amdxdna_dev *xdna = to_xdna_dev(dev); - unsigned long lock_limit, new_pinned; + unsigned long lock_limit; struct amdxdna_drm_va_entry *va_ent; struct amdxdna_ubuf_priv *ubuf; u32 npages, start = 0; @@ -176,18 +176,17 @@ struct dma_buf *amdxdna_get_ubuf(struct drm_device *dev, ubuf->nr_pages = exp_info.size >> PAGE_SHIFT; lock_limit = rlimit(RLIMIT_MEMLOCK) >> PAGE_SHIFT; - new_pinned = atomic64_add_return(ubuf->nr_pages, &ubuf->mm->pinned_vm); - if (new_pinned > lock_limit && !capable(CAP_IPC_LOCK)) { - XDNA_DBG(xdna, "New pin %ld, limit %ld, cap %d", - new_pinned, lock_limit, capable(CAP_IPC_LOCK)); + + if (ubuf->nr_pages + atomic64_read(&ubuf->mm->pinned_vm) > lock_limit && + !capable(CAP_IPC_LOCK)) { ret = -ENOMEM; - goto sub_pin_cnt; + goto free_ent; } ubuf->pages = kvmalloc_objs(*ubuf->pages, ubuf->nr_pages); if (!ubuf->pages) { ret = -ENOMEM; - goto sub_pin_cnt; + goto free_ent; } for (i = 0; i < num_entries; i++) { @@ -196,15 +195,17 @@ struct dma_buf *amdxdna_get_ubuf(struct drm_device *dev, ret = pin_user_pages_fast(va_ent[i].vaddr, npages, FOLL_WRITE | FOLL_LONGTERM, &ubuf->pages[start]); - if (ret < 0 || ret != npages) { + if (ret < 0) + goto destroy_pages; + start += ret; + if (ret != npages) { ret = -ENOMEM; - XDNA_ERR(xdna, "Failed to pin pages ret %d", ret); goto destroy_pages; } - - start += ret; } + atomic64_add(ubuf->nr_pages, &ubuf->mm->pinned_vm); + exp_info.ops = &amdxdna_ubuf_dmabuf_ops; exp_info.priv = ubuf; exp_info.flags = O_RDWR | O_CLOEXEC; @@ -212,6 +213,7 @@ struct dma_buf *amdxdna_get_ubuf(struct drm_device *dev, dbuf = dma_buf_export(&exp_info); if (IS_ERR(dbuf)) { ret = PTR_ERR(dbuf); + atomic64_sub(ubuf->nr_pages, &ubuf->mm->pinned_vm); goto destroy_pages; } kvfree(va_ent); @@ -222,8 +224,6 @@ struct dma_buf *amdxdna_get_ubuf(struct drm_device *dev, if (start) unpin_user_pages(ubuf->pages, start); kvfree(ubuf->pages); -sub_pin_cnt: - atomic64_sub(ubuf->nr_pages, &ubuf->mm->pinned_vm); free_ent: kvfree(va_ent); free_ubuf: -- 2.54.0