Re: [PATCH v3 1/1] drm/ttm: Fix COW check

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Wed, Jul 14, 2021 at 12:51:15PM +0200, Christian König wrote:
> Am 14.07.21 um 12:44 schrieb Daniel Vetter:
> > On Mon, Jul 12, 2021 at 06:06:36PM -0400, Felix Kuehling wrote:
> > > KFD Thunk maps invisible VRAM BOs with PROT_NONE, MAP_PRIVATE.
> > > is_cow_mapping returns true for these mappings. Add a check for
> > > vm_flags & VM_WRITE to avoid mmap failures on private read-only or
> > > PROT_NONE mappings.
> > > 
> > > v2: protect against mprotect making a mapping writable after the fact
> > > v3: update driver-specific vm_operations_structs
> > > 
> > > Fixes: f91142c62161 ("drm/ttm: nuke VM_MIXEDMAP on BO mappings v3")
> > > Signed-off-by: Felix Kuehling <Felix.Kuehling@xxxxxxx>
> > > Signed-off-by: Alex Deucher <alexander.deucher@xxxxxxx>
> > So looking at vmf_insert_pfn_prot() and the comment there we can't have
> > VM_PFNMAP and is_cow_mapping ever be true, or things break. On platforms
> > without pte_special at least.
> 
> Key idea is that we never end up in vmf_insert_pfn_prot() because the vma is
> mapped with PROT_NONE.

Ah right if it's PROT_NONE then it's ok. But the code here only checks for
VM_WRITE, not VM_READ, so PROT_READ can get through and go boom? Or
something else I'm missing?

Maybe time for a few amdgpu mmap tests that go through the combos and make
sure it works/fails all correctly.
-Daniel

