[PATCH v3 1/2] drm/xe: Assign ioctl xe file handler to vm in xe_vm_create

Rodrigo Vivi rodrigo.vivi at intel.com
Thu Aug 21 14:34:33 UTC 2025 

On Mon, Aug 11, 2025 at 12:43:57PM +0200, Piórkowski, Piotr wrote:
> From: Piotr Piórkowski <piotr.piorkowski at intel.com>
> 
> In several code paths, such as xe_pt_create(), the vm->xef field is used
> to determine whether a VM originates from userspace or the kernel.
> 
> Previously, this handler was only assigned in xe_vm_create_ioctl(),
> after the VM was created by xe_vm_create(). However, xe_vm_create()
> triggers page table creation, and that function assumes vm->xef should
> be already set. This could lead to incorrect origin detection.
> 
> To fix this problem and ensure consistency in the initialization of
> the VM object, let's move the assignment of this handler to
> xe_vm_create.
> 
> v2:
>  - take reference to the xe file object only when xef is not NULL
>  - release the reference to the xe file object on the error path (Matthew)
> 
> Fixes: 7f387e6012b6 ("drm/xe: add XE_BO_FLAG_PINNED_LATE_RESTORE")
> Signed-off-by: Piotr Piórkowski <piotr.piorkowski at intel.com>
> Cc: Matthew Auld <matthew.auld at intel.com>
> ---
>  drivers/gpu/drm/xe/xe_migrate.c    |  2 +-
>  drivers/gpu/drm/xe/xe_pxp_submit.c |  2 +-
>  drivers/gpu/drm/xe/xe_vm.c         | 11 ++++++-----
>  drivers/gpu/drm/xe/xe_vm.h         |  2 +-
>  4 files changed, 9 insertions(+), 8 deletions(-)
> 
> diff --git a/drivers/gpu/drm/xe/xe_migrate.c b/drivers/gpu/drm/xe/xe_migrate.c
> index ac9f4d4988d2..915fccea7aeb 100644
> --- a/drivers/gpu/drm/xe/xe_migrate.c
> +++ b/drivers/gpu/drm/xe/xe_migrate.c
> @@ -411,7 +411,7 @@ int xe_migrate_init(struct xe_migrate *m)
>  
>  	/* Special layout, prepared below.. */
>  	vm = xe_vm_create(xe, XE_VM_FLAG_MIGRATION |
> -			  XE_VM_FLAG_SET_TILE_ID(tile));
> +			  XE_VM_FLAG_SET_TILE_ID(tile), NULL);
>  	if (IS_ERR(vm))
>  		return PTR_ERR(vm);
>  
> diff --git a/drivers/gpu/drm/xe/xe_pxp_submit.c b/drivers/gpu/drm/xe/xe_pxp_submit.c
> index d92ec0f515b0..ca95f2a4d4ef 100644
> --- a/drivers/gpu/drm/xe/xe_pxp_submit.c
> +++ b/drivers/gpu/drm/xe/xe_pxp_submit.c
> @@ -101,7 +101,7 @@ static int allocate_gsc_client_resources(struct xe_gt *gt,
>  	xe_assert(xe, hwe);
>  
>  	/* PXP instructions must be issued from PPGTT */
> -	vm = xe_vm_create(xe, XE_VM_FLAG_GSC);
> +	vm = xe_vm_create(xe, XE_VM_FLAG_GSC, NULL);
>  	if (IS_ERR(vm))
>  		return PTR_ERR(vm);
>  
> diff --git a/drivers/gpu/drm/xe/xe_vm.c b/drivers/gpu/drm/xe/xe_vm.c
> index 148a2425006f..157e11bd2121 100644
> --- a/drivers/gpu/drm/xe/xe_vm.c
> +++ b/drivers/gpu/drm/xe/xe_vm.c
> @@ -1640,7 +1640,7 @@ static void xe_vm_free_scratch(struct xe_vm *vm)
>  	}
>  }
>  
> -struct xe_vm *xe_vm_create(struct xe_device *xe, u32 flags)
> +struct xe_vm *xe_vm_create(struct xe_device *xe, u32 flags, struct xe_file *xef)
>  {
>  	struct drm_gem_object *vm_resv_obj;
>  	struct xe_vm *vm;
> @@ -1661,9 +1661,10 @@ struct xe_vm *xe_vm_create(struct xe_device *xe, u32 flags)
>  	vm->xe = xe;
>  
>  	vm->size = 1ull << xe->info.va_bits;
> -
>  	vm->flags = flags;
>  
> +	if (xef)
> +		vm->xef = xe_file_get(xef);
>  	/**
>  	 * GSC VMs are kernel-owned, only used for PXP ops and can sometimes be
>  	 * manipulated under the PXP mutex. However, the PXP mutex can be taken
> @@ -1814,6 +1815,8 @@ struct xe_vm *xe_vm_create(struct xe_device *xe, u32 flags)
>  	for_each_tile(tile, xe, id)
>  		xe_range_fence_tree_fini(&vm->rftree[id]);
>  	ttm_lru_bulk_move_fini(&xe->ttm, &vm->lru_bulk_move);
> +	if (vm->xef)
> +		xe_file_put(vm->xef);
>  	kfree(vm);
>  	if (flags & XE_VM_FLAG_LR_MODE)
>  		xe_pm_runtime_put(xe);
> @@ -2097,7 +2100,7 @@ int xe_vm_create_ioctl(struct drm_device *dev, void *data,
>  	if (args->flags & DRM_XE_VM_CREATE_FLAG_FAULT_MODE)
>  		flags |= XE_VM_FLAG_FAULT_MODE;
>  
> -	vm = xe_vm_create(xe, flags);
> +	vm = xe_vm_create(xe, flags, xef);
>  	if (IS_ERR(vm))
>  		return PTR_ERR(vm);
>  
> @@ -2113,8 +2116,6 @@ int xe_vm_create_ioctl(struct drm_device *dev, void *data,
>  		vm->usm.asid = asid;
>  	}
>  
> -	vm->xef = xe_file_get(xef);

