[PATCH 4/4] drm/amdkfd: Check against device cgroup

Roman Gushchin guro at fb.com
Tue May 14 01:58:40 UTC 2019


On Wed, May 01, 2019 at 02:59:29PM +0000, Kasiviswanathan, Harish wrote:
> Participate in device cgroup. All kfd devices are exposed via /dev/kfd.
> So use /dev/dri/renderN node.
> 
> Before exposing the device to a task check if it has permission to
> access it. If the task (based on its cgroup) can access /dev/dri/renderN
> then expose the device via kfd node.
> 
> If the task cannot access /dev/dri/renderN then process device data
> (pdd) is not created. This will ensure that task cannot use the device.
> 
> In sysfs topology, all device nodes are visible irrespective of the task
> cgroup. The sysfs node directories are created at driver load time and
> cannot be changed dynamically. However, access to information inside
> nodes is controlled based on the task's cgroup permissions.
> 
> Signed-off-by: Harish Kasiviswanathan <Harish.Kasiviswanathan at amd.com>
> Reviewed-by: Felix Kuehling <Felix.Kuehling at amd.com>

Hello, Harish!

Cgroup/device controller part looks good to me.
Please, feel free to use my acks for patches 3 and 4:
Acked-by: Roman Gushchin <guro at fb.com>

Thanks!

> ---
>  drivers/gpu/drm/amd/amdkfd/kfd_flat_memory.c |  9 +++++++--
>  drivers/gpu/drm/amd/amdkfd/kfd_priv.h        | 17 +++++++++++++++++
>  drivers/gpu/drm/amd/amdkfd/kfd_topology.c    | 12 ++++++++++++
>  3 files changed, 36 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_flat_memory.c b/drivers/gpu/drm/amd/amdkfd/kfd_flat_memory.c
> index dc7339825b5c..3804edfb4ff7 100644
> --- a/drivers/gpu/drm/amd/amdkfd/kfd_flat_memory.c
> +++ b/drivers/gpu/drm/amd/amdkfd/kfd_flat_memory.c
> @@ -369,8 +369,13 @@ int kfd_init_apertures(struct kfd_process *process)
>  
>  	/*Iterating over all devices*/
>  	while (kfd_topology_enum_kfd_devices(id, &dev) == 0) {
> -		if (!dev) {
> -			id++; /* Skip non GPU devices */
> +		if (!dev || kfd_devcgroup_check_permission(dev)) {
> +			/* Skip non GPU devices and devices to which the
> +			 * current process have no access to. Access can be
> +			 * limited by placing the process in a specific
> +			 * cgroup hierarchy
                                           ^
				Probably, a missing dot here.
> +			 */
> +			id++;
>  			continue;
>  		}
>  
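Review bot: In the new condition in kfd_init_apertures(), `if (!dev || kfd_devcgroup_check_permission(dev))`, a non-zero return means "access denied", which is easy to misread because the helper's name reads like a predicate that is true when access is allowed. The helper's definition is not visible in this hunk, so the return convention should be made explicit at the call site, for example with a `!= 0` comparison, or documented next to the helper. In the added comment, "devices to which the current process have no access to" should read "devices to which the current process has no access", and the sentence should end with a period, as already pointed out above.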

