<feed xmlns='http://www.w3.org/2005/Atom'>
<title>kernel/linux.git/drivers/gpu/drm/xe/xe_dma_buf.c, branch linux-7.0.y</title>
<subtitle>Linux kernel stable tree (mirror)</subtitle>
<id>https://git.radix-linux.su/kernel/linux.git/atom?h=linux-7.0.y</id>
<link rel='self' href='https://git.radix-linux.su/kernel/linux.git/atom?h=linux-7.0.y'/>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/'/>
<updated>2026-05-23T11:09:42+00:00</updated>
<entry>
<title>drm/xe/dma-buf: fix UAF with retry loop</title>
<updated>2026-05-23T11:09:42+00:00</updated>
<author>
<name>Matthew Auld</name>
<email>matthew.auld@intel.com</email>
</author>
<published>2026-05-08T10:26:37+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=827062952ed9bdf4220466c1f05ce452d04bdedf'/>
<id>urn:sha1:827062952ed9bdf4220466c1f05ce452d04bdedf</id>
<content type='text'>
commit 155a372a1cc50fa93387c5d3cdfd614a61e1afd1 upstream.

Retry doesn't work here, since bo will be freed on error, leading to
UAF. However, now that we do the alloc &amp; init before the attach, we can
now combine this as one unit and have the init do the alloc for us. This
should make the retry safe.

Reported by Sashiko.

v2: Fix up the error unwind (CI)

Closes: https://sashiko.dev/#/patchset/20260506184332.86743-2-matthew.auld%40intel.com
Fixes: eb289a5f6cc6 ("drm/xe: Convert xe_dma_buf.c for exhaustive eviction")
Signed-off-by: Matthew Auld &lt;matthew.auld@intel.com&gt;
Cc: Thomas Hellström &lt;thomas.hellstrom@linux.intel.com&gt;
Cc: Matthew Brost &lt;matthew.brost@intel.com&gt;
Cc: &lt;stable@vger.kernel.org&gt; # v6.18+
Reviewed-by: Thomas Hellström &lt;thomas.hellstrom@linux.intel.com&gt;
Link: https://patch.msgid.link/20260508102635.149172-4-matthew.auld@intel.com
(cherry picked from commit 479669418253e0f27f8cf5db01a731352ea592e7)
Signed-off-by: Rodrigo Vivi &lt;rodrigo.vivi@intel.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>drm/xe/dma-buf: handle empty bo and UAF races</title>
<updated>2026-05-23T11:09:42+00:00</updated>
<author>
<name>Matthew Auld</name>
<email>matthew.auld@intel.com</email>
</author>
<published>2026-05-08T10:26:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=c473ae25421fddc3dde247ba7b85225b10641d09'/>
<id>urn:sha1:c473ae25421fddc3dde247ba7b85225b10641d09</id>
<content type='text'>
commit 981bedbbe61364fcc3a3b87ebaf648a66cd07108 upstream.

There look to be some nasty races here when triggering the
invalidate_mappings hook:

1) We do xe_bo_alloc() followed by the attach, before the actual full bo
   init step in xe_dma_buf_init_obj(). However the bo is visible on the
   attachments list after the attach.  This is bad since exporter driver,
   say amdgpu, can at any time call back into our invalidate_mappings hook,
   with an empty/bogus bo, leading to potential bugs/crashes.

2) Similar to 1) but here we get a UAF, when the invalidate_mappings
   hook is triggered. For example, we get as far as xe_bo_init_locked()
   but this fails in some way. But here the bo will be freed on error, but
   we still have it attached from dma-buf pov, so if the
   invalidate_mappings is now triggered then the bo we access is gone and
   we trigger UAF and more bugs/crashes.

To fix this, move the attach step until after we actually have a fully
set up buffer object. Note that the bo is not published to userspace
until later, so not sure what the comment "Don't publish the bo
until we have a valid attachment", is referring to.

