Claude review: drm/xe/xe_vm: Implement xe_vm_get_property_ioctl

[Claude Code Review Bot <claude-review@example.com>]

Patch Review

**Missing UAPI field validation.** The ioctl handler validates `reserved[]` but does not check `pad` or `extensions`:

> +	if (XE_IOCTL_DBG(xe, args->reserved[0] || args->reserved[1] ||
> +			     args->reserved[2]))
> +		return -EINVAL;

Both `pad` (marked MBZ in the UAPI struct) and `extensions` must be validated to be zero for future extensibility. Compare with `xe_vm_create_ioctl` and other xe ioctl handlers which all validate their `extensions` field. This should be:

```c
if (XE_IOCTL_DBG(xe, args->extensions))
    return -EINVAL;
if (XE_IOCTL_DBG(xe, args->pad || args->reserved[0] ||
                 args->reserved[1] || args->reserved[2]))
    return -EINVAL;
```

Failing to reject non-zero `extensions` now means the field cannot be used for extensions in the future without breaking backward compatibility with applications that happen to pass garbage in that field today.

**TOCTOU between size check and fill.** In `xe_vm_get_property_helper`, the faults lock is acquired to read `vm->faults.len`, then released, then `fill_faults` acquires the lock again:

> +		spin_lock(&vm->faults.lock);
> +		size = size_mul(sizeof(struct xe_vm_fault), vm->faults.len);
> +		spin_unlock(&vm->faults.lock);
> +
> +		if (!args->size) {
> +			args->size = size;
> +			return 0;
> +		}
> +
> +		if (args->size > size || args->size % sizeof(struct xe_vm_fault))
> +			return -EINVAL;
> +
> +		return fill_faults(vm, args);

Since faults can only be added (not removed except during VM teardown), and `fill_faults` caps its iteration at `count = args->size / entry_size`, this is safe in practice: there will always be at least `count` entries by the time `fill_faults` runs. However, if `xe_vm_close_and_put` runs between the size check and `fill_faults`, the list could be cleared, resulting in `fill_faults` copying fewer entries than expected (the rest being zero-filled from `kcalloc`). The user would receive zero-filled fault entries with no way to distinguish them from a legitimate fault at address 0. Documenting this race or returning the actual number of entries copied would be an improvement.

**No way to report actual count.** Related to the above, the ioctl provides no mechanism for the kernel to tell userspace how many fault entries were actually copied. If the user queries the size, allocates memory, then calls again, new faults may have been added in between. The user gets back exactly the number they requested, but has no way to know if there are additional faults available. For a query interface, a pattern like "return the total available count in a field so the user can re-query" would be more useful.

**`xe_vm_fault` reserved fields not validated on read-back.** The `struct xe_vm_fault` has `pad` and `reserved` MBZ fields, but since these are output-only structs (kernel writes them, user reads them), validation isn't needed. The kernel correctly zero-fills them via `kcalloc` and zero-initialized `fault_entry`. This is fine.

---
Generated by Claude Code Patch Reviewer