Re: [PATCH] drm/shmem_helper: Make sure PMD entries get the writeable upgrade
From: Boris Brezillon
Date: Fri Apr 03 2026 - 04:26:29 EST

On Fri, 3 Apr 2026 09:57:53 +0200
Loïc Molinari <loic.molinari@xxxxxxxxxxxxx> wrote:

> Hi Boris,
>
> On 20/03/2026 16:19, Boris Brezillon wrote:
> > Unlike PTEs which are automatically upgraded to writeable entries if
> > .pfn_mkwrite() returns 0, the PMD upgrades go through .huge_fault(),
> > and we currently pretend to have handled the make-writeable request
> > even though we only ever map things read-only. Make sure we pass the
> > proper "write" info to vmf_insert_pfn_pmd() in that case.
> >
> > This also means we have to record the mkwrite event in the .huge_fault()
> > path now. Move the dirty tracking logic to a
> > drm_gem_shmem_record_mkwrite() helper so it can also be called from
> > drm_gem_shmem_pfn_mkwrite().
> >
> > Note that this wasn't a problem before commit 28e3918179aa
> > ("drm/gem-shmem: Track folio accessed/dirty status in mmap"), because
> > the pgprot were not lowered to read-only before this commit (see the
> > vma_wants_writenotify() in vma_set_page_prot()).
> >
> > Fixes: 28e3918179aa ("drm/gem-shmem: Track folio accessed/dirty status in mmap")
> > Signed-off-by: Boris Brezillon <boris.brezillon@xxxxxxxxxxxxx>
> > Cc: Biju Das <biju.das.jz@xxxxxxxxxxxxxx>
> > Cc: Thomas Zimmermann <tzimmermann@xxxxxxx>
> > Cc: Tommaso Merciai <tommaso.merciai.xr@xxxxxxxxxxxxxx>
> > ---
> >
> > This patch is based on drm-tip [2], because that's the only branch
> > that has both [1] and the dirty tracking changes that live in
> > drm-misc-next.
> >
> > Also added the THP maintainers in Cc, so I can hopefully get some
> > feedback on the fix. For instance, I'm still unsure
> > drm_gem_shmem_pfn_mkwrite() is race-free (do we need some locking
> > there? should we call folio_mark_dirty_lock()? should we call the
> > fault handler directly from there and have all the dirty tracking
> > in this .[huge_]fault path?).
> >
> > [1] https://yhbt.net/lore/dri-devel/20260319015224.46896-1-pedrodemargomes@xxxxxxxxx/
> > [2] https://gitlab.freedesktop.org/drm/tip
> > ---
> > drivers/gpu/drm/drm_gem_shmem_helper.c | 46 ++++++++++++++++++--------
> > 1 file changed, 32 insertions(+), 14 deletions(-)
> >
> > diff --git a/drivers/gpu/drm/drm_gem_shmem_helper.c b/drivers/gpu/drm/drm_gem_shmem_helper.c
> > index 2062ca607833..545933c7f712 100644
> > --- a/drivers/gpu/drm/drm_gem_shmem_helper.c
> > +++ b/drivers/gpu/drm/drm_gem_shmem_helper.c
> > @@ -554,6 +554,21 @@ int drm_gem_shmem_dumb_create(struct drm_file *file, struct drm_device *dev,
> > }
> > EXPORT_SYMBOL_GPL(drm_gem_shmem_dumb_create);
> >
> > +static void drm_gem_shmem_record_mkwrite(struct vm_fault *vmf)
> > +{
> > + struct vm_area_struct *vma = vmf->vma;
> > + struct drm_gem_object *obj = vma->vm_private_data;
> > + struct drm_gem_shmem_object *shmem = to_drm_gem_shmem_obj(obj);
> > + loff_t num_pages = obj->size >> PAGE_SHIFT;
> > + pgoff_t page_offset = vmf->pgoff - vma->vm_pgoff; /* page offset within VMA */
> > +
> > + if (drm_WARN_ON(obj->dev, !shmem->pages || page_offset >= num_pages))
> > + return;

For full transparency, I'd like to mention the review bot complained [1]
about us not propagating the error to .pfn_mkwrite() as was done before
this patch. In practice, I don't think it matters much: if the pages are
gone and .pfn_mkwrite() is called, we're in trouble anyway, because a
read-only PTE pointing to this missing page exists already, and it
won't be removed if we return an error; it just won't be updated to
read-write.

> > +
> > + file_update_time(vma->vm_file);
> > + folio_mark_dirty(page_folio(shmem->pages[page_offset]));
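
Review bot: drm_gem_shmem_record_mkwrite() reads shmem->pages[page_offset] and calls folio_mark_dirty() with no lock taken in the visible lines, and nothing in the helper documents why that is safe. Please add a comment above the function stating the invariant its callers rely on (what keeps the pages array and the folio alive while this runs), or use folio_mark_dirty_lock() if no such guarantee holds. Separately, because the helper returns void, the "!shmem->pages || page_offset >= num_pages" case only emits a warning; if any caller is expected to react to it, return a bool or an error code instead.
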
>
> Unless we're sure the folio can't be truncated by another CPU, maybe we
> should use folio_mark_dirty_lock() here.

In practice, we control when the file is truncated
(drm_gem_shmem_purge_locked()), and before we do that, we make sure to
kill all the CPU mappings (drm_vma_node_unmap() called before
shmem_truncate_range()). So I'd say we're good WRT this particular race.

> This is what's done for pages
> (not PFNs) in mm/memory.c. Let's wait and see how it goes without
> locking for now.

I agree, let's see how it goes and revisit later if needed.

>
> Reviewed-by: Loïc Molinari <loic.molinari@xxxxxxxxxxxxx>

Thanks for the review. The patch has been queued to drm-misc-next-fixes.

Regards,

Boris

[1] https://lore.gitlab.freedesktop.org/drm-ai-reviews/review-patch1-20260320151914.586945-1-boris.brezillon@xxxxxxxxxxxxx/