We have at least two different customers reporting hitting a NULL ptr
deref in evict_flags when importing something from amdgpu, followed by
triggering the evict flow. Hit rate is also pretty low, which would
hint at some kind of race, so something like 1) or 2) might explain
this.

v2:
  - Shuffle the order of the ops slightly (no functional change)
  - Improve the comment to better explain the ordering (Matt B)

Assisted-by: Gemini:gemini-3 #debug
Link: https://gitlab.freedesktop.org/drm/xe/kernel/-/work_items/7903
Link: https://gitlab.freedesktop.org/drm/xe/kernel/-/work_items/4055
Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs")
Signed-off-by: Matthew Auld &lt;matthew.auld@intel.com&gt;
Cc: Thomas Hellström &lt;thomas.hellstrom@linux.intel.com&gt;
Cc: Matthew Brost &lt;matthew.brost@intel.com&gt;
Cc: &lt;stable@vger.kernel.org&gt; # v6.8+
Reviewed-by: Matthew Brost &lt;matthew.brost@intel.com&gt;
Acked-by: Thomas Hellström &lt;thomas.hellstrom@linux.intel.com&gt;
Link: https://patch.msgid.link/20260508102635.149172-3-matthew.auld@intel.com
(cherry picked from commit af1f2ad0c59fe4e2f924c526f66e968289d77971)
Signed-off-by: Rodrigo Vivi &lt;rodrigo.vivi@intel.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>drm/xe: Fix dma-buf attachment leak in xe_gem_prime_import()</title>
<updated>2026-05-17T15:16:31+00:00</updated>
<author>
<name>Shuicheng Lin</name>
<email>shuicheng.lin@intel.com</email>
</author>
<published>2026-04-08T17:52:55+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=eea1e10f8d99c0f04deef707c99705b94bba3b78'/>
<id>urn:sha1:eea1e10f8d99c0f04deef707c99705b94bba3b78</id>
<content type='text'>
commit 111ab678471bf1f90d078d5513bb086b70596c3c upstream.

When xe_dma_buf_init_obj() fails, the attachment from
dma_buf_dynamic_attach() is not detached. Add dma_buf_detach() before
returning the error. Note: we cannot use goto out_err here because
xe_dma_buf_init_obj() already frees bo on failure, and out_err would
double-free it.

Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4.6
Reviewed-by: Matthew Brost &lt;matthew.brost@intel.com&gt;
Link: https://patch.msgid.link/20260408175255.3402838-5-shuicheng.lin@intel.com
Signed-off-by: Shuicheng Lin &lt;shuicheng.lin@intel.com&gt;
(cherry picked from commit a828eb185aac41800df8eae4b60501ccc0dbbe51)
Signed-off-by: Rodrigo Vivi &lt;rodrigo.vivi@intel.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>drm/xe: Fix bo leak in xe_dma_buf_init_obj() on allocation failure</title>
<updated>2026-05-17T15:16:31+00:00</updated>
<author>
<name>Shuicheng Lin</name>
<email>shuicheng.lin@intel.com</email>
</author>
<published>2026-04-08T17:52:54+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=8fa8c2a22585fcb31dc605b91a67bbcca223fdd7'/>
<id>urn:sha1:8fa8c2a22585fcb31dc605b91a67bbcca223fdd7</id>
<content type='text'>
commit 93a528f67ce5095bcab46a69839eca97f43dd352 upstream.

When drm_gpuvm_resv_object_alloc() fails, the pre-allocated storage bo
is not freed. Add xe_bo_free(storage) before returning the error.

xe_dma_buf_init_obj() calls xe_bo_init_locked(), which frees the bo on
error. Therefore, xe_dma_buf_init_obj() must also free the bo on its own
error paths. Otherwise, since xe_gem_prime_import() cannot distinguish
whether the failure originated from xe_dma_buf_init_obj() or from
xe_bo_init_locked(), it cannot safely decide whether the bo should be
freed.

Add comments documenting the ownership semantics: on success, ownership
of storage is transferred to the returned drm_gem_object; on failure,
storage is freed before returning.

v2: Add comments to explain the free logic.

