From: Dave Airlie <airlied@gmail.com>
To: dri-devel@lists.freedesktop.org
Cc: nouveau@lists.freedesktop.org
Subject: [PATCH 3/3] nouveau/vmm: start tracking if the LPT PTE is valid. (v6)
Date: Tue, 3 Feb 2026 15:25:27 +1000 [thread overview]
Message-ID: <20260203052823.2220053-4-airlied@gmail.com> (raw)
In-Reply-To: <20260203052823.2220053-1-airlied@gmail.com>
From: Dave Airlie <airlied@redhat.com>
When NVK enabled large pages userspace tests were seeing fault
reports at a valid address.
There was a case where an address moving from 64k page to 4k pages
could expose a race between unmapping the 4k page, mapping the 64k
page and unref the 4k pages.
Unref 4k pages would cause the dual-page table handling to always
set the LPTE entry to SPARSE or INVALID, but if we'd mapped a valid
LPTE in the meantime, it would get trashed. Keep track of when
a valid LPTE has been referenced, and don't reset in that case.
This adds an lpte valid tracker and lpte reference count.
Whenever an lpte is referenced, it gets made valid and the ref count
increases, whenever it gets unreference the refcount is tracked.
Link: https://gitlab.freedesktop.org/mesa/mesa/-/issues/14610
Signed-off-by: Dave Airlie <airlied@redhat.com>
---
drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c | 39 +++++++++++++++----
drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.h | 3 +-
2 files changed, 33 insertions(+), 9 deletions(-)
diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c b/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c
index 8b8f4b85e315..ea1191386c6e 100644
--- a/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c
+++ b/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c
@@ -242,14 +242,17 @@ nvkm_vmm_unref_sptes(struct nvkm_vmm_iter *it, struct nvkm_vmm_pt *pgt,
if (pgt->pte[pteb].s.sparse) {
TRA(it, "LPTE %05x: U -> S %d PTEs", pteb, ptes);
pair->func->sparse(vmm, pgt->pt[0], pteb, ptes);
- } else
- if (pair->func->invalid) {
- /* If the MMU supports it, restore the LPTE to the
- * INVALID state to tell the MMU there is no point
- * trying to fetch the corresponding SPTEs.
- */
- TRA(it, "LPTE %05x: U -> I %d PTEs", pteb, ptes);
- pair->func->invalid(vmm, pgt->pt[0], pteb, ptes);
+ } else if (!pgt->pte[pteb].s.lpte_valid) {
+ if (pair->func->invalid) {
+ /* If the MMU supports it, restore the LPTE to the
+ * INVALID state to tell the MMU there is no point
+ * trying to fetch the corresponding SPTEs.
+ */
+ TRA(it, "LPTE %05x: U -> I %d PTEs", pteb, ptes);
+ pair->func->invalid(vmm, pgt->pt[0], pteb, ptes);
+ }
+ } else {
+ TRA(it, "LPTE %05x: V %d PTEs", pteb, ptes);
}
}
}
@@ -280,6 +283,15 @@ nvkm_vmm_unref_ptes(struct nvkm_vmm_iter *it, bool pfn, u32 ptei, u32 ptes)
if (desc->type == SPT && (pgt->refs[0] || pgt->refs[1]))
nvkm_vmm_unref_sptes(it, pgt, desc, ptei, ptes);
+ if (desc->type == LPT && (pgt->refs[0] || pgt->refs[1])) {
+ for (u32 lpti = ptei; ptes; lpti++) {
+ pgt->pte[lpti].s.lptes--;
+ if (pgt->pte[lpti].s.lptes == 0)
+ pgt->pte[lpti].s.lpte_valid = false;
+ ptes--;
+ }
+ }
+
/* PT no longer needed? Destroy it. */
if (!pgt->refs[type]) {
it->lvl++;
@@ -332,10 +344,12 @@ nvkm_vmm_ref_sptes(struct nvkm_vmm_iter *it, struct nvkm_vmm_pt *pgt,
* Determine how many LPTEs need to transition state.
*/
pgt->pte[ptei].s.spte_valid = true;
+ pgt->pte[ptei].s.lpte_valid = false;
for (ptes = 1, ptei++; ptei < lpti; ptes++, ptei++) {
if (pgt->pte[ptei].s.spte_valid)
break;
pgt->pte[ptei].s.spte_valid = true;
+ pgt->pte[ptei].s.lpte_valid = false;
}
if (pgt->pte[pteb].s.sparse) {
@@ -374,6 +388,15 @@ nvkm_vmm_ref_ptes(struct nvkm_vmm_iter *it, bool pfn, u32 ptei, u32 ptes)
if (desc->type == SPT)
nvkm_vmm_ref_sptes(it, pgt, desc, ptei, ptes);
+ if (desc->type == LPT) {
+ for (u32 lpti = ptei; ptes; lpti++) {
+ pgt->pte[lpti].s.spte_valid = false;
+ pgt->pte[lpti].s.lpte_valid = true;
+ pgt->pte[lpti].s.lptes++;
+ ptes--;
+ }
+ }
+
return true;
}
diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.h b/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.h
index a8b08126e8dc..4ec0a3a21169 100644
--- a/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.h
+++ b/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.h
@@ -9,7 +9,8 @@ union nvkm_pte_tracker {
struct {
u32 sparse:1;
u32 spte_valid:1;
- u32 padding:14;
+ u32 lpte_valid:1;
+ u32 lptes:13;
u32 sptes:16;
} s;
};
--
2.52.0
next prev parent reply other threads:[~2026-02-03 5:28 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-03 5:25 nouveau/vmm: fix switching between small and large PTEs Dave Airlie
2026-02-03 5:25 ` [PATCH 1/3] nouveau/vmm: rewrite pte tracker using a struct and bitfields Dave Airlie
2026-02-03 5:25 ` [PATCH 2/3] nouveau/vmm: increase size of vmm pte tracker struct to u32 Dave Airlie
2026-02-03 5:25 ` Dave Airlie [this message]
-- strict thread matches above, loose matches on Subject: below --
2026-02-04 3:00 [PATCH 0/3] nouveau/vmm: fix switching between small and large PTEs (series v2) Dave Airlie
2026-02-04 3:00 ` [PATCH 3/3] nouveau/vmm: start tracking if the LPT PTE is valid. (v6) Dave Airlie
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260203052823.2220053-4-airlied@gmail.com \
--to=airlied@gmail.com \
--cc=dri-devel@lists.freedesktop.org \
--cc=nouveau@lists.freedesktop.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox