[PATCH 2/5] drm/radeon: add userptr flag to limit it to anonymous memory v2

Jerome Glisse j.glisse at gmail.com
Tue Aug 5 15:13:35 PDT 2014


On Tue, Aug 05, 2014 at 07:45:21PM +0200, Christian König wrote:
> On 05.08.2014 at 19:39, Jerome Glisse wrote:
> >On Tue, Aug 05, 2014 at 06:05:29PM +0200, Christian König wrote:
> >>From: Christian König <christian.koenig at amd.com>
> >>
> >>Avoid problems with writeback by limiting userptr to anonymous memory.
> >>
> >>v2: add commit and code comments
> >I guess I have not expressed myself clearly. This is bogus, you pretend
> >you want to avoid writeback issues but you still allow userspace to map
> >file backed pages (which by the way might be a regular bo object from
> >another device for instance and that would be fun).
> >
> >So this patch is a no go and I would rather see this userptr
> >be restricted to anon vma only no matter what. No flags here.
> 
> Mapping of non anonymous memory (e.g. everything get_user_pages won't fail
> with) is restricted to read only access by the GPU.
> 
> I'm fine with making it a hard requirement for all mappings if you say it's
> a must have.
> 

Well, for the time being you should force read only. The way you implement write
is broken. Here is how it can be abused to allow writes to a file backed mmap.

mmap(fixaddress,fixedsize,NOFD)
userptr_ioctl(fixedaddress, RADEON_GEM_USERPTR_ANONONLY)
// bo is created successfully because fixedaddress is part of anonvma
munmap(fixedaddress,fixedsize)
// radeon get mmu_notifier_range_start callback and unbind page from the
// bo but radeon does not know there was an unmap.
mmap(fixaddress,fixedsize,fd_to_this_read_only_file_i_want_to_write_to)
radeon_ioctl_use_my_userptrbo
// bo is bind again by radeon and because all flag are set at creation
// it is map with write permission allowing someone to write to a file
// that might be read only for the user.
//
// Script kiddies it's time to learn about gpu ...

Of course if you had this patch (kind of selling my own junk here):

http://www.spinics.net/lists/linux-mm/msg75878.html

then you could know inside the range_start that you should remove the
write permission and that it should be rechecked on next bind.

Note that I have not read much of your code so maybe you handle this
case somehow.

Cheers,
Jérôme

> Christian.
> 
> >
> >Cheers,
> >Jérôme
> >
> >>Signed-off-by: Christian König <christian.koenig at amd.com>
> >>---
> >>  drivers/gpu/drm/radeon/radeon_gem.c |  3 ++-
> >>  drivers/gpu/drm/radeon/radeon_ttm.c | 10 ++++++++++
> >>  include/uapi/drm/radeon_drm.h       |  1 +
> >>  3 files changed, 13 insertions(+), 1 deletion(-)
> >>
> >>diff --git a/drivers/gpu/drm/radeon/radeon_gem.c b/drivers/gpu/drm/radeon/radeon_gem.c
> >>index 993ab22..032736b 100644
> >>--- a/drivers/gpu/drm/radeon/radeon_gem.c
> >>+++ b/drivers/gpu/drm/radeon/radeon_gem.c
> >>@@ -290,7 +290,8 @@ int radeon_gem_userptr_ioctl(struct drm_device *dev, void *data,
> >>  		return -EACCES;
> >>  	/* reject unknown flag values */
> >>-	if (args->flags & ~RADEON_GEM_USERPTR_READONLY)
> >>+	if (args->flags & ~(RADEON_GEM_USERPTR_READONLY |
> >>+	    RADEON_GEM_USERPTR_ANONONLY))
> >>  		return -EINVAL;
> >>  	/* readonly pages not tested on older hardware */
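Review bot: the widened mask in the "reject unknown flag values" test only makes RADEON_GEM_USERPTR_ANONONLY an accepted bit; nothing in these lines requires it, so a caller that leaves the bit clear passes this check without the anonymous-memory restriction. If the restriction is meant to prevent writeback problems, consider returning -EINVAL here when neither RADEON_GEM_USERPTR_READONLY nor RADEON_GEM_USERPTR_ANONONLY is set, or dropping the flag and enforcing the check unconditionally as asked for in the review. Minor style point: align the continuation line under the first flag inside the parenthesis.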
> >>diff --git a/drivers/gpu/drm/radeon/radeon_ttm.c b/drivers/gpu/drm/radeon/radeon_ttm.c
> >>index 0109090..54eb7bc 100644
> >>--- a/drivers/gpu/drm/radeon/radeon_ttm.c
> >>+++ b/drivers/gpu/drm/radeon/radeon_ttm.c
> >>@@ -542,6 +542,16 @@ static int radeon_ttm_tt_pin_userptr(struct ttm_tt *ttm)
> >>  		       ttm->num_pages * PAGE_SIZE))
> >>  		return -EFAULT;
> >>+	if (gtt->userflags & RADEON_GEM_USERPTR_ANONONLY) {
> >>+		/* check that we only pin down anonymous memory
> >>+		   to prevent problems with writeback */
> >>+		unsigned long end = gtt->userptr + ttm->num_pages * PAGE_SIZE;
> >>+		struct vm_area_struct *vma;
> >>+		vma = find_vma(gtt->usermm, gtt->userptr);
> >>+		if (!vma || vma->vm_file || vma->vm_end < end)
> >>+			return -EPERM;
> >>+	}
> >>+
> >>  	do {
> >>  		unsigned num_pages = ttm->num_pages - pinned;
> >>  		uint64_t userptr = gtt->userptr + pinned * PAGE_SIZE;
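Review bot: the condition "!vma || vma->vm_file || vma->vm_end < end" never looks at vma->vm_start. find_vma() returns the first VMA whose vm_end is above the address, and that VMA may begin after gtt->userptr, so a range that starts in an unmapped hole below an anonymous VMA is not rejected by this test; adding "vma->vm_start > gtt->userptr" to the condition covers it. No mmap_sem acquisition is visible around the lookup: find_vma() needs it held, and the answer is only meaningful if the same lock also covers the pinning loop that follows. The "vma->vm_end < end" test also refuses an anonymous range that spans more than one VMA, which deserves a word in the comment. Style: leave a blank line after the declarations and use the kernel multi-line comment form.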
> >>diff --git a/include/uapi/drm/radeon_drm.h b/include/uapi/drm/radeon_drm.h
> >>index 3a9f209..9720e1a 100644
> >>--- a/include/uapi/drm/radeon_drm.h
> >>+++ b/include/uapi/drm/radeon_drm.h
> >>@@ -816,6 +816,7 @@ struct drm_radeon_gem_create {
> >>   * perform any operation.
> >>   */
> >>  #define RADEON_GEM_USERPTR_READONLY	(1 << 0)
> >>+#define RADEON_GEM_USERPTR_ANONONLY	(1 << 1)
> >>  struct drm_radeon_gem_userptr {
> >>  	uint64_t		addr;
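Review bot: RADEON_GEM_USERPTR_ANONONLY is added to the uapi header without any description, next to a comment block that documents other behaviour. Since this is userspace ABI, please document what the flag guarantees (only anonymous memory is pinned), that a file-backed or partially covered range fails with -EPERM, and that the failure is reported when the pages are pinned in radeon_ttm_tt_pin_userptr() rather than by the userptr ioctl that accepted the flag.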
> >>-- 
> >>1.9.1
> >>
> >>_______________________________________________
> >>dri-devel mailing list
> >>dri-devel at lists.freedesktop.org
> >>http://lists.freedesktop.org/mailman/listinfo/dri-devel
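The failure mode raised in the reply above (a check made once at creation and then trusted after the range is unmapped and remapped), as an added userspace model that is not radeon code and not from either author. The struct names, model_bind and write_after_remap are hypothetical; only the two flag bit values come from the patch.

```c
/* Constructed userspace model (not radeon code): a userptr object whose
 * backing range is unmapped and remapped between two binds. */
#include <stdbool.h>

#define USERPTR_READONLY (1u << 0)  /* same bit as RADEON_GEM_USERPTR_READONLY */
#define USERPTR_ANONONLY (1u << 1)  /* same bit as RADEON_GEM_USERPTR_ANONONLY */

/* Hypothetical one-mapping address space; file_backed models vma->vm_file. */
struct model_vma { unsigned long start, end; bool mapped, file_backed; };
struct model_bo  { unsigned long addr, size; unsigned flags; bool checked, gpu_write; };

/* True only if one mapped anonymous range covers [addr, addr + size). */
static bool range_is_anon(const struct model_vma *v, unsigned long addr,
                          unsigned long size)
{
    return v->mapped && !v->file_backed &&
           v->start <= addr && addr + size <= v->end;
}

/* recheck == false: validate once, trust the result on later binds.
 * recheck == true:  validate on every bind, write only to anonymous memory. */
static int model_bind(struct model_bo *bo, const struct model_vma *v, bool recheck)
{
    bool anon = range_is_anon(v, bo->addr, bo->size);

    bo->gpu_write = false;
    if (recheck || !bo->checked) {
        if ((bo->flags & USERPTR_ANONONLY) && !anon)
            return -1;                  /* stands in for -EPERM */
        bo->checked = true;
    }
    /* the re-checking path also withholds write access from non-anon ranges */
    bo->gpu_write = !(bo->flags & USERPTR_READONLY) && (anon || !recheck);
    return 0;
}

/* Replays the sequence from the mail; returns whether GPU write access is
 * granted on the second bind, after the range became file backed. */
static bool write_after_remap(bool recheck)
{
    struct model_vma v = { 0x10000, 0x20000, true, false };
    struct model_bo bo = { 0x10000, 0x10000, USERPTR_ANONONLY, false, false };

    if (model_bind(&bo, &v, recheck) != 0)
        return false;
    v.mapped = false; bo.gpu_write = false;  /* munmap: pages are unbound */
    v.mapped = true;  v.file_backed = true;  /* same address, now a file */
    return model_bind(&bo, &v, recheck) == 0 && bo.gpu_write;
}
```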
> 