Fixes: eb289a5f6cc6 ("drm/xe: Convert xe_dma_buf.c for exhaustive eviction")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4.6
Reviewed-by: Matthew Brost &lt;matthew.brost@intel.com&gt;
Link: https://patch.msgid.link/20260408175255.3402838-4-shuicheng.lin@intel.com
Signed-off-by: Shuicheng Lin &lt;shuicheng.lin@intel.com&gt;
(cherry picked from commit 78a6c5f899f22338bbf48b44fb8950409c5a69b9)
Signed-off-by: Rodrigo Vivi &lt;rodrigo.vivi@intel.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>drm/xe/bo: Don't include the CCS metadata in the dma-buf sg-table</title>
<updated>2025-12-15T13:16:39+00:00</updated>
<author>
<name>Thomas Hellström</name>
<email>thomas.hellstrom@linux.intel.com</email>
</author>
<published>2025-12-09T20:49:20+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=449bcd5d45eb4ce26740f11f8601082fe734bed2'/>
<id>urn:sha1:449bcd5d45eb4ce26740f11f8601082fe734bed2</id>
<content type='text'>
Some Xe bos are allocated with extra backing-store for the CCS
metadata. It's never been the intention to share the CCS metadata
when exporting such bos as dma-buf. Don't include it in the
dma-buf sg-table.

Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs")
Cc: Rodrigo Vivi &lt;rodrigo.vivi@intel.com&gt;
Cc: Matthew Brost &lt;matthew.brost@intel.com&gt;
Cc: Maarten Lankhorst &lt;maarten.lankhorst@linux.intel.com&gt;
Cc: &lt;stable@vger.kernel.org&gt; # v6.8+
Signed-off-by: Thomas Hellström &lt;thomas.hellstrom@linux.intel.com&gt;
Reviewed-by: Matthew Brost &lt;matthew.brost@intel.com&gt;
Reviewed-by: Karol Wachowski &lt;karol.wachowski@linux.intel.com&gt;
Link: https://patch.msgid.link/20251209204920.224374-1-thomas.hellstrom@linux.intel.com
(cherry picked from commit a4ebfb9d95d78a12512b435a698ee6886d712571)
Signed-off-by: Thomas Hellström &lt;thomas.hellstrom@linux.intel.com&gt;
</content>
</entry>
<entry>
<title>drm/xe/dma-buf: Allow pinning of p2p dma-buf</title>
<updated>2025-09-22T12:30:07+00:00</updated>
<author>
<name>Thomas Hellström</name>
<email>thomas.hellstrom@linux.intel.com</email>
</author>
<published>2025-09-18T09:22:07+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=df636bf2836644667c632864e25878bd928154f7'/>
<id>urn:sha1:df636bf2836644667c632864e25878bd928154f7</id>
<content type='text'>
RDMA NICs typically require the VRAM dma-bufs to be pinned in
VRAM for pcie-p2p communication, since they don't fully support
the move_notify() scheme. We would like to support that.

However allowing unaccounted pinning of VRAM creates a DOS vector
so up until now we haven't allowed it.

However with cgroups support in TTM, the amount of VRAM allocated
to a cgroup can be limited, and since also the pinned memory is
accounted as allocated VRAM we should be safe.

An analogy with system memory can be made if we observe the
similarity with kernel system memory that is allocated as the
result of user-space action and that is accounted using __GFP_ACCOUNT.

Ideally, to be more flexible, we would add a "pinned_memory",
or possibly "kernel_memory" limit to the dmem cgroups controller,
that would additionally limit the memory that is pinned in this way.
If we let that limit default to the dmem::max limit we can
introduce that without needing to care about regressions.

Considering that we already pin VRAM in this way for at least
page-table memory and LRC memory, and the above path to greater
flexibility, allow this also for dma-bufs.

v2:
- Update comments about pinning in the dma-buf kunit test
  (Niranjana Vishwanathapura)

