drivers/gpu/drm/panthor/panthor_mmu.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-)
This commit address a kernel panic issue that can happen if Userspace
tries to partially unmap a GPU virtual region (aka drm_gpuva).
The VM_BIND interface allows partial unmapping of a BO.
Panthor driver pre-allocates memory for the new drm_gpuva structures
that would be needed for the map/unmap operation, done using drm_gpuvm
layer. It expected that only one new drm_gpuva would be needed on umap
but a partial unmap can require 2 new drm_gpuva and that's why it
ended up doing a NULL pointer dereference causing a kernel panic.
Following dump was seen when partial unmap was exercised.
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000078
Mem abort info:
ESR = 0x0000000096000046
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x06: level 2 translation fault
Data abort info:
ISV = 0, ISS = 0x00000046, ISS2 = 0x00000000
CM = 0, WnR = 1, TnD = 0, TagAccess = 0
GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
user pgtable: 4k pages, 48-bit VAs, pgdp=000000088a863000
[000000000000078] pgd=080000088a842003, p4d=080000088a842003, pud=0800000884bf5003, pmd=0000000000000000
Internal error: Oops: 0000000096000046 [#1] PREEMPT SMP
<snip>
pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : panthor_gpuva_sm_step_remap+0xe4/0x330 [panthor]
lr : panthor_gpuva_sm_step_remap+0x6c/0x330 [panthor]
sp : ffff800085d43970
x29: ffff800085d43970 x28: ffff00080363e440 x27: ffff0008090c6000
x26: 0000000000000030 x25: ffff800085d439f8 x24: ffff00080d402000
x23: ffff800085d43b60 x22: ffff800085d439e0 x21: ffff00080abdb180
x20: 0000000000000000 x19: 0000000000000000 x18: 0000000000000010
x17: 6e656c202c303030 x16: 3666666666646466 x15: 393d61766f69202c
x14: 312d3d7361203a70 x13: 303030323d6e656c x12: ffff80008324bf58
x11: 0000000000000003 x10: 0000000000000002 x9 : ffff8000801a6a9c
x8 : ffff00080360b300 x7 : 0000000000000000 x6 : 000000088aa35fc7
x5 : fff1000080000000 x4 : ffff8000842ddd30 x3 : 0000000000000001
x2 : 0000000100000000 x1 : 0000000000000001 x0 : 0000000000000078
Call trace:
panthor_gpuva_sm_step_remap+0xe4/0x330 [panthor]
op_remap_cb.isra.22+0x50/0x80
__drm_gpuvm_sm_unmap+0x10c/0x1c8
drm_gpuvm_sm_unmap+0x40/0x60
panthor_vm_exec_op+0xb4/0x3d0 [panthor]
panthor_vm_bind_exec_sync_op+0x154/0x278 [panthor]
panthor_ioctl_vm_bind+0x160/0x4a0 [panthor]
drm_ioctl_kernel+0xbc/0x138
drm_ioctl+0x240/0x500
__arm64_sys_ioctl+0xb0/0xf8
invoke_syscall+0x4c/0x110
el0_svc_common.constprop.1+0x98/0xf8
do_el0_svc+0x24/0x38
el0_svc+0x40/0xf8
el0t_64_sync_handler+0xa0/0xc8
el0t_64_sync+0x174/0x178
Changes in v2:
- Add R-bs and fixes tags
Fixes: 647810ec2476 ("drm/panthor: Add the MMU/VM logical block")
Signed-off-by: Akash Goel <akash.goel@arm.com>
Reviewed-by: Boris Brezillon <boris.brezillon@collabora.com>
Reviewed-by: Liviu Dudau <liviu.dudau@arm.com>
Reviewed-by: Steven Price <steven.price@arm.com>
---
drivers/gpu/drm/panthor/panthor_mmu.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/drivers/gpu/drm/panthor/panthor_mmu.c b/drivers/gpu/drm/panthor/panthor_mmu.c
index 6dec4354e378..7870e7dbaa5d 100644
--- a/drivers/gpu/drm/panthor/panthor_mmu.c
+++ b/drivers/gpu/drm/panthor/panthor_mmu.c
@@ -1175,10 +1175,14 @@ panthor_vm_op_ctx_prealloc_vmas(struct panthor_vm_op_ctx *op_ctx)
break;
case DRM_PANTHOR_VM_BIND_OP_TYPE_UNMAP:
- /* Partial unmaps might trigger a remap with either a prev or a next VA,
- * but not both.
