Re: [PATCH v5 1/2] drm/xe/uapi: Reject coh_none PAT index for CPU cached memory in madvise

public inbox for stable@vger.kernel.org
 help / color / mirror / Atom feed

From: Matthew Auld <matthew.auld@intel.com>
To: Jia Yao <jia.yao@intel.com>, intel-xe@lists.freedesktop.org
Cc: stable@vger.kernel.org, "Shuicheng Lin" <shuicheng.lin@intel.com>,
	"Mathew Alwin" <alwin.mathew@intel.com>,
	"Michal Mrozek" <michal.mrozek@intel.com>,
	"Matthew Brost" <matthew.brost@intel.com>,
	"José Roberto de Souza" <jose.souza@intel.com>
Subject: Re: [PATCH v5 1/2] drm/xe/uapi: Reject coh_none PAT index for CPU cached memory in madvise
Date: Mon, 16 Mar 2026 10:59:10 +0000	[thread overview]
Message-ID: <4b32f17a-811e-453e-ac0a-e5fae77fea6a@intel.com> (raw)
In-Reply-To: <20260316072257.255372-2-jia.yao@intel.com>

On 16/03/2026 07:22, Jia Yao wrote:
> Add validation in xe_vm_madvise_ioctl() to reject PAT indices with
> XE_COH_NONE coherency mode when applied to CPU cached memory.
> 
> Using coh_none with CPU cached buffers is a security issue. When the
> kernel clears pages before reallocation, the clear operation stays in
> CPU cache (dirty). GPU with coh_none can bypass CPU caches and read
> stale sensitive data directly from DRAM, potentially leaking data from
> previously freed pages of other processes.
> 
> This aligns with the existing validation in vm_bind path
> (xe_vm_bind_ioctl_validate_bo).
> 
> v2(Matthew brost)
> - Add fixes
> - Move one debug print to better place
> 
> v3(Matthew Auld)
> - Should be drm/xe/uapi
> - More Cc
> 
> v4(Shuicheng Lin)
> - Fix kmem leak issues by the way
> 
> v5
> - Remove kmem leak because it has been merged by other patch
> 
> Fixes: ada7486c5668 ("drm/xe: Implement madvise ioctl for xe")
> Cc: stable@vger.kernel.org # v6.18
> Cc: Shuicheng Lin <shuicheng.lin@intel.com>
> Cc: Mathew Alwin <alwin.mathew@intel.com>
> Cc: Michal Mrozek <michal.mrozek@intel.com>
> Cc: Matthew Brost <matthew.brost@intel.com>
> Cc: Matthew Auld <matthew.auld@intel.com>
> Signed-off-by: Jia Yao <jia.yao@intel.com>
> Acked-by: Michal Mrozek <michal.mrozek@intel.com>
> Acked-by: José Roberto de Souza <jose.souza@intel.com>
> ---
>   drivers/gpu/drm/xe/xe_vm_madvise.c | 46 +++++++++++++++++++++++++++++-
>   1 file changed, 45 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/gpu/drm/xe/xe_vm_madvise.c b/drivers/gpu/drm/xe/xe_vm_madvise.c
> index 869db304d96d..5d0acaad924c 100644
> --- a/drivers/gpu/drm/xe/xe_vm_madvise.c
> +++ b/drivers/gpu/drm/xe/xe_vm_madvise.c
> @@ -365,6 +365,43 @@ static void xe_madvise_details_fini(struct xe_madvise_details *details)
>   	drm_pagemap_put(details->dpagemap);
>   }
>   
> +static bool check_pat_args_are_sane(struct xe_device *xe,
> +				    struct xe_vmas_in_madvise_range *madvise_range,
> +				    u16 pat_index)
> +{
> +	u16 coh_mode = xe_pat_index_get_coh_mode(xe, pat_index);
> +	int i;
> +
> +	/*
> +	 * Using coh_none with CPU cached buffers is not allowed.
> +	 * Otherwise CPU page clearing can be bypassed, which is a
> +	 * security issue. GPU can directly access system memory and
> +	 * bypass CPU caches, potentially reading stale sensitive data
> +	 * from previously freed pages.
> +	 */
> +	if (coh_mode != XE_COH_NONE)
> +		return true;
> +
> +	for (i = 0; i < madvise_range->num_vmas; i++) {
> +		struct xe_vma *vma = madvise_range->vmas[i];
> +		struct xe_bo *bo = xe_vma_bo(vma);
> +
> +		if (bo) {
> +			/* BO with WB caching + COH_NONE is not allowed */
> +			if (XE_IOCTL_DBG(xe, bo->cpu_caching == DRM_XE_GEM_CPU_CACHING_WB))
> +				return false;
> +			/* Imported dma-buf without caching info, assume cached */
> +			if (XE_IOCTL_DBG(xe, !bo->cpu_caching))
> +				return false;
> +		} else if (XE_IOCTL_DBG(xe, xe_vma_is_cpu_addr_mirror(vma) ||
> +					    xe_vma_is_userptr(vma)))
> +			/* System memory (userptr/SVM) is always CPU cached */
> +			return false;
> +	}
> +
> +	return true;
> +}
> +
>   static bool check_bo_args_are_sane(struct xe_vm *vm, struct xe_vma **vmas,
>   				   int num_vmas, u32 atomic_val)
>   {
> @@ -455,6 +492,14 @@ int xe_vm_madvise_ioctl(struct drm_device *dev, void *data, struct drm_file *fil
>   	if (err || !madvise_range.num_vmas)
>   		goto madv_fini;
>   
> +	if (args->type == DRM_XE_MEM_RANGE_ATTR_PAT) {
> +		if (!check_pat_args_are_sane(xe, &madvise_range,
> +					     args->pat_index.val)) {
> +			err = -EINVAL;
> +			goto free_vmas;
> +		}
> +	}
> +
>   	if (madvise_range.has_bo_vmas) {
>   		if (args->type == DRM_XE_MEM_RANGE_ATTR_ATOMIC) {
>   			if (!check_bo_args_are_sane(vm, madvise_range.vmas,
> @@ -500,7 +545,6 @@ int xe_vm_madvise_ioctl(struct drm_device *dev, void *data, struct drm_file *fil
>   		drm_exec_fini(&exec);
>   free_vmas:
>   	kfree(madvise_range.vmas);
> -	madvise_range.vmas = NULL;