Cc: Dave Airlie &lt;airlied@gmail.com&gt;
Cc: Simona Vetter &lt;simona.vetter@ffwll.ch&gt;
Cc: Joonas Lahtinen &lt;joonas.lahtinen@linux.intel.com&gt;
Cc: Maarten Lankhorst &lt;maarten.lankhorst@intel.com&gt;
Cc: Matthew Brost &lt;matthew.brost@intel.com&gt;
Cc: Rodrigo Vivi &lt;rodrigo.vivi@intel.com&gt;
Cc: Lucas De Marchi &lt;lucas.demarchi@intel.com&gt;
Cc: Niranjana Vishwanathapura &lt;niranjana.vishwanathapura@intel.com&gt;
Signed-off-by: Thomas Hellström &lt;thomas.hellstrom@linux.intel.com&gt;
Acked-by: Simona Vetter &lt;simona.vetter@ffwll.ch&gt;
Reviewed-by: Maarten Lankhorst &lt;maarten.lankhorst@linux.intel.com&gt;
Link: https://lore.kernel.org/r/20250918092207.54472-4-thomas.hellstrom@linux.intel.com
</content>
</entry>
<entry>
<title>Merge tag 'drm-xe-next-2025-09-19' of https://gitlab.freedesktop.org/drm/xe/kernel into drm-next</title>
<updated>2025-09-21T22:21:42+00:00</updated>
<author>
<name>Dave Airlie</name>
<email>airlied@redhat.com</email>
</author>
<published>2025-09-21T21:42:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=0faeb8cf99c040886ac4917b0d7f4684dc9ae846'/>
<id>urn:sha1:0faeb8cf99c040886ac4917b0d7f4684dc9ae846</id>
<content type='text'>
UAPI Changes:
 - Drop L3 bank mask reporting from the media GT on Xe3 and later. Only
   do that for the primary GT. No userspace needs or uses it for media
   and some platforms may report bogus values.
 - Add SLPC power_profile sysfs interface with support for base and
   power_saving modes (Vinay Belgaumkar, Rodrigo Vivi)
 - Add configfs attributes to add post/mid context-switch commands
   (Lucas De Marchi)

Cross-subsystem Changes:
 - Fix hmm_pfn_to_map_order() usage in gpusvm and refactor APIs to
   align with pieces previously handled by xe_hmm (Matthew Auld)

Core Changes:
 - Add MEI driver for Late Binding Firmware Update/Upload
   (Alexander Usyskin)

Driver Changes:
 - Fix GuC CT teardown wrt TLB invalidation (Satyanarayana)
 - Fix CCS save/restore on VF (Satyanarayana)
 - Increase default GuC crash buffer size (Zhanjun)
 - Allow to clear GT stats in debugfs to aid debugging (Matthew Brost)
 - Add more SVM GT stats to debugfs (Matthew Brost)
 - Fix error handling in VMA attr query (Himal)
 - Move sa_info in debugfs to be per tile (Michal Wajdeczko)
 - Limit number of retries upon receiving NO_RESPONSE_RETRY from GuC to
   avoid endless loop (Michal Wajdeczko)
 - Fix configfs handling for survivability_mode undoing user choice when
   unbinding the module (Michal Wajdeczko)
 - Refactor configfs attribute visibility to future-proof it and stop
   exposing survivability_mode if not applicable (Michal Wajdeczko)
 - Constify some functions (Harish Chegondi, Michal Wajdeczko)
 - Add/extend more HW workarounds for Xe2 and Xe3
   (Harish Chegondi, Tangudu Tilak Tirumalesh)
 - Replace xe_hmm with gpusvm (Matthew Auld)
 - Improve fake pci and WA kunit handling for testing new platforms
   (Michal Wajdeczko)
 - Reduce unnecessary PTE writes when migrating (Sanjay Yadav)
 - Cleanup GuC interface definitions and log message (John Harrison)
 - Small improvements around VF CCS (Michal Wajdeczko)
 - Enable bus mastering for the I2C controller (Raag Jadav)
 - Prefer devm_mutex instead of hand rolling it (Christophe JAILLET)
 - Drop sysfs and debugfs attributes not available for VF (Michal Wajdeczko)
 - GuC CT devm actions improvements (Michal Wajdeczko)
 - Recommend new GuC versions for PTL and BMG (Julia Filipchuk)
 - Improve driver handling for exhaustive eviction using new
   xe_validation wrapper around drm_exec (Thomas Hellström)
 - Add and use printk wrappers for tile and device (Michal Wajdeczko)
 - Better document workaround handling in Xe (Lucas De Marchi)
 - Improvements on ARRAY_SIZE and ERR_CAST usage (Lucas De Marchi,
   Fushuai Wang)
 - Align CSS firmware headers with the GuC APIs (John Harrison)
 - Test GuC to GuC (G2G) communication to aid debug in pre-production
   firmware (John Harrison)
 - Bail out driver probing if GuC fails to load (John Harrison)
 - Allow error injection in xe_pxp_exec_queue_add()
   (Daniele Ceraolo Spurio)
 - Minor refactors in xe_svm (Shuicheng Lin)
 - Fix madvise ioctl error handling (Shuicheng Lin)
 - Use attribute groups to simplify sysfs registration
   (Michal Wajdeczko)
 - Add Late Binding Firmware implementation in Xe to work together with
   the MEI component (Badal Nilawar, Daniele Ceraolo Spurio, Rodrigo
   Vivi)
 - Fix build with CONFIG_MODULES=n (Lucas De Marchi)