+ /* Two VMAs can be needed for an unmap, as an unmap can happen
+ * in the middle of a drm_gpuva, requiring a remap with both
+ * prev & next VA. Or an unmap can span more than one drm_gpuva
+ * where the first and last ones are covered partially, requring
+ * a remap for the first with a prev VA and remap for the last
+ * with a next VA.
*/
- vma_count = 1;
+ vma_count = 2;
break;
default:
--
2.25.1Hi Akash,
On 20/10/2025 07:00, Akash Goel wrote:
> This commit address a kernel panic issue that can happen if Userspace
> tries to partially unmap a GPU virtual region (aka drm_gpuva).
> The VM_BIND interface allows partial unmapping of a BO.
>
> Panthor driver pre-allocates memory for the new drm_gpuva structures
> that would be needed for the map/unmap operation, done using drm_gpuvm
> layer. It expected that only one new drm_gpuva would be needed on umap
> but a partial unmap can require 2 new drm_gpuva and that's why it
> ended up doing a NULL pointer dereference causing a kernel panic.
>
> Following dump was seen when partial unmap was exercised.
> Unable to handle kernel NULL pointer dereference at virtual address 0000000000000078
> Mem abort info:
> ESR = 0x0000000096000046
> EC = 0x25: DABT (current EL), IL = 32 bits
> SET = 0, FnV = 0
> EA = 0, S1PTW = 0
> FSC = 0x06: level 2 translation fault
> Data abort info:
> ISV = 0, ISS = 0x00000046, ISS2 = 0x00000000
> CM = 0, WnR = 1, TnD = 0, TagAccess = 0
> GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
> user pgtable: 4k pages, 48-bit VAs, pgdp=000000088a863000
> [000000000000078] pgd=080000088a842003, p4d=080000088a842003, pud=0800000884bf5003, pmd=0000000000000000
> Internal error: Oops: 0000000096000046 [#1] PREEMPT SMP
> <snip>
> pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
> pc : panthor_gpuva_sm_step_remap+0xe4/0x330 [panthor]
> lr : panthor_gpuva_sm_step_remap+0x6c/0x330 [panthor]
> sp : ffff800085d43970
> x29: ffff800085d43970 x28: ffff00080363e440 x27: ffff0008090c6000
> x26: 0000000000000030 x25: ffff800085d439f8 x24: ffff00080d402000
> x23: ffff800085d43b60 x22: ffff800085d439e0 x21: ffff00080abdb180
> x20: 0000000000000000 x19: 0000000000000000 x18: 0000000000000010
> x17: 6e656c202c303030 x16: 3666666666646466 x15: 393d61766f69202c
> x14: 312d3d7361203a70 x13: 303030323d6e656c x12: ffff80008324bf58
> x11: 0000000000000003 x10: 0000000000000002 x9 : ffff8000801a6a9c
> x8 : ffff00080360b300 x7 : 0000000000000000 x6 : 000000088aa35fc7
> x5 : fff1000080000000 x4 : ffff8000842ddd30 x3 : 0000000000000001
> x2 : 0000000100000000 x1 : 0000000000000001 x0 : 0000000000000078
> Call trace:
> panthor_gpuva_sm_step_remap+0xe4/0x330 [panthor]
> op_remap_cb.isra.22+0x50/0x80
> __drm_gpuvm_sm_unmap+0x10c/0x1c8
> drm_gpuvm_sm_unmap+0x40/0x60
> panthor_vm_exec_op+0xb4/0x3d0 [panthor]
> panthor_vm_bind_exec_sync_op+0x154/0x278 [panthor]
> panthor_ioctl_vm_bind+0x160/0x4a0 [panthor]
> drm_ioctl_kernel+0xbc/0x138
> drm_ioctl+0x240/0x500
> __arm64_sys_ioctl+0xb0/0xf8
> invoke_syscall+0x4c/0x110
> el0_svc_common.constprop.1+0x98/0xf8
> do_el0_svc+0x24/0x38
> el0_svc+0x40/0xf8
> el0t_64_sync_handler+0xa0/0xc8
> el0t_64_sync+0x174/0x178
>
> Changes in v2:
> - Add R-bs and fixes tags
Sorry, perhaps I wasn't very clear. I've already pushed v1 to
drm-misc-fixes (with the fixes line and the R-bs):
4eabd0d8791e ("drm/panthor: Fix kernel panic on partial unmap of a GPU VA region")
Usually there's no need to post another version just to update the tags
as we can do that as part of applying the series.
