Hi, Christian,

On Tue, 2021-09-21 at 13:28 +0200, Christian König wrote:
> On 21.09.21 at 13:01, Matthew Auld wrote:
> > In commit:
> >
> > commit 09ac4fcb3f255e9225967c75f5893325c116cdbe
> > Author: Felix Kuehling <Felix.Kuehling@xxxxxxx>
> > Date: Thu Jul 13 17:01:16 2017 -0400
> >
> >     drm/ttm: Implement vm_operations_struct.access v2
> >
> > we added the vm_access hook, where we also directly call tt_swapin for
> > some reason. If something is swapped-out then the ttm_tt must also be
> > unpopulated, and since access_kmap should also call tt_populate, if
> > needed, then swapping-in will already be handled there.
>
> Sounds like you completely misunderstand what that is good for.
>
> This is for debugger attaching to a process and peek/poke into the VMA
> and completely unrelated to kmap.

I think what Matthew is saying is that there is a fallthrough to
TTM_PL_TT which calls ttm_bo_vm_access_kmap which calls
ttm_tt_populate().

So from my pov, unless there are other concerns, this is

Reviewed-by: Thomas Hellström <thomas.hellstrom@xxxxxxxxxxxxxxx>

> >
> > If anything, calling tt_swapin directly here would likely always fail
> > since the tt->pages won't yet be populated, or worse since the tt->pages
> > array is never actually cleared in unpopulate this might lead to a nasty
> > uaf.
>
> That's indeed true, but we just need to unconditionally call
> ttm_tt_populate() here instead.
>
> Regards,
> Christian.
>
> >
> > Fixes: 09ac4fcb3f25 ("drm/ttm: Implement vm_operations_struct.access v2")
> > Signed-off-by: Matthew Auld <matthew.auld@xxxxxxxxx>
> > Cc: Thomas Hellström <thomas.hellstrom@xxxxxxxxxxxxxxx>
> > Cc: Christian König <christian.koenig@xxxxxxx>
> > ---
> >  drivers/gpu/drm/ttm/ttm_bo_vm.c | 5 -----
> >  1 file changed, 5 deletions(-)
> >
> > diff --git a/drivers/gpu/drm/ttm/ttm_bo_vm.c > > b/drivers/gpu/drm/ttm/ttm_bo_vm.c > > index f56be5bc0861..5b9b7fd01a69 100644 > > --- a/drivers/gpu/drm/ttm/ttm_bo_vm.c 
> > +++ b/drivers/gpu/drm/ttm/ttm_bo_vm.c > > @@ -519,11 +519,6 @@ int ttm_bo_vm_access(struct vm_area_struct > > *vma, unsigned long addr, > > > > switch (bo->resource->mem_type) { > > case TTM_PL_SYSTEM: > > - if (unlikely(bo->ttm->page_flags & > > TTM_PAGE_FLAG_SWAPPED)) { > > - ret = ttm_tt_swapin(bo->ttm); > > - if (unlikely(ret != 0)) > > - return ret; > > - } > > fallthrough; > > case TTM_PL_TT: > > ret = ttm_bo_vm_access_kmap(bo, offset, buf, len, > > write); >
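
Review bot: the now-empty `case TTM_PL_SYSTEM:` in ttm_bo_vm_access() should carry a short comment stating that populate and swap-in are left to ttm_bo_vm_access_kmap() on the fallthrough path, because nothing in this hunk shows that dependency and a later change to that helper would silently break access to swapped-out objects through this hook. The leftover `fallthrough;` between two case labels with no statements in between is also redundant and could be dropped so the labels stack directly.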