Signed-off-by: Dave Airlie &lt;airlied@redhat.com&gt;

From: Lucas De Marchi &lt;lucas.demarchi@intel.com&gt;
Link: https://lore.kernel.org/r/c2et6dnkst2apsgt46dklej4nprqdukjosb55grpaknf3pvcxy@t7gtn3hqtp6n
</content>
</entry>
<entry>
<title>Merge tag 'v6.17-rc6' into drm-next</title>
<updated>2025-09-15T07:51:07+00:00</updated>
<author>
<name>Dave Airlie</name>
<email>airlied@redhat.com</email>
</author>
<published>2025-09-15T07:51:07+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=0d9f0083f7a5a31d91d501467b499bb8c4b25bdf'/>
<id>urn:sha1:0d9f0083f7a5a31d91d501467b499bb8c4b25bdf</id>
<content type='text'>
This is a backmerge of Linux 6.17-rc6, needed for msm,
also requested by misc.

Signed-off-by: Dave Airlie &lt;airlied@redhat.com&gt;
</content>
</entry>
<entry>
<title>xe: populate buffers before exporting them.</title>
<updated>2025-09-11T00:04:58+00:00</updated>
<author>
<name>Dave Airlie</name>
<email>airlied@redhat.com</email>
</author>
<published>2025-09-04T02:16:42+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=91494dee1091a14d91da6bcb39e12a907765c793'/>
<id>urn:sha1:91494dee1091a14d91da6bcb39e12a907765c793</id>
<content type='text'>
Before exporting a buffer, make sure it has been populated with
pages at least once.

While discussing cgroups we noticed a problem where you could export
a BO to a dma-buf without having it ever being backed or accounted for.

This meant in low memory situations or eventually with cgroups, a
lower privileged process might cause the compositor to try and allocate
a lot of memory on its behalf and this could fail. At least make
sure the exporter has managed to allocate the RAM at least once
before exporting the object.

This only applies currently to TTM_PL_SYSTEM objects, because
GTT objects get populated on first validate, and VRAM doesn't
use TT.

Cc: Thomas Hellström &lt;thomas.hellstrom@linux.intel.com&gt;
Signed-off-by: Dave Airlie &lt;airlied@redhat.com&gt;
Reviewed-by: Thomas Hellström &lt;thomas.hellstrom@linux.intel.com&gt;
Signed-off-by: Dave Airlie &lt;airlied@redhat.com&gt;
Link: https://lore.kernel.org/r/20250904021643.2050497-4-airlied@gmail.com
</content>
</entry>
<entry>
<title>drm/xe: Rename ___xe_bo_create_locked()</title>
<updated>2025-09-10T07:16:04+00:00</updated>
<author>
<name>Thomas Hellström</name>
<email>thomas.hellstrom@linux.intel.com</email>
</author>
<published>2025-09-08T10:12:42+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=550a42a8daee1b056f9b3e6c858e57451a5b315a'/>
<id>urn:sha1:550a42a8daee1b056f9b3e6c858e57451a5b315a</id>
<content type='text'>
Don't start external function names with underscores.
Rename to xe_bo_init_locked().

Signed-off-by: Thomas Hellström &lt;thomas.hellstrom@linux.intel.com&gt;
Reviewed-by: Matthew Brost &lt;matthew.brost@intel.com&gt;
Link: https://lore.kernel.org/r/20250908101246.65025-10-thomas.hellstrom@linux.intel.com
</content>
</entry>
</feed>