Thanks,
Steve
>
> Fixes: 647810ec2476 ("drm/panthor: Add the MMU/VM logical block")
> Signed-off-by: Akash Goel <akash.goel@arm.com>
> Reviewed-by: Boris Brezillon <boris.brezillon@collabora.com>
> Reviewed-by: Liviu Dudau <liviu.dudau@arm.com>
> Reviewed-by: Steven Price <steven.price@arm.com>
> ---
> drivers/gpu/drm/panthor/panthor_mmu.c | 10 +++++++---
> 1 file changed, 7 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/gpu/drm/panthor/panthor_mmu.c b/drivers/gpu/drm/panthor/panthor_mmu.c
> index 6dec4354e378..7870e7dbaa5d 100644
> --- a/drivers/gpu/drm/panthor/panthor_mmu.c
> +++ b/drivers/gpu/drm/panthor/panthor_mmu.c
> @@ -1175,10 +1175,14 @@ panthor_vm_op_ctx_prealloc_vmas(struct panthor_vm_op_ctx *op_ctx)
> break;
>
> case DRM_PANTHOR_VM_BIND_OP_TYPE_UNMAP:
> - /* Partial unmaps might trigger a remap with either a prev or a next VA,
> - * but not both.
> + /* Two VMAs can be needed for an unmap, as an unmap can happen
> + * in the middle of a drm_gpuva, requiring a remap with both
> + * prev & next VA. Or an unmap can span more than one drm_gpuva
> + * where the first and last ones are covered partially, requring
> + * a remap for the first with a prev VA and remap for the last
> + * with a next VA.
> */
> - vma_count = 1;
> + vma_count = 2;
> break;
>
> default:
On 10/20/25 16:44, Steven Price wrote:
> Hi Akash,
>
>
> Sorry, perhaps I wasn't very clear. I've already pushed v1 to
> drm-misc-fixes (with the fixes line and the R-bs):
>
> 4eabd0d8791e ("drm/panthor: Fix kernel panic on partial unmap of a GPU VA region")
>
> Usually there's no need to post another version just to update the tags
> as we can do that as part of applying the series.
>
I am sorry Steve, I am not well versed with the up-streaming process.
Thanks for clarifying. Will do as as you suggested for future patches.
Best regards
Akash
> Thanks,
> Steve
>
>>
On 10/20/25 16:44, Steven Price wrote:
> Hi Akash,
>
> On 20/10/2025 07:00, Akash Goel wrote:
>> This commit address a kernel panic issue that can happen if Userspace
>> tries to partially unmap a GPU virtual region (aka drm_gpuva).
>> The VM_BIND interface allows partial unmapping of a BO.
>>
>> Panthor driver pre-allocates memory for the new drm_gpuva structures
>> that would be needed for the map/unmap operation, done using drm_gpuvm
>> layer. It expected that only one new drm_gpuva would be needed on umap
>> but a partial unmap can require 2 new drm_gpuva and that's why it
>> ended up doing a NULL pointer dereference causing a kernel panic.
>>
>> Following dump was seen when partial unmap was exercised.
