[Mesa-dev] [PATCH 0/6] dma-buf: Add an API for exporting sync files (v12)

Christian König christian.koenig at amd.com
Fri Jun 18 18:01:53 UTC 2021


On 18.06.21 at 19:20, Daniel Vetter wrote:
> On Fri, Jun 18, 2021 at 6:43 PM Christian König
> <christian.koenig at amd.com> wrote:
>> On 18.06.21 at 17:17, Daniel Vetter wrote:
>>> [SNIP]
>>> Ignoring _all_ fences is officially ok for pinned dma-buf. This is
>>> what v4l does. Aside from it's definitely not just i915 that does this
>>> even on the drm side, we have a few more drivers nowadays.
>> No it seriously isn't. If drivers are doing this they are more than broken.
>>
>> See the comment in dma-resv.h
>>
>>    * Based on bo.c which bears the following copyright notice,
>>    * but is dual licensed:
>> ....
>>
>>
>> The handling in ttm_bo.c is and always was that the exclusive fence is
>> used for buffer moves.
>>
>> As I said multiple times now the *MAIN* purpose of the dma_resv object
>> is memory management and *NOT* synchronization.
>>
>> Those restrictions come from the original design of TTM where the
>> dma_resv object originated from.
>>
>> The resulting consequences are that:
>>
>> a) If you access the buffer without waiting for the exclusive fence you
>> run into a potential information leak.
>>       We kind of let that slip for V4L since they only access the buffers
>> for writes, so you can't do any harm there.
>>
>> b) If you overwrite the exclusive fence with a new one without waiting
>> for the old one to signal you open up the possibility for userspace to
>> access freed up memory.
>>       This is a complete show stopper since it means that taking over the
>> system is just a typing exercise.
>>
>>
>> What you have done by allowing this in is ripping open a major security
>> hole for any DMA-buf import in i915 from all TTM based drivers.
>>
>> This needs to be fixed ASAP, either by waiting in i915 and all other
>> drivers doing this for the exclusive fence while importing a DMA-buf or
>> by marking i915 and all other drivers as broken.
>>
>> Sorry, but if you allowed that in you seriously have no idea what you
>> are talking about here and where all of this originated from.
> Dude, get a grip, seriously. dma-buf landed in 2011
>
> commit d15bd7ee445d0702ad801fdaece348fdb79e6581
> Author: Sumit Semwal <sumit.semwal at ti.com>
> Date:   Mon Dec 26 14:53:15 2011 +0530
>
>     dma-buf: Introduce dma buffer sharing mechanism
>
> and drm prime landed in the same year
>
> commit 3248877ea1796915419fba7c89315fdbf00cb56a
> (airlied/drm-prime-dmabuf-initial)
> Author: Dave Airlie <airlied at redhat.com>
> Date:   Fri Nov 25 15:21:02 2011 +0000
>
>     drm: base prime/dma-buf support (v5)
>
> dma-resv was extracted much later
>
> commit 786d7257e537da0674c02e16e3b30a44665d1cee
> Author: Maarten Lankhorst <m.b.lankhorst at gmail.com>
> Date:   Thu Jun 27 13:48:16 2013 +0200
>
>     reservation: cross-device reservation support, v4
>
> Maarten's patch only extracted the dma_resv stuff so it's there,
> optionally. There was never any effort to roll this out to all the
> existing drivers, of which there were plenty.
>
> It is, and has been for 10 years, totally fine to access dma-buf
> without looking at any fences at all. From your pov of a ttm driver
> dma-resv is mainly used for memory management and not sync, but I
> think that's also due to some reinterpretation of the actual sync
> rules on your side. For everyone else the dma_resv attached to a
> dma-buf has been about implicit sync only, nothing else.

No, that was way before my time.

The whole thing was introduced with this commit here:

commit f2c24b83ae90292d315aa7ac029c6ce7929e01aa
Author: Maarten Lankhorst <maarten.lankhorst at canonical.com>
Date:   Wed Apr 2 17:14:48 2014 +0200

     drm/ttm: flip the switch, and convert to dma_fence

     Signed-off-by: Maarten Lankhorst <maarten.lankhorst at canonical.com>

  int ttm_bo_move_accel_cleanup(struct ttm_buffer_object *bo,
....
-       bo->sync_obj = driver->sync_obj_ref(sync_obj);
+       reservation_object_add_excl_fence(bo->resv, fence);
         if (evict) {
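
Review bot: at the "+ reservation_object_add_excl_fence(bo->resv, fence);" line in ttm_bo_move_accel_cleanup(), the move fence now lands in the exclusive slot of bo->resv, but nothing in the lines shown says what other users of that reservation object have to do with it, and the commit message as shown is only a subject and a Signed-off-by. Suggest a comment at this call stating that the exclusive fence guards the buffer move, so the requirement is written down at the point where bo->sync_obj is replaced.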

Maarten replaced the bo->sync_obj reference with the dma_resv exclusive 
fence.

This means that we need to apply the sync_obj semantic to all drivers 
using a DMA-buf with its dma_resv object, otherwise you break imports 
from TTM drivers.

Since then and up till now the exclusive fence must be waited on and 
never replaced with anything which signals before the old fence.

Maarten and I think Thomas did that and I was always assuming that you 
know about this design decision.

It's absolutely not that this is my invention, I'm just telling you how 
it always was.

Anyway this means we have a serious misunderstanding and yes now some 
of our discussions about dynamic P2P suddenly make much more sense.

Regards,
Christian.


>
> _only_ when you have a dynamic importer/exporter can you assume that
> the dma_resv fences must actually be obeyed. That's one of the reasons
> why we had to make this a completely new mode (the other one was
> locking, but they really tie together).
>
> Wrt your problems:
> a) needs to be fixed in drivers exporting buffers and failing to make
> sure the memory is there by the time dma_buf_map_attachment returns.
> b) needs to be fixed in the importers, and there's quite a few of
> those. There's more than i915 here, which is why I think we should
> have the dma_resv_add_shared_exclusive helper extracted from amdgpu.
> Avoids hand-rolling this about 5 times (6 if we include the import
> ioctl from Jason).
>
> Also I've like been trying to explain this ever since the entire
> dynamic dma-buf thing started.
> -Daniel
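
Consequences (a) and (b) from the message above, written as a small user-space C model; this is an added example, not code from the thread, the kernel or any driver. struct fence, struct resv and every function name are hypothetical stand-ins, and fence ordering is modelled as an explicit waits_on chain.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model types, not the kernel's dma_fence / dma_resv. */
struct fence {
    bool signaled;
    const struct fence *waits_on;   /* fence this one is ordered behind, or NULL */
};
struct resv { const struct fence *excl; };

/* True if f is old itself or is chained behind old, so it cannot signal first. */
static bool ordered_after(const struct fence *f, const struct fence *old)
{
    for (; f; f = f->waits_on)
        if (f == old)
            return true;
    return false;
}

/* Consequence (a): touch the buffer only once the exclusive fence has signaled. */
bool resv_may_access(const struct resv *r)
{
    return !r->excl || r->excl->signaled;
}

/* Consequence (b): refuse a replacement that could signal before a pending fence. */
int resv_set_excl(struct resv *r, const struct fence *f)
{
    if (r->excl && !r->excl->signaled && !ordered_after(f, r->excl))
        return -1;
    r->excl = f;
    return 0;
}

/* Constructed scenario: a pending move fence and an unrelated, already-signaled fence. */
bool unchecked_replace_hides_move(void)
{
    struct fence move = { false, NULL }, other = { true, NULL };
    struct resv r = { &move };
    r.excl = &other;                 /* blind overwrite, the pattern under dispute */
    return resv_may_access(&r) && !move.signaled;
}

int main(void)
{
    printf("blind overwrite hides pending move: %d\n", unchecked_replace_hides_move());
    return 0;
}
```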


