This commit fixes the NULL pointer dereference issue that would have
happened on the split of GPU mapping due to partial unmap of an evicted
BO. There is a logic to handle the partial unmap of huge pages when the
GPU mapping is split. That logic was not being completely skipped for
the VMA of an evicted BO and that resulted in a NPD possibility for the
'bo->backing.pages' pointer, which is set to NULL when pages of a
BO are released on eviction.

Following dump was seen when a partial unmap was exercised for an
evicted BO.
Unable to handle kernel paging request at virtual address 0000000000002000
Mem abort info:
  ESR = 0x0000000096000004
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x04: level 0 translation fault
Data abort info:
  ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
  CM = 0, WnR = 0, TnD = 0, TagAccess = 0
  GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
user pgtable: 4k pages, 48-bit VAs, pgdp=00000008842e8000
[0000000000002000] pgd=0000000000000000, p4d=0000000000000000
Internal error: Oops: 0000000096000004 [#1]  SMP
<snip>
pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : iova_mapped_as_huge_page+0x20/0x68 [panthor]
lr : panthor_gpuva_sm_step_remap+0x39c/0x498 [panthor]
sp : ffff800086193920
x29: ffff800086193920 x28: ffff800086193a18 x27: ffff800086193b80
x26: 0000000000400000 x25: 0000000000810000 x24: 0000000000400000
x23: ffff000808af1800 x22: 0000000000a00000 x21: ffff800086193a00
x20: ffff000806fd3f00 x19: 0000000000410000 x18: 00000000ffffffff
x17: 0000000000000000 x16: 0000000000000000 x15: ffff800083ce2d83
x14: 0000000000000000 x13: 3120646574636976 x12: 6520303030303138
x11: 2d30303030313420 x10: ffff8000836e6c80 x9 : ffff80007bfc889c
x8 : 3fffffffffffefff x7 : ffff8000836e6c80 x6 : 0000000000000000
x5 : ffff00097ef19088 x4 : 0000000000000000 x3 : 0000000000000000
x2 : 0000000000010000 x1 : 0000000000000400 x0 : 0000000000000000
Call trace:
 iova_mapped_as_huge_page+0x20/0x68 [panthor] (P)
 op_remap_cb.isra.0+0x70/0xb0
 __drm_gpuvm_sm_unmap+0xf8/0x1c0
 drm_gpuvm_sm_unmap+0x40/0x60
 panthor_vm_exec_op+0xa0/0x168 [panthor]
 panthor_vm_bind_exec_sync_op+0x8c/0xb8 [panthor]
 panthor_ioctl_vm_bind+0xbc/0x170 [panthor]
 drm_ioctl_kernel+0xc0/0x140
 drm_ioctl+0x20c/0x500
 __arm64_sys_ioctl+0xb4/0x118
 invoke_syscall+0x5c/0x120
 el0_svc_common.constprop.0+0x48/0xf8
 do_el0_svc+0x28/0x40
 el0_svc+0x38/0x128
 el0t_64_sync_handler+0xa0/0xe8
 el0t_64_sync+0x198/0x1a0
Code: 8b030021 cb020021 f940b800 d34cfc21 (f8617801)
---[ end trace 0000000000000000 ]---

Fixes: 8e7460eac786 ("drm/panthor: Support partial unmaps of huge pages")
Signed-off-by: Akash Goel <[email protected]>
---
 drivers/gpu/drm/panthor/panthor_mmu.c | 26 +++++++++++++-------------
 1 file changed, 13 insertions(+), 13 deletions(-)

diff --git a/drivers/gpu/drm/panthor/panthor_mmu.c 
b/drivers/gpu/drm/panthor/panthor_mmu.c
index 31cc57029c12..285e7b9bc100 100644
--- a/drivers/gpu/drm/panthor/panthor_mmu.c
+++ b/drivers/gpu/drm/panthor/panthor_mmu.c
@@ -2358,20 +2358,20 @@ static int panthor_gpuva_sm_step_remap(struct 
drm_gpuva_op *op,
         */
        panthor_fix_sparse_map_offset(op->remap.next, unmap_vma->flags);
 
-       /*
-        * ARM IOMMU page table management code disallows partial unmaps of 
huge pages,
-        * so when a partial unmap is requested, we must first unmap the entire 
huge
-        * page and then remap the difference between the huge page minus the 
requested
-        * unmap region. Calculating the right start address and range for the 
expanded
-        * unmap operation is the responsibility of the following function.
-        */
-       unmap_hugepage_align(&op->remap, &unmap_start, &unmap_range);
-
-       /* If the range changed, we might have to lock a wider region to 
guarantee
-        * atomicity. panthor_vm_lock_region() bails out early if the new region
-        * is already part of the locked region, so no need to do this check 
here.
-        */
        if (!unmap_vma->evicted) {
+               /*
+               * ARM IOMMU page table management code disallows partial unmaps 
of huge pages,
+               * so when a partial unmap is requested, we must first unmap the 
entire huge
+               * page and then remap the difference between the huge page 
minus the requested
+               * unmap region. Calculating the right start address and range 
for the expanded
+               * unmap operation is the responsibility of the following 
function.
+               */
+               unmap_hugepage_align(&op->remap, &unmap_start, &unmap_range);
+
+               /* If the range changed, we might have to lock a wider region 
to guarantee
+                * atomicity. panthor_vm_lock_region() bails out early if the 
new region
+                * is already part of the locked region, so no need to do this 
check here.
+                */
                panthor_vm_lock_region(vm, unmap_start, unmap_range);
                panthor_vm_unmap_pages(vm, unmap_start, unmap_range);
        }
-- 
2.25.1

Reply via email to