>> Unable to handle kernel NULL pointer dereference at virtual address 0000000000000078
>> Mem abort info:
>> ESR = 0x0000000096000046
>> EC = 0x25: DABT (current EL), IL = 32 bits
>> SET = 0, FnV = 0
>> EA = 0, S1PTW = 0
>> FSC = 0x06: level 2 translation fault
>> Data abort info:
>> ISV = 0, ISS = 0x00000046, ISS2 = 0x00000000
>> CM = 0, WnR = 1, TnD = 0, TagAccess = 0
>> GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
>> user pgtable: 4k pages, 48-bit VAs, pgdp=000000088a863000
>> [000000000000078] pgd=080000088a842003, p4d=080000088a842003, pud=0800000884bf5003, pmd=0000000000000000
>> Internal error: Oops: 0000000096000046 [#1] PREEMPT SMP
>> <snip>
>> pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
>> pc : panthor_gpuva_sm_step_remap+0xe4/0x330 [panthor]
>> lr : panthor_gpuva_sm_step_remap+0x6c/0x330 [panthor]
>> sp : ffff800085d43970
>> x29: ffff800085d43970 x28: ffff00080363e440 x27: ffff0008090c6000
>> x26: 0000000000000030 x25: ffff800085d439f8 x24: ffff00080d402000
>> x23: ffff800085d43b60 x22: ffff800085d439e0 x21: ffff00080abdb180
>> x20: 0000000000000000 x19: 0000000000000000 x18: 0000000000000010
>> x17: 6e656c202c303030 x16: 3666666666646466 x15: 393d61766f69202c
>> x14: 312d3d7361203a70 x13: 303030323d6e656c x12: ffff80008324bf58
>> x11: 0000000000000003 x10: 0000000000000002 x9 : ffff8000801a6a9c
>> x8 : ffff00080360b300 x7 : 0000000000000000 x6 : 000000088aa35fc7
>> x5 : fff1000080000000 x4 : ffff8000842ddd30 x3 : 0000000000000001
>> x2 : 0000000100000000 x1 : 0000000000000001 x0 : 0000000000000078
>> Call trace:
>> panthor_gpuva_sm_step_remap+0xe4/0x330 [panthor]
>> op_remap_cb.isra.22+0x50/0x80
>> __drm_gpuvm_sm_unmap+0x10c/0x1c8
>> drm_gpuvm_sm_unmap+0x40/0x60
>> panthor_vm_exec_op+0xb4/0x3d0 [panthor]
>> panthor_vm_bind_exec_sync_op+0x154/0x278 [panthor]
>> panthor_ioctl_vm_bind+0x160/0x4a0 [panthor]
>> drm_ioctl_kernel+0xbc/0x138
>> drm_ioctl+0x240/0x500
>> __arm64_sys_ioctl+0xb0/0xf8
>> invoke_syscall+0x4c/0x110
>> el0_svc_common.constprop.1+0x98/0xf8
>> do_el0_svc+0x24/0x38
>> el0_svc+0x40/0xf8
>> el0t_64_sync_handler+0xa0/0xc8
>> el0t_64_sync+0x174/0x178
>>
>> Changes in v2:
>> - Add R-bs and fixes tags
>
> Sorry, perhaps I wasn't very clear. I've already pushed v1 to
> drm-misc-fixes (with the fixes line and the R-bs):
>
> 4eabd0d8791e ("drm/panthor: Fix kernel panic on partial unmap of a GPU VA region")
>
> Usually there's no need to post another version just to update the tags
> as we can do that as part of applying the series.
>
I am sorry Steve, I am not wel versed with the upstreaming process.
> Thanks,
> Steve
>
>>
>> Fixes: 647810ec2476 ("drm/panthor: Add the MMU/VM logical block")
>> Signed-off-by: Akash Goel <akash.goel@arm.com>
>> Reviewed-by: Boris Brezillon <boris.brezillon@collabora.com>
>> Reviewed-by: Liviu Dudau <liviu.dudau@arm.com>
>> Reviewed-by: Steven Price <steven.price@arm.com>
>> ---
>> drivers/gpu/drm/panthor/panthor_mmu.c | 10 +++++++---
>> 1 file changed, 7 insertions(+), 3 deletions(-)
>>
>> diff --git a/drivers/gpu/drm/panthor/panthor_mmu.c b/drivers/gpu/drm/panthor/panthor_mmu.c
>> index 6dec4354e378..7870e7dbaa5d 100644
>> --- a/drivers/gpu/drm/panthor/panthor_mmu.c
>> +++ b/drivers/gpu/drm/panthor/panthor_mmu.c
>> @@ -1175,10 +1175,14 @@ panthor_vm_op_ctx_prealloc_vmas(struct panthor_vm_op_ctx *op_ctx)
>> break;
>>
>> case DRM_PANTHOR_VM_BIND_OP_TYPE_UNMAP:
>> - /* Partial unmaps might trigger a remap with either a prev or a next VA,
>> - * but not both.
>> + /* Two VMAs can be needed for an unmap, as an unmap can happen
>> + * in the middle of a drm_gpuva, requiring a remap with both
>> + * prev & next VA. Or an unmap can span more than one drm_gpuva
>> + * where the first and last ones are covered partially, requring
>> + * a remap for the first with a prev VA and remap for the last
>> + * with a next VA.
>> */
>> - vma_count = 1;
>> + vma_count = 2;
>> break;
>>
>> default:
>
© 2016 - 2026 Red Hat, Inc.