Please, next time ensure that this patch works by itself.

Removing this here, without removing
xe_drm_client_add_bo(vm->xef->client, vm->pt_root[id]->bo);

that is below causes a big boom!

[   16.485311] WARNING: CPU: 10 PID: 1650 at drivers/gpu/drm/xe/xe_drm_client.c:135 xe_drm_client_add_bo+0xb0/0xd0 [xe]
[   16.485416] Modules linked in: nf_conntrack_netbios_ns nf_conntrack_broadcast nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib sunrpc nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ip\
v6 nf_defrag_ipv4 nf_tables qrtr bnep vfat fat intel_uncore_frequency intel_uncore_frequency_common iwlmvm snd_sof_pci_intel_tgl snd_sof_pci_intel_cnl snd_sof_intel_hda_generic soundwire_intel snd_sof_intel_hda_sdw_bpt snd_sof_intel_hda_common s\
nd_soc_hdac_hda snd_sof_intel_hda_mlink x86_pkg_temp_thermal snd_sof_intel_hda intel_powerclamp soundwire_cadence mac80211 snd_sof_pci snd_sof_xtensa_dsp snd_sof snd_sof_utils snd_soc_acpi_intel_match snd_soc_acpi_intel_sdca_quirks soundwire_gen\
eric_allocation snd_soc_acpi crc8 soundwire_bus coretemp snd_soc_sdca kvm_intel snd_hda_codec_alc662 snd_hda_codec_realtek_lib snd_soc_avs snd_hda_codec_generic snd_hda_codec_intelhdmi snd_hda_codec_hdmi libarc4 snd_soc_hda_codec iwlwifi snd_hda\
_intel snd_hda_ext_core kvm snd_hda_codec cfg80211
[   16.485452]  snd_soc_core snd_hda_core snd_intel_dspcfg btusb snd_compress snd_intel_sdw_acpi ac97_bus spi_nor btrtl snd_hwdep snd_pcm_dmaengine btintel snd_seq btbcm processor_thermal_device_pci irqbypass processor_thermal_device btmtk snd_s\
eq_device rapl processor_thermal_wt_hint iTCO_wdt snd_pcm r8169 intel_cstate platform_temperature_control intel_pmc_bxt mei_gsc_proxy mtd bluetooth mei_hdcp mei_pxp iTCO_vendor_support processor_thermal_rfim ee1004 mei_gsc snd_timer intel_rapl_m\
sr intel_uncore snd i2c_i801 processor_thermal_rapl wmi_bmof realtek gigabyte_wmi pcspkr mei_me intel_rapl_common pmt_crashlog spi_intel_pci soundcore i2c_smbus spi_intel processor_thermal_wt_req mei processor_thermal_power_floor processor_therm\
al_mbox idma64 rfkill intel_pmc_core int340x_thermal_zone pmt_telemetry joydev pmt_discovery pmt_class int3400_thermal intel_hid acpi_thermal_rel acpi_pad intel_pmc_ssram_telemetry acpi_tad sparse_keymap loop nfnetlink zram lz4hc_compress lz4_co\
mpress hid_logitech_hidpp i915 xe intel_vsec
