Message ID | 20201104165030.2005167-1-daniel.vetter@ffwll.ch (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Series | drm/ttm: don't set page->mapping | expand |
Am 04.11.20 um 17:50 schrieb Daniel Vetter: > Random observation while trying to review Christian's patch series to > stop looking at struct page for dma-buf imports. > > This was originally added in > > commit 58aa6622d32af7d2c08d45085f44c54554a16ed7 > Author: Thomas Hellstrom <thellstrom@vmware.com> > Date: Fri Jan 3 11:47:23 2014 +0100 > > drm/ttm: Correctly set page mapping and -index members > > Needed for some vm operations; most notably unmap_mapping_range() with > even_cows = 0. > > Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com> > Reviewed-by: Brian Paul <brianp@vmware.com> > > but we do not have a single caller of unmap_mapping_range with > even_cows == 0. And all the gem drivers don't do this, so another > small thing we could standardize between drm and ttm drivers. > > Plus I don't really see a need for unamp_mapping_range where we don't > want to indiscriminately shoot down all ptes. NAK, we use this to determine if a pages belongs to the driver or not in amdgpu for example. Mostly used for debugging, but I would really like to keep that. Christian. > > Cc: Thomas Hellstrom <thellstrom@vmware.com> > Cc: Brian Paul <brianp@vmware.com> > Signed-off-by: Daniel Vetter <daniel.vetter@intel.com> > Cc: Christian Koenig <christian.koenig@amd.com> > Cc: Huang Rui <ray.huang@amd.com> > --- > drivers/gpu/drm/ttm/ttm_tt.c | 12 ------------ > 1 file changed, 12 deletions(-) > > diff --git a/drivers/gpu/drm/ttm/ttm_tt.c b/drivers/gpu/drm/ttm/ttm_tt.c > index 8861a74ac335..438ea43fd8c1 100644 > --- a/drivers/gpu/drm/ttm/ttm_tt.c > +++ b/drivers/gpu/drm/ttm/ttm_tt.c > @@ -291,17 +291,6 @@ int ttm_tt_swapout(struct ttm_bo_device *bdev, struct ttm_tt *ttm) > return ret; > } > > -static void ttm_tt_add_mapping(struct ttm_bo_device *bdev, struct ttm_tt *ttm) > -{ > - pgoff_t i; > - > - if (ttm->page_flags & TTM_PAGE_FLAG_SG) > - return; > - > - for (i = 0; i < ttm->num_pages; ++i) > - ttm->pages[i]->mapping = bdev->dev_mapping; > -} > - > int ttm_tt_populate(struct ttm_bo_device *bdev, > struct ttm_tt *ttm, struct ttm_operation_ctx *ctx) > { > @@ -320,7 +309,6 @@ int ttm_tt_populate(struct ttm_bo_device *bdev, > if (ret) > return ret; > > - ttm_tt_add_mapping(bdev, ttm); > ttm->page_flags |= TTM_PAGE_FLAG_PRIV_POPULATED; > if (unlikely(ttm->page_flags & TTM_PAGE_FLAG_SWAPPED)) { > ret = ttm_tt_swapin(ttm);
On Thu, Nov 5, 2020 at 9:00 AM Christian König <christian.koenig@amd.com> wrote: > > Am 04.11.20 um 17:50 schrieb Daniel Vetter: > > Random observation while trying to review Christian's patch series to > > stop looking at struct page for dma-buf imports. > > > > This was originally added in > > > > commit 58aa6622d32af7d2c08d45085f44c54554a16ed7 > > Author: Thomas Hellstrom <thellstrom@vmware.com> > > Date: Fri Jan 3 11:47:23 2014 +0100 > > > > drm/ttm: Correctly set page mapping and -index members > > > > Needed for some vm operations; most notably unmap_mapping_range() with > > even_cows = 0. > > > > Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com> > > Reviewed-by: Brian Paul <brianp@vmware.com> > > > > but we do not have a single caller of unmap_mapping_range with > > even_cows == 0. And all the gem drivers don't do this, so another > > small thing we could standardize between drm and ttm drivers. > > > > Plus I don't really see a need for unamp_mapping_range where we don't > > want to indiscriminately shoot down all ptes. > > NAK, we use this to determine if a pages belongs to the driver or not in > amdgpu for example. > > Mostly used for debugging, but I would really like to keep that. Can you pls point me at that code? A quick grep hasn't really found much at all. -Daniel > > Christian. > > > > > Cc: Thomas Hellstrom <thellstrom@vmware.com> > > Cc: Brian Paul <brianp@vmware.com> > > Signed-off-by: Daniel Vetter <daniel.vetter@intel.com> > > Cc: Christian Koenig <christian.koenig@amd.com> > > Cc: Huang Rui <ray.huang@amd.com> > > --- > > drivers/gpu/drm/ttm/ttm_tt.c | 12 ------------ > > 1 file changed, 12 deletions(-) > > > > diff --git a/drivers/gpu/drm/ttm/ttm_tt.c b/drivers/gpu/drm/ttm/ttm_tt.c > > index 8861a74ac335..438ea43fd8c1 100644 > > --- a/drivers/gpu/drm/ttm/ttm_tt.c > > +++ b/drivers/gpu/drm/ttm/ttm_tt.c > > @@ -291,17 +291,6 @@ int ttm_tt_swapout(struct ttm_bo_device *bdev, struct ttm_tt *ttm) > > return ret; > > } > > > > -static void ttm_tt_add_mapping(struct ttm_bo_device *bdev, struct ttm_tt *ttm) > > -{ > > - pgoff_t i; > > - > > - if (ttm->page_flags & TTM_PAGE_FLAG_SG) > > - return; > > - > > - for (i = 0; i < ttm->num_pages; ++i) > > - ttm->pages[i]->mapping = bdev->dev_mapping; > > -} > > - > > int ttm_tt_populate(struct ttm_bo_device *bdev, > > struct ttm_tt *ttm, struct ttm_operation_ctx *ctx) > > { > > @@ -320,7 +309,6 @@ int ttm_tt_populate(struct ttm_bo_device *bdev, > > if (ret) > > return ret; > > > > - ttm_tt_add_mapping(bdev, ttm); > > ttm->page_flags |= TTM_PAGE_FLAG_PRIV_POPULATED; > > if (unlikely(ttm->page_flags & TTM_PAGE_FLAG_SWAPPED)) { > > ret = ttm_tt_swapin(ttm); >
Am 05.11.20 um 10:11 schrieb Daniel Vetter: > On Thu, Nov 5, 2020 at 9:00 AM Christian König <christian.koenig@amd.com> wrote: >> Am 04.11.20 um 17:50 schrieb Daniel Vetter: >>> Random observation while trying to review Christian's patch series to >>> stop looking at struct page for dma-buf imports. >>> >>> This was originally added in >>> >>> commit 58aa6622d32af7d2c08d45085f44c54554a16ed7 >>> Author: Thomas Hellstrom <thellstrom@vmware.com> >>> Date: Fri Jan 3 11:47:23 2014 +0100 >>> >>> drm/ttm: Correctly set page mapping and -index members >>> >>> Needed for some vm operations; most notably unmap_mapping_range() with >>> even_cows = 0. >>> >>> Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com> >>> Reviewed-by: Brian Paul <brianp@vmware.com> >>> >>> but we do not have a single caller of unmap_mapping_range with >>> even_cows == 0. And all the gem drivers don't do this, so another >>> small thing we could standardize between drm and ttm drivers. >>> >>> Plus I don't really see a need for unamp_mapping_range where we don't >>> want to indiscriminately shoot