Re: [Mesa-dev] [PATCH 0/6] dma-buf: Add an API for exporting sync files (v12)


 



On 18.06.21 at 19:20, Daniel Vetter wrote:
On Fri, Jun 18, 2021 at 6:43 PM Christian König
<christian.koenig@xxxxxxx> wrote:
On 18.06.21 at 17:17, Daniel Vetter wrote:
[SNIP]
Ignoring _all_ fences is officially ok for pinned dma-buf. This is
what v4l does. Aside from it's definitely not just i915 that does this
even on the drm side, we have a few more drivers nowadays.
No it seriously isn't. If drivers are doing this they are more than broken.

See the comment in dma-resv.h

   * Based on bo.c which bears the following copyright notice,
   * but is dual licensed:
....


The handling in ttm_bo.c is and always was that the exclusive fence is
used for buffer moves.

As I said multiple times now the *MAIN* purpose of the dma_resv object
is memory management and *NOT* synchronization.

Those restrictions come from the original design of TTM where the
dma_resv object originated from.

The resulting consequences are that:

a) If you access the buffer without waiting for the exclusive fence you
run into a potential information leak.
      We kind of let that slip for V4L since they only access the buffers
for writes, so you can't do any harm there.

b) If you overwrite the exclusive fence with a new one without waiting
for the old one to signal you open up the possibility for userspace to
access freed up memory.
      This is a complete show stopper since it means that taking over the
system is just a typing exercise.


What you have done by allowing this in is ripping open a major security
hole for any DMA-buf import in i915 from all TTM based drivers.

This needs to be fixed ASAP, either by waiting in i915 and all other
drivers doing this for the exclusive fence while importing a DMA-buf or
by marking i915 and all other drivers as broken.

Sorry, but if you allowed that in you seriously have no idea what you
are talking about here and where all of this originated from.
Dude, get a grip, seriously. dma-buf landed in 2011

commit d15bd7ee445d0702ad801fdaece348fdb79e6581
Author: Sumit Semwal <sumit.semwal@xxxxxx>
Date:   Mon Dec 26 14:53:15 2011 +0530

    dma-buf: Introduce dma buffer sharing mechanism

and drm prime landed in the same year

commit 3248877ea1796915419fba7c89315fdbf00cb56a
(airlied/drm-prime-dmabuf-initial)
Author: Dave Airlie <airlied@xxxxxxxxxx>
Date:   Fri Nov 25 15:21:02 2011 +0000

    drm: base prime/dma-buf support (v5)

dma-resv was extracted much later

commit 786d7257e537da0674c02e16e3b30a44665d1cee
Author: Maarten Lankhorst <m.b.lankhorst@xxxxxxxxx>
Date:   Thu Jun 27 13:48:16 2013 +0200

    reservation: cross-device reservation support, v4

Maarten's patch only extracted the dma_resv stuff so it's there,
optionally. There was never any effort to roll this out to all the
existing drivers, of which there were plenty.

It is, and has been for 10 years, totally fine to access dma-buf
without looking at any fences at all. From your pov of a ttm driver
dma-resv is mainly used for memory management and not sync, but I
think that's also due to some reinterpretation of the actual sync
rules on your side. For everyone else the dma_resv attached to a
dma-buf has been about implicit sync only, nothing else.

No, that was way before my time.

The whole thing was introduced with this commit here:

commit f2c24b83ae90292d315aa7ac029c6ce7929e01aa
Author: Maarten Lankhorst <maarten.lankhorst@xxxxxxxxxxxxx>
Date:   Wed Apr 2 17:14:48 2014 +0200

    drm/ttm: flip the switch, and convert to dma_fence

    Signed-off-by: Maarten Lankhorst <maarten.lankhorst@xxxxxxxxxxxxx>

 int ttm_bo_move_accel_cleanup(struct ttm_buffer_object *bo,
....
-       bo->sync_obj = driver->sync_obj_ref(sync_obj);
+       reservation_object_add_excl_fence(bo->resv, fence);
        if (evict) {
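
Review bot: the added `reservation_object_add_excl_fence(bo->resv, fence);` line in ttm_bo_move_accel_cleanup() carries no comment saying what the exclusive fence now stands for. The removed line stored the fence in bo->sync_obj, so the exclusive slot of bo->resv takes over that role for buffer moves; a short comment at this call, or in the documentation of reservation_object_add_excl_fence, stating that the fence guards the move and what other users of the same reservation object have to do with it, would make that visible at the point where it is introduced.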

Maarten replaced the bo->sync_obj reference with the dma_resv exclusive fence.

This means that we need to apply the sync_obj semantic to all drivers using a DMA-buf with its dma_resv object, otherwise you break imports from TTM drivers.

Since then and up till now the exclusive fence must be waited on and never replaced with anything which signals before the old fence.

Maarten and I think Thomas did that and I was always assuming that you know about this design decision.

It's absolutely not that this is my invention, I'm just telling you how it always was.

Anyway this means we have a serious misunderstanding and yes now some of our discussions about dynamic P2P suddenly make much more sense.

Regards,
Christian.



_only_ when you have a dynamic importer/exporter can you assume that
the dma_resv fences must actually be obeyed. That's one of the reasons
why we had to make this a completely new mode (the other one was
locking, but they really tie together).

Wrt your problems:
a) needs to be fixed in drivers exporting buffers and failing to make
sure the memory is there by the time dma_buf_map_attachment returns.
b) needs to be fixed in the importers, and there's quite a few of
those. There's more than i915 here, which is why I think we should
have the dma_resv_add_shared_exclusive helper extracted from amdgpu.
Avoids hand-rolling this about 5 times (6 if we include the import
ioctl from Jason).

Also I've like been trying to explain this ever since the entire
dynamic dma-buf thing started.
-Daniel
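
The rule discussed in this thread, that an exclusive fence must never be replaced by one that signals before the old fence, shown as an added toy model in userspace C. It is not code from the thread or from the kernel: every `toy_*` name is hypothetical, and chaining the new fence behind the old one is only one way to express the rule.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy userspace model, not kernel code: every toy_* name is hypothetical. */
struct toy_fence {
    bool signaled;              /* has the job behind this fence finished? */
    struct toy_fence *prev;     /* older fence this one must not overtake */
};
struct toy_resv { struct toy_fence *excl; };   /* exclusive fence slot only */

/* A fence is done only once every fence chained before it is done too. */
static bool toy_fence_done(const struct toy_fence *f)
{
    for (; f; f = f->prev)
        if (!f->signaled)
            return false;
    return true;
}

/* Consequence (b): a plain overwrite forgets the pending buffer move. */
static void toy_set_excl_overwrite(struct toy_resv *r, struct toy_fence *f)
{
    f->prev = NULL;
    r->excl = f;
}

/* The replacement cannot signal before the fence it replaces. */
static void toy_set_excl_chained(struct toy_resv *r, struct toy_fence *f)
{
    f->prev = r->excl;
    r->excl = f;
}

/* True if the slot reports idle while the constructed move is still running. */
static bool toy_idle_during_move(bool chained)
{
    struct toy_fence move = { .signaled = false, .prev = NULL };
    struct toy_fence import = { .signaled = true, .prev = NULL };
    struct toy_resv resv = { .excl = &move };
    if (chained)
        toy_set_excl_chained(&resv, &import);
    else
        toy_set_excl_overwrite(&resv, &import);
    return toy_fence_done(resv.excl);
}

int main(void)
{
    printf("overwrite=%d chained=%d\n", toy_idle_during_move(false), toy_idle_during_move(true));
    return 0;
}
```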