[   16.485496]  drm_ttm_helper drm_suballoc_helper gpu_sched drm_gpuvm drm_exec drm_gpusvm_helper i2c_algo_bit drm_buddy ttm nvme drm_display_helper nvme_core polyval_clmulni ghash_clmulni_intel cec nvme_keyring nvme_auth video wmi pinctrl_alder\
lake hid_logitech_dj i2c_dev fuse
[   16.485512] CPU: 10 UID: 42 PID: 1650 Comm: gnome-shell Not tainted 6.17.0-rc2+ #5 PREEMPT(voluntary) 
[   16.485515] Hardware name: iBUYPOWER INTEL/B660 DS3H AC DDR4-Y1, BIOS F32c 05/28/2025
[   16.485517] RIP: 0010:xe_drm_client_add_bo+0xb0/0xd0 [xe]
[   16.485601] Code: 98 02 00 00 4d 89 65 00 48 8d 7b 08 5b 5d 41 5c 41 5d 41 5e 41 5f e9 bf 23 cd f4 be 01 00 00 00 48 89 df e8 b2 81 3d f4 eb 9e <0f> 0b e9 70 ff ff ff 0f 0b e9 7c ff ff ff be 02 00 00 00 48 89 df
[   16.485603] RSP: 0018:ffffc9cb4c14f9c0 EFLAGS: 00010286
[   16.485605] RAX: ffff8971c3582c00 RBX: ffff8971c324c3a0 RCX: 0000000000000000
[   16.485616] RDX: 0000000000000002 RSI: ffff8971e6453000 RDI: ffff8971c324c3a0
[   16.485618] RBP: ffff8971e6453000 R08: ffff8971d3c578e8 R09: 0000000000000000
[   16.485619] R10: 0000000000000228 R11: ffffc9cb4c14f940 R12: ffff8971c3582c00
[   16.485620] R13: ffff8971f2e56000 R14: ffff89720eb44000 R15: 00000000c0206443
[   16.485622] FS:  00007f9d9769b640(0000) GS:ffff89818821e000(0000) knlGS:0000000000000000
[   16.485624] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   16.485626] CR2: 00007f9d712ab620 CR3: 000000011dc48001 CR4: 0000000000f72ef0
[   16.485627] PKRU: 55555554
[   16.485628] Call Trace:
[   16.485631]  <TASK>
[   16.485633]  xe_vm_create_ioctl+0x152/0x3c0 [xe]

> -
>  	/* Record BO memory for VM pagetable created against client */
>  	for_each_tile(tile, xe, id)
>  		if (vm->pt_root[id])
> diff --git a/drivers/gpu/drm/xe/xe_vm.h b/drivers/gpu/drm/xe/xe_vm.h
> index 3475a118f666..2f213737c7e5 100644
> --- a/drivers/gpu/drm/xe/xe_vm.h
> +++ b/drivers/gpu/drm/xe/xe_vm.h
> @@ -26,7 +26,7 @@ struct xe_sync_entry;
>  struct xe_svm_range;
>  struct drm_exec;
>  
> -struct xe_vm *xe_vm_create(struct xe_device *xe, u32 flags);
> +struct xe_vm *xe_vm_create(struct xe_device *xe, u32 flags, struct xe_file *xef);
>  
>  struct xe_vm *xe_vm_lookup(struct xe_file *xef, u32 id);
>  int xe_vma_cmp_vma_cb(const void *key, const struct rb_node *node);
> -- 
> 2.34.1
>

More information about the Intel-xe mailing list