> > So I'm not sure this is a great idea, and definitely not for all drivers
> 
> Yeah, I'm absolutely not happy with this either but it seemed to be the
> least painful thing to do.
> 
> > ...
> > 
> > Can we clear VM_MAYWRITE instead to force this to be a non-cow mapping
> > instead?
> 
> Well we have considered forcefully setting VM_SHARED, which won't work
> easily for a couple of reasons.
> 
> But clearing VM_MAYWRITE in amdgpu/amdkfd may actually work as well.
> 
> Felix can you test this?
> 
> Thanks,
> Christian.
> 
> > -Daniel
> > 
> > > ---
> > >   drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c  |  3 ++-
> > >   drivers/gpu/drm/nouveau/nouveau_gem.c    |  3 ++-
> > >   drivers/gpu/drm/radeon/radeon_gem.c      |  3 ++-
> > >   drivers/gpu/drm/ttm/ttm_bo_vm.c          | 14 +++++++++++++-
> > >   drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c |  1 +
> > >   include/drm/ttm/ttm_bo_api.h             |  4 ++++
> > >   6 files changed, 24 insertions(+), 4 deletions(-)
> > > 
> > > diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
> > > index b3404c43a911..1aa750a6a5d2 100644
> > > --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
> > > +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
> > > @@ -79,7 +79,8 @@ static const struct vm_operations_struct amdgpu_gem_vm_ops = {
> > >   	.fault = amdgpu_gem_fault,
> > >   	.open = ttm_bo_vm_open,
> > >   	.close = ttm_bo_vm_close,
> > > -	.access = ttm_bo_vm_access
> > > +	.access = ttm_bo_vm_access,
> > > +	.mprotect = ttm_bo_vm_mprotect
> > >   };
> > >   static void amdgpu_gem_object_free(struct drm_gem_object *gobj)
> > > diff --git a/drivers/gpu/drm/nouveau/nouveau_gem.c b/drivers/gpu/drm/nouveau/nouveau_gem.c
> > > index 5b27845075a1..164ea564bb7a 100644
> > > --- a/drivers/gpu/drm/nouveau/nouveau_gem.c
> > > +++ b/drivers/gpu/drm/nouveau/nouveau_gem.c
> > > @@ -70,7 +70,8 @@ static const struct vm_operations_struct nouveau_ttm_vm_ops = {
> > >   	.fault = nouveau_ttm_fault,
> > >   	.open = ttm_bo_vm_open,
> > >   	.close = ttm_bo_vm_close,
> > > -	.access = ttm_bo_vm_access
> > > +	.access = ttm_bo_vm_access,
> > > +	.mprotect = ttm_bo_vm_mprotect
> > >   };
> > >   void
> > > diff --git a/drivers/gpu/drm/radeon/radeon_gem.c b/drivers/gpu/drm/radeon/radeon_gem.c
> > > index 458f92a70887..c19ad07eb7b5 100644
> > > --- a/drivers/gpu/drm/radeon/radeon_gem.c
> > > +++ b/drivers/gpu/drm/radeon/radeon_gem.c
> > > @@ -77,7 +77,8 @@ static const struct vm_operations_struct radeon_gem_vm_ops = {
> > >   	.fault = radeon_gem_fault,
> > >   	.open = ttm_bo_vm_open,
> > >   	.close = ttm_bo_vm_close,
> > > -	.access = ttm_bo_vm_access
> > > +	.access = ttm_bo_vm_access,
> > > +	.mprotect = ttm_bo_vm_mprotect
> > >   };
> > >   static void radeon_gem_object_free(struct drm_gem_object *gobj)
> > > diff --git a/drivers/gpu/drm/ttm/ttm_bo_vm.c b/drivers/gpu/drm/ttm/ttm_bo_vm.c
> > > index f56be5bc0861..fb325bad5db6 100644
> > > --- a/drivers/gpu/drm/ttm/ttm_bo_vm.c
> > > +++ b/drivers/gpu/drm/ttm/ttm_bo_vm.c
> > > @@ -542,17 +542,29 @@ int ttm_bo_vm_access(struct vm_area_struct *vma, unsigned long addr,
> > >   }
> > >   EXPORT_SYMBOL(ttm_bo_vm_access);
> > > +int ttm_bo_vm_mprotect(struct vm_area_struct *vma, unsigned long start,
> > > +		       unsigned long end, unsigned long newflags)
> > > +{
> > > +	/* Enforce no COW since would have really strange behavior with it. */
> > > +	if (is_cow_mapping(newflags) && (newflags & VM_WRITE))
> > > +		return -EINVAL;
> > > +
> > > +	return 0;
> > > +}
> > > +EXPORT_SYMBOL(ttm_bo_vm_mprotect);
> > > +
> > >   static const struct vm_operations_struct ttm_bo_vm_ops = {
> > >   	.fault = ttm_bo_vm_fault,
> > >   	.open = ttm_bo_vm_open,
> > >   	.close = ttm_bo_vm_close,
> > >   	.access = ttm_bo_vm_access,
> > > +	.mprotect = ttm_bo_vm_mprotect,
> > >   };
> > >   int ttm_bo_mmap_obj(struct vm_area_struct *vma, struct ttm_buffer_object *bo)
> > >   {
> > >   	/* Enforce no COW since would have really strange behavior with it. */
> > > -	if (is_cow_mapping(vma->vm_flags))
> > > +	if (is_cow_mapping(vma->vm_flags) && (vma->vm_flags & VM_WRITE))
> > >   		return -EINVAL;
> > >   	ttm_bo_get(bo);
> > > diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c b/drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c
> > > index e6b1f98ec99f..e4bf7dc99320 100644
> > > --- a/drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c
> > > +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c
> > > @@ -61,6 +61,7 @@ int vmw_mmap(struct file *filp, struct vm_area_struct *vma)
> > >   		.fault = vmw_bo_vm_fault,
> > >   		.open = ttm_bo_vm_open,
> > >   		.close = ttm_bo_vm_close,
> > > +		.mprotect = ttm_bo_vm_mprotect,
> > >   #ifdef CONFIG_TRANSPARENT_HUGEPAGE
> > >   		.huge_fault = vmw_bo_vm_huge_fault,
> > >   #endif
> > > diff --git a/include/drm/ttm/ttm_bo_api.h b/include/drm/ttm/ttm_bo_api.h
> > > index f681bbdbc698..40eb95875355 100644
> > > --- a/include/drm/ttm/ttm_bo_api.h
> > > +++ b/include/drm/ttm/ttm_bo_api.h
> > > @@ -605,6 +605,10 @@ void ttm_bo_vm_close(struct vm_area_struct *vma);
> > >   int ttm_bo_vm_access(struct vm_area_struct *vma, unsigned long addr,
> > >   		     void *buf, int len, int write);
> > > +
> > > +int ttm_bo_vm_mprotect(struct vm_area_struct *vma, unsigned long start,
> > > +		       unsigned long end, unsigned long newflags);
> > > +
> > >   bool ttm_bo_delayed_delete(struct ttm_device *bdev, bool remove_all);
> > >   vm_fault_t ttm_bo_vm_dummy_page(struct vm_fault *vmf, pgprot_t prot);
> > > -- 
> > > 2.32.0
> > > 
> 

-- 
Daniel Vetter
Software Engineer, Intel Corporation
http://blog.ffwll.ch
[Index of Archives]     [Linux DRI Users]     [Linux Intel Graphics]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]     [XFree86]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Linux Kernel]     [Linux SCSI]     [XFree86]
  Powered by Linux