Quoting Bloomfield, Jon (2018-06-14 16:06:40)
> > -----Original Message-----
> > From: Chris Wilson <chris@xxxxxxxxxxxxxxxxxx>
> > Sent: Thursday, June 14, 2018 8:00 AM
> > To: Bloomfield, Jon <jon.bloomfield@xxxxxxxxx>; intel-gfx@xxxxxxxxxxxxxxxxxxxxx
> > Cc: Joonas Lahtinen <joonas.lahtinen@xxxxxxxxxxxxxxx>; Matthew Auld <matthew.william.auld@xxxxxxxxx>
> > Subject: RE: [PATCH 3/5] drm/i915: Prevent writing into a read-only object via a GGTT mmap
> >
> > Quoting Bloomfield, Jon (2018-06-14 15:53:13)
> > > > -----Original Message-----
> > > > From: Chris Wilson <chris@xxxxxxxxxxxxxxxxxx>
> > > > Sent: Thursday, June 14, 2018 5:00 AM
> > > > To: intel-gfx@xxxxxxxxxxxxxxxxxxxxx
> > > > Cc: Chris Wilson <chris@xxxxxxxxxxxxxxxxxx>; Bloomfield, Jon <jon.bloomfield@xxxxxxxxx>; Joonas Lahtinen <joonas.lahtinen@xxxxxxxxxxxxxxx>; Matthew Auld <matthew.william.auld@xxxxxxxxx>
> > > > Subject: [PATCH 3/5] drm/i915: Prevent writing into a read-only object via a GGTT mmap
> > > >
> > > > If the user has created a read-only object, they should not be allowed
> > > > to circumvent the write protection by using a GGTT mmapping. Deny it.
> > > >
> > > > Also most machines do not support read-only GGTT PTEs, so again we have
> > > > to reject attempted writes. Fortunately, this is known a priori, so we
> > > > can at least reject in the call to create the mmap with backup in the
> > > > fault handler. This is a little draconian as we could blatantly ignore
> > > > the write protection on the pages, but it is far simpler to keep the
> > > > readonly object pure. (It is easier to lift a restriction than to impose
> > > > it later!)
> > > Are you sure this is necessary? I assumed you would just create a ro IA
> > > mapping to the page, irrespective of the ability of ggtt.
> >
> > You are thinking of the CPU mmap? The GTT mmap offers a linear view of
> > the tiled object. It would be very wrong for us to bypass the PROT_READ
> > protection of a user page by accessing it via the GTT.
> No, I was thinking of gtt mmap. That requires both GTT and IA PTE mappings
> right? One to map the object into the GTT, and then a second to point the
> IA at the aperture. Why wouldn't marking the IA mapping RO protect the
> object if the GT cannot reach the GTT mapping (from user batches).

Hmm. I keep forgetting that we can get at the vma from mmap(), because
that's hidden away elsewhere and only see i915_gem_fault() on a daily
basis.

Hmm, is it legal to read a PROT_READ-only vma if PROT_WRITE is requested, or
are we meant to return -EINVAL?
-Chris