down all ptes. >> NAK, we use this to determine if a pages belongs to the driver or not in >> amdgpu for example. >> >> Mostly used for debugging, but I would really like to keep that. > Can you pls point me at that code? A quick grep hasn't really found much at all. See amdgpu_iomem_read() for an example: > if (p->mapping != adev->mman.bdev.dev_mapping) > return -EPERM; Christian. > -Daniel > >> Christian. >> >>> Cc: Thomas Hellstrom <thellstrom@vmware.com> >>> Cc: Brian Paul <brianp@vmware.com> >>> Signed-off-by: Daniel Vetter <daniel.vetter@intel.com> >>> Cc: Christian Koenig <christian.koenig@amd.com> >>> Cc: Huang Rui <ray.huang@amd.com> >>> --- >>> drivers/gpu/drm/ttm/ttm_tt.c | 12 ------------ >>> 1 file changed, 12 deletions(-) >>> >>> diff --git a/drivers/gpu/drm/ttm/ttm_tt.c b/drivers/gpu/drm/ttm/ttm_tt.c >>> index 8861a74ac335..438ea43fd8c1 100644 >>> --- a/drivers/gpu/drm/ttm/ttm_tt.c >>> +++ b/drivers/gpu/drm/ttm/ttm_tt.c >>> @@ -291,17 +291,6 @@ int ttm_tt_swapout(struct ttm_bo_device *bdev, struct ttm_tt *ttm) >>> return ret; >>> } >>> >>> -static void ttm_tt_add_mapping(struct ttm_bo_device *bdev, struct ttm_tt *ttm) >>> -{ >>> - pgoff_t i; >>> - >>> - if (ttm->page_flags & TTM_PAGE_FLAG_SG) >>> - return; >>> - >>> - for (i = 0; i < ttm->num_pages; ++i) >>> - ttm->pages[i]->mapping = bdev->dev_mapping; >>> -} >>> - >>> int ttm_tt_populate(struct ttm_bo_device *bdev, >>> struct ttm_tt *ttm, struct ttm_operation_ctx *ctx) >>> { >>> @@ -320,7 +309,6 @@ int ttm_tt_populate(struct ttm_bo_device *bdev, >>> if (ret) >>> return ret; >>> >>> - ttm_tt_add_mapping(bdev, ttm); >>> ttm->page_flags |= TTM_PAGE_FLAG_PRIV_POPULATED; >>> if (unlikely(ttm->page_flags & TTM_PAGE_FLAG_SWAPPED)) { >>> ret = ttm_tt_swapin(ttm); >
On Thu, Nov 05, 2020 at 01:29:50PM +0100, Christian König wrote: > Am 05.11.20 um 10:11 schrieb Daniel Vetter: > > On Thu, Nov 5, 2020 at 9:00 AM Christian König <christian.koenig@amd.com> wrote: > > > Am 04.11.20 um 17:50 schrieb Daniel Vetter: > > > > Random observation while trying to review Christian's patch series to > > > > stop looking at struct page for dma-buf imports. > > > > > > > > This was originally added in > > > > > > > > commit 58aa6622d32af7d2c08d45085f44c54554a16ed7 > > > > Author: Thomas Hellstrom <thellstrom@vmware.com> > > > > Date: Fri Jan 3 11:47:23 2014 +0100 > > > > > > > > drm/ttm: Correctly set page mapping and -index members > > > > > > > > Needed for some vm operations; most notably unmap_mapping_range() with > > > > even_cows = 0. > > > > > > > > Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com> > > > > Reviewed-by: Brian Paul <brianp@vmware.com> > > > > > > > > but we do not have a single caller of unmap_mapping_range with > > > > even_cows == 0. And all the gem drivers don't do this, so another > > > > small thing we could standardize between drm and ttm drivers. > > > > > > > > Plus I don't really see a need for unamp_mapping_range where we don't > > > > want to indiscriminately shoot down all ptes. > > > NAK, we use this to determine if a pages belongs to the driver or not in > > > amdgpu for example. > > > > > > Mostly