Do we really need this change?

Otherwise,
Reviewed-by: Matthew Auld <matthew.auld@intel.com>

>   madv_fini:
>   	xe_madvise_details_fini(&details);
>   unlock_vm:

next prev parent reply	other threads:[~2026-03-16 10:59 UTC|newest]

Thread overview: 20+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <20260129000147.339361-1-jia.yao@intel.com>
2026-01-30 22:07 ` [PATCH v3] drm/xe/uapi: Reject coh_none PAT index for CPU cached memory in madvise Jia Yao
2026-02-03  2:54   ` Lin, Shuicheng
2026-02-04 15:13   ` Souza, Jose
2026-02-03 15:48 ` [PATCH v4] " Jia Yao
2026-02-03 16:38   ` Matthew Auld
2026-02-03 16:59     ` Yao, Jia
2026-03-10 14:50   ` Mrozek, Michal
2026-03-16  7:22 ` [PATCH v5 0/2] drm/xe: PAT index validation for CPU_ADDR_MIRROR and Jia Yao
2026-03-16  7:22   ` [PATCH v5 1/2] drm/xe/uapi: Reject coh_none PAT index for CPU cached memory in madvise Jia Yao
2026-03-16 10:59     ` Matthew Auld [this message]
2026-03-16 15:29       ` Lin, Shuicheng
2026-03-16  7:22   ` [PATCH v5 2/2] drm/xe: Reject coh_none PAT index for CPU_ADDR_MIRROR Jia Yao
2026-03-16 11:40     ` Matthew Auld
2026-03-16 16:42 ` [PATCH v5 0/2] drm/xe: PAT index validation for CPU_ADDR_MIRROR and madvise Jia Yao
2026-03-16 16:42   ` [PATCH v6 1/2] drm/xe/uapi: Reject coh_none PAT index for CPU cached memory in madvise Jia Yao
2026-03-16 16:42   ` [PATCH v6 2/2] drm/xe: Reject coh_none PAT index for CPU_ADDR_MIRROR Jia Yao
2026-03-17 10:45     ` Matthew Auld
2026-03-19 11:58 ` [PATCH v7 0/2] drm/xe: PAT index validation for CPU_ADDR_MIRROR and madvise Jia Yao
2026-03-19 11:58   ` [PATCH v7 1/2] drm/xe/uapi: Reject coh_none PAT index for CPU cached memory in madvise Jia Yao
2026-03-19 11:58   ` [PATCH v7 2/2] drm/xe: Reject coh_none PAT index for CPU_ADDR_MIRROR Jia Yao

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=4b32f17a-811e-453e-ac0a-e5fae77fea6a@intel.com \
    --to=matthew.auld@intel.com \
    --cc=alwin.mathew@intel.com \
    --cc=intel-xe@lists.freedesktop.org \
    --cc=jia.yao@intel.com \
    --cc=jose.souza@intel.com \
    --cc=matthew.brost@intel.com \
    --cc=michal.mrozek@intel.com \
    --cc=shuicheng.lin@intel.com \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox