Message ID | 20190107085656.22521-1-joonas.lahtinen@linux.intel.com (mailing list archive) |
---|---|
State | New, archived |
Series | [1/2] drm/i915: Prevent a race during I915_GEM_MMAP ioctl with WC set |
Quoting Joonas Lahtinen (2019-01-07 08:56:55) > Make sure the underlying VMA in the process address space is the > same as it was during vm_mmap to avoid applying WC to wrong VMA. > > A more long-term solution would be to have vm_mmap_locked variant > in linux/mmap.h for when caller wants to hold mmap_sem for an > extended duration. > > Fixes: 1816f9236303 ("drm/i915: Support creation of unbound wc user mappings for objects") > Reported-by: Adam Zabrocki <adamza@microsoft.com> > Suggested-by: Linus Torvalds <torvalds@linux-foundation.org> > Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com> > Cc: <stable@vger.kernel.org> # v4.0+ > Cc: Akash Goel <akash.goel@intel.com> > Cc: Chris Wilson <chris@chris-wilson.co.uk> > Cc: Tvrtko Ursulin <tvrtko.ursulin@linux.intel.com> > Cc: Adam Zabrocki <adamza@microsoft.com> > --- > drivers/gpu/drm/i915/i915_gem.c | 11 ++++++++++- > 1 file changed, 10 insertions(+), 1 deletion(-) > > diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c > index 062c8395557c..f1d594a53978 100644 > --- a/drivers/gpu/drm/i915/i915_gem.c > +++ b/drivers/gpu/drm/i915/i915_gem.c > @@ -1680,6 +1680,15 @@ i915_gem_sw_finish_ioctl(struct drm_device *dev, void *data, > return 0; > } > > +static inline bool > +match_gem_vma(struct vm_area_struct *vma, struct file *filp, > + unsigned long addr, unsigned long size) With the exception of there isn't anything gem specific here, > +{ > + return vma && vma->vm_file == filp && > + vma->vm_start == addr && > + (vma->vm_end - vma->vm_start) == size; and we can break this up into separate ifs with a forgiving compiler, Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk> I still couldn't see an easy way of passing pgprot bits into do_mmap to avoid the race entirely. -Chris
On 07/01/2019 08:56, Joonas Lahtinen wrote: > Make sure the underlying VMA in the process address space is the > same as it was during vm_mmap to avoid applying WC to wrong VMA. > > A more long-term solution would be to have vm_mmap_locked variant > in linux/mmap.h for when caller wants to hold mmap_sem for an > extended duration. > > Fixes: 1816f9236303 ("drm/i915: Support creation of unbound wc user mappings for objects") > Reported-by: Adam Zabrocki <adamza@microsoft.com> > Suggested-by: Linus Torvalds <torvalds@linux-foundation.org> > Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com> > Cc: <stable@vger.kernel.org> # v4.0+ > Cc: Akash Goel <akash.goel@intel.com> > Cc: Chris Wilson <chris@chris-wilson.co.uk> > Cc: Tvrtko Ursulin <tvrtko.ursulin@linux.intel.com> > Cc: Adam Zabrocki <adamza@microsoft.com> > --- > drivers/gpu/drm/i915/i915_gem.c | 11 ++++++++++- > 1 file changed, 10 insertions(+), 1 deletion(-) > > diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c > index 062c8395557c..f1d594a53978 100644 > --- a/drivers/gpu/drm/i915/i915_gem.c > +++ b/drivers/gpu/drm/i915/i915_gem.c > @@ -1680,6 +1680,15 @@ i915_gem_sw_finish_ioctl(struct drm_device *dev, void *data, > return 0; > } > > +static inline bool > +match_gem_vma(struct vm_area_struct *vma, struct file *filp, > + unsigned long addr, unsigned long size) > +{ > + return vma && vma->vm_file == filp && > + vma->vm_start == addr && > + (vma->vm_end - vma->vm_start) == size; > +} > + > /** > * i915_gem_mmap_ioctl - Maps the contents of an object, returning the address > * it is mapped to. > @@ -1738,7 +1747,7 @@ i915_gem_mmap_ioctl(struct drm_device *dev, void *data, > return -EINTR; > } > vma = find_vma(mm, addr); > - if (vma) > + if (match_gem_vma(vma, obj->base.filp, addr, args->size)) > vma->vm_page_prot = > pgprot_writecombine(vm_get_page_prot(vma->vm_flags)); > else > Reviewed-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com> Regards, Tvrtko
Quoting Patchwork (2019-01-07 10:44:01)
> ### IGT changes ###
>
> #### Possible regressions ####
>
>   * igt@gem_userptr_blits@readonly-unsync:
>     - shard-apl: PASS -> TIMEOUT
>
>   * igt@kms_draw_crc@draw-method-rgb565-mmap-wc-untiled:
>     - shard-apl: PASS -> FAIL
>     - shard-glk: PASS -> FAIL
>     - shard-kbl: PASS -> FAIL

igt_fb doesn't compute a page aligned size, and igt_draw ends up making
a mmap request not rounding up to the page boundary.

I wonder if that hasn't been causing a few flip-flips...
-Chris
Quoting Joonas Lahtinen (2019-01-07 10:56:55) > Make sure the underlying VMA in the process address space is the > same as it was during vm_mmap to avoid applying WC to wrong VMA. > > A more long-term solution would be to have vm_mmap_locked variant > in linux/mmap.h for when caller wants to hold mmap_sem for an > extended duration. These are now merged to drm-tip, and will head to 5.1 and then to stable kernels. Thanks for the report and reviews! Regards, Joonas > Fixes: 1816f9236303 ("drm/i915: Support creation of unbound wc user mappings for objects") > Reported-by: Adam Zabrocki <adamza@microsoft.com> > Suggested-by: Linus Torvalds <torvalds@linux-foundation.org> > Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com> > Cc: <stable@vger.kernel.org> # v4.0+ > Cc: Akash Goel <akash.goel@intel.com> > Cc: Chris Wilson <chris@chris-wilson.co.uk> > Cc: Tvrtko Ursulin <tvrtko.ursulin@linux.intel.com> > Cc: Adam Zabrocki <adamza@microsoft.com> > --- > drivers/gpu/drm/i915/i915_gem.c | 11 ++++++++++- > 1 file changed, 10 insertions(+), 1 deletion(-) > > diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c > index 062c8395557c..f1d594a53978 100644 > --- a/drivers/gpu/drm/i915/i915_gem.c > +++ b/drivers/gpu/drm/i915/i915_gem.c > @@ -1680,6 +1680,15 @@ i915_gem_sw_finish_ioctl(struct drm_device *dev, void *data, > return 0; > } > > +static inline bool > +match_gem_vma(struct vm_area_struct *vma, struct file *filp, > + unsigned long addr, unsigned long size) > +{ > + return vma && vma->vm_file == filp && > + vma->vm_start == addr && > + (vma->vm_end - vma->vm_start) == size; > +} > + > /** > * i915_gem_mmap_ioctl - Maps the contents of an object, returning the address > * it is mapped to. 
> @@ -1738,7 +1747,7 @@ i915_gem_mmap_ioctl(struct drm_device *dev, void *data, > return -EINTR; > } > vma = find_vma(mm, addr); > - if (vma) > + if (match_gem_vma(vma, obj->base.filp, addr, args->size)) > vma->vm_page_prot = > pgprot_writecombine(vm_get_page_prot(vma->vm_flags)); > else > -- > 2.17.2 >
Thanks for the patch for both issues! Best regards, Adam -----Original Message----- From: Joonas Lahtinen <joonas.lahtinen@linux.intel.com> Sent: Thursday, February 7, 2019 5:39 AM To: Intel graphics driver community testing & development <intel-gfx@lists.freedesktop.org> Cc: stable@vger.kernel.org; Akash Goel <akash.goel@intel.com>; Chris Wilson <chris@chris-wilson.co.uk>; Tvrtko Ursulin <tvrtko.ursulin@linux.intel.com>; Adam Zabrocki <adamza@microsoft.com> Subject: Re: [PATCH 1/2] drm/i915: Prevent a race during I915_GEM_MMAP ioctl with WC set Quoting Joonas Lahtinen (2019-01-07 10:56:55) > Make sure the underlying VMA in the process address space is the same > as it was during vm_mmap to avoid applying WC to wrong VMA. > > A more long-term solution would be to have vm_mmap_locked variant in > linux/mmap.h for when caller wants to hold mmap_sem for an extended > duration. These are now merged to drm-tip, and will head to 5.1 and then to stable kernels. Thanks for the report and reviews! Regards, Joonas > Fixes: 1816f9236303 ("drm/i915: Support creation of unbound wc user > mappings for objects") > Reported-by: Adam Zabrocki <adamza@microsoft.com> > Suggested-by: Linus Torvalds <torvalds@linux-foundation.org> > Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com> > Cc: <stable@vger.kernel.org> # v4.0+ > Cc: Akash Goel <akash.goel@intel.com> > Cc: Chris Wilson <chris@chris-wilson.co.uk> > Cc: Tvrtko Ursulin <tvrtko.ursulin@linux.intel.com> > Cc: Adam Zabrocki <adamza@microsoft.com> > --- > drivers/gpu/drm/i915/i915_gem.c | 11 ++++++++++- > 1 file changed, 10 insertions(+), 1 deletion(-) > > diff --git a/drivers/gpu/drm/i915/i915_gem.c > b/drivers/gpu/drm/i915/i915_gem.c index 062c8395557c..f1d594a53978 > 100644 > --- a/drivers/gpu/drm/i915/i915_gem.c > +++ b/drivers/gpu/drm/i915/i915_gem.c 
> @@ -1680,6 +1680,15 @@ i915_gem_sw_finish_ioctl(struct drm_device *dev, void *data, > return 0; > } > > +static inline bool > +match_gem_vma(struct vm_area_struct *vma, struct file *filp, > + unsigned long addr, unsigned long size) { > + return vma && vma->vm_file == filp && > + vma->vm_start == addr && > + (vma->vm_end - vma->vm_start) == size; } > + > /** > * i915_gem_mmap_ioctl - Maps the contents of an object, returning the address > * it is mapped to. > @@ -1738,7 +1747,7 @@ i915_gem_mmap_ioctl(struct drm_device *dev, void *data, > return -EINTR; > } > vma = find_vma(mm, addr); > - if (vma) > + if (match_gem_vma(vma, obj->base.filp, addr, > + args->size)) > vma->vm_page_prot = > pgprot_writecombine(vm_get_page_prot(vma->vm_flags)); > else > -- > 2.17.2 >
diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c index 062c8395557c..f1d594a53978 100644 --- a/drivers/gpu/drm/i915/i915_gem.c +++ b/drivers/gpu/drm/i915/i915_gem.c @@ -1680,6 +1680,15 @@ i915_gem_sw_finish_ioctl(struct drm_device *dev, void *data, return 0; } +static inline bool +match_gem_vma(struct vm_area_struct *vma, struct file *filp, + unsigned long addr, unsigned long size) +{ + return vma && vma->vm_file == filp && + vma->vm_start == addr && + (vma->vm_end - vma->vm_start) == size; +} + /** * i915_gem_mmap_ioctl - Maps the contents of an object, returning the address * it is mapped to. @@ -1738,7 +1747,7 @@ i915_gem_mmap_ioctl(struct drm_device *dev, void *data, return -EINTR; } vma = find_vma(mm, addr); - if (vma) + if (match_gem_vma(vma, obj->base.filp, addr, args->size)) vma->vm_page_prot = pgprot_writecombine(vm_get_page_prot(vma->vm_flags)); else
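Review bot: In match_gem_vma(), the test (vma->vm_end - vma->vm_start) == size compares a page-granular VMA length against the caller's size as given, so a request whose size is not a multiple of the page size can never match, even when the VMA found is the one vm_mmap just created. Round size up to the page boundary before comparing, for example with PAGE_ALIGN(size). The helper also contains nothing GEM-specific, so a neutral name and a one-line comment saying that it guards against the VMA at addr having been replaced since vm_mmap would make its purpose clear.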
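Review bot: The new condition in i915_gem_mmap_ioctl() carries no comment explaining why a non-NULL result from find_vma(mm, addr) is not sufficient. find_vma() returns the first VMA that ends above addr, which need not start at addr or be backed by obj->base.filp if the address space changed after vm_mmap returned; a short comment to that effect above the if would keep a later cleanup from reducing it back to if (vma). The body of the else branch is cut off in this hunk, so also check that a failed match is reported to the caller as an error rather than returning a mapping without WC applied.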
Make sure the underlying VMA in the process address space is the
same as it was during vm_mmap to avoid applying WC to wrong VMA.

A more long-term solution would be to have vm_mmap_locked variant
in linux/mmap.h for when caller wants to hold mmap_sem for an
extended duration.

Fixes: 1816f9236303 ("drm/i915: Support creation of unbound wc user mappings for objects")
Reported-by: Adam Zabrocki <adamza@microsoft.com>
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
Cc: <stable@vger.kernel.org> # v4.0+
Cc: Akash Goel <akash.goel@intel.com>
Cc: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Tvrtko Ursulin <tvrtko.ursulin@linux.intel.com>
Cc: Adam Zabrocki <adamza@microsoft.com>
---
 drivers/gpu/drm/i915/i915_gem.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)