[PATCH] drm/ttm: don't set page->mapping

Christian König christian.koenig at amd.com
Thu Nov 5 15:15:36 UTC 2020 

Am 05.11.20 um 15:38 schrieb Daniel Vetter:
> On Thu, Nov 5, 2020 at 3:31 PM Daniel Vetter <daniel at ffwll.ch> wrote:
>> On Thu, Nov 5, 2020 at 2:22 PM Christian König <christian.koenig at amd.com> wrote:
>>> Am 05.11.20 um 14:20 schrieb Daniel Vetter:
>>>> On Thu, Nov 05, 2020 at 01:56:22PM +0100, Christian König wrote:
>>>>> Am 05.11.20 um 13:50 schrieb Daniel Vetter:
>>>>>> On Thu, Nov 05, 2020 at 01:29:50PM +0100, Christian König wrote:
>>>>>>> Am 05.11.20 um 10:11 schrieb Daniel Vetter:
>>>>>>>> On Thu, Nov 5, 2020 at 9:00 AM Christian König <christian.koenig at amd.com> wrote:
>>>>>>>>> Am 04.11.20 um 17:50 schrieb Daniel Vetter:
>>>>>>>>>> Random observation while trying to review Christian's patch series to
>>>>>>>>>> stop looking at struct page for dma-buf imports.
>>>>>>>>>>
>>>>>>>>>> This was originally added in
>>>>>>>>>>
>>>>>>>>>> commit 58aa6622d32af7d2c08d45085f44c54554a16ed7
>>>>>>>>>> Author: Thomas Hellstrom <thellstrom at vmware.com>
>>>>>>>>>> Date:   Fri Jan 3 11:47:23 2014 +0100
>>>>>>>>>>
>>>>>>>>>>          drm/ttm: Correctly set page mapping and -index members
>>>>>>>>>>
>>>>>>>>>>          Needed for some vm operations; most notably unmap_mapping_range() with
>>>>>>>>>>          even_cows = 0.
>>>>>>>>>>
>>>>>>>>>>          Signed-off-by: Thomas Hellstrom <thellstrom at vmware.com>
>>>>>>>>>>          Reviewed-by: Brian Paul <brianp at vmware.com>
>>>>>>>>>>
>>>>>>>>>> but we do not have a single caller of unmap_mapping_range with
>>>>>>>>>> even_cows == 0. And all the gem drivers don't do this, so another
>>>>>>>>>> small thing we could standardize between drm and ttm drivers.
>>>>>>>>>>
>>>>>>>>>> Plus I don't really see a need for unamp_mapping_range where we don't
>>>>>>>>>> want to indiscriminately shoot down all ptes.
>>>>>>>>> NAK, we use this to determine if a pages belongs to the driver or not in
>>>>>>>>> amdgpu for example.
>>>>>>>>>
>>>>>>>>> Mostly used for debugging, but I would really like to keep that.
>>>>>>>> Can you pls point me at that code? A quick grep hasn't really found much at all.
>>>>>>> See amdgpu_iomem_read() for an example:
>>>>>> Why do you reject this?
>>>>> When IOMMU is disabled or uses an 1 to 1 mapping we would otherwise give the
>>>>> same access as /dev/mem to system memory and that is forbidden. But as I
>>>>> noted this is just for the debugfs file.
>>>> Ah, there's a config option for that. Plus it's debugfs, anything goes in
>>>> debugfs, but if you're worried about that hole we should just disable the
>>>> entire debugfs file for CONFIG_STRICT_DEVMEM. I can perhaps throw that on
>>>> top, that follow_pfn patch series I'm baking is all about this kind of
>>>> fun.
>>> And exactly that would get a NAK from us.
>>>
>>> We have specially created that debugfs file as an alternative when
>>> CONFIG_STRICT_DEVMEM is set.
>> Uh that doesn't work if you work around core restrictions with your
>> own debugfs paths.

That's why we have the restriction to check the mapping of the pages.

This way we only expose the memory which was allocated by our driver and 
don't allow any uncontrolled access to the whole system memory.

We have something similar for radeon as well, but there we have a global 
GART table which we can use for validating stuff.

>>   Maybe you can do fun like this in your dkms, but
>> not in upstream. Like if this was specifically created to work around
>> CONFIG_STRICT_DEVMEM (and it sounds like that) then I think this
>> should never have landed in upstream to begin with.
> I'm also kinda confused that there's distros with CONFIG_STRICT_DEVMEM
> which allow debugfs. debugfs is a pretty bad root hole all around, or
> at least that's been the assumption all the time.

Yeah, completely agree :) But that's not my problem.

Christian.

> -Daniel
>
>>>>> When I tried a few years ago to not set the page->mapping I immediately ran
>>>>> into issues with our eviction test. So I think that this is used elsewhere
>>>>> as well.
>>>> That's the kind of interaction I'm worried about here tbh. If this does
>>>> some kind of shrinking of some sorts, I think a real shrinker should take
>>>> over.
>>>>
>>>> An improved grep shows nothing else, so the only the above is the only
>>>> thing I can think of. What kind of eviction test goes boom if you clear
>>>> ->mapping here? I'd be happy to type up the clever trick for the debugfs
>>>> files.
>>>> -Daniel
>>>>
>>>>> Regards,
>>>>> Christian.
>>>>>
>>>>>> If this is to avoid issues with userptr, then I think there's a simple
>>>>>> trick:
>>>>>> - grab page reference
>>>>>> - recheck that the iova still points at the same address
>>>>>> - do read/write, safe in the knowledge that this page cannot be reused for
>>>>>>      anything else
>>>>>> - drop page reference
>>>>>>
>>>>>> Of course this can still race against iova updates, but that seems to be a
>>>>>> fundamental part of your debug interface here.
>>>>>>
>>>>>> Or am I missing something?
>>>>>>
>>>>>> Just pondering this more since setting the page->mapping pointer for just
>>>>>> this seems somewhat wild abuse of ->mapping semantics :-)
>>>>>> -Daniel
>>>>>>
>>>>>>>>                    if (p->mapping != adev->mman.bdev.dev_mapping)
>>>>>>>>                            return -EPERM;
>>>>>>> Christian.
>>>>>>>
>>>>>>>> -Daniel
>>>>>>>>
>>>>>>>>> Christian.
>>>>>>>>>
>>>>>>>>>> Cc: Thomas Hellstrom <thellstrom at vmware.com>
>>>>>>>>>> Cc: Brian Paul <brianp at vmware.com>
>>>>>>>>>> Signed-off-by: Daniel Vetter <daniel.vetter at intel.com>
>>>>>>>>>> Cc: Christian Koenig <christian.koenig at amd.com>
>>>>>>>>>> Cc: Huang Rui <ray.huang at amd.com>
>>>>>>>>>> ---
>>>>>>>>>>       drivers/gpu/drm/ttm/ttm_tt.c | 12 ------------
>>>>>>>>>>       1 file changed, 12 deletions(-)
>>>>>>>>>>
>>>>>>>>>> diff --git a/drivers/gpu/drm/ttm/ttm_tt.c b/drivers/gpu/drm/ttm/ttm_tt.c
>>>>>>>>>> index 8861a74ac335..438ea43fd8c1 100644
>>>>>>>>>> --- a/drivers/gpu/drm/ttm/ttm_tt.c
>>>>>>>>>> +++ b/drivers/gpu/drm/ttm/ttm_tt.c
>>>>>>>>>> @@ -291,17 +291,6 @@ int ttm_tt_swapout(struct ttm_bo_device *bdev, struct ttm_tt *ttm)
>>>>>>>>>>           return ret;
>>>>>>>>>>       }
>>>>>>>>>>
>>>>>>>>>> -static void ttm_tt_add_mapping(struct ttm_bo_device *bdev, struct ttm_tt *ttm)
>>>>>>>>>> -{
>>>>>>>>>> -     pgoff_t i;
>>>>>>>>>> -
>>>>>>>>>> -     if (ttm->page_flags & TTM_PAGE_FLAG_SG)
>>>>>>>>>> -             return;
>>>>>>>>>> -
>>>>>>>>>> -     for (i = 0; i < ttm->num_pages; ++i)
>>>>>>>>>> -             ttm->pages[i]->mapping = bdev->dev_mapping;
>>>>>>>>>> -}
>>>>>>>>>> -
>>>>>>>>>>       int ttm_tt_populate(struct ttm_bo_device *bdev,
>>>>>>>>>>                       struct ttm_tt *ttm, struct ttm_operation_ctx *ctx)
>>>>>>>>>>       {
>>>>>>>>>> @@ -320,7 +309,6 @@ int ttm_tt_populate(struct ttm_bo_device *bdev,
>>>>>>>>>>           if (ret)
>>>>>>>>>>                   return ret;
>>>>>>>>>>
>>>>>>>>>> -     ttm_tt_add_mapping(bdev, ttm);
>>>>>>>>>>           ttm->page_flags |= TTM_PAGE_FLAG_PRIV_POPULATED;
>>>>>>>>>>           if (unlikely(ttm->page_flags & TTM_PAGE_FLAG_SWAPPED)) {
>>>>>>>>>>                   ret = ttm_tt_swapin(ttm);
>>
>> --
>> Daniel Vetter
>> Software Engineer, Intel Corporation
>> https://nam11.safelinks.protection.outlook.com/?url=http%3A%2F%2Fblog.ffwll.ch%2F&data=04%7C01%7Cchristian.koenig%40amd.com%7C619e6a6113674691eb9708d8819874f4%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637401839082694450%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=Uo7UXS7y%2BU%2FHfnBenx2vQXuyyB%2FCuOULLOp1uL0eg4I%3D&reserved=0
>
>

More information about the dri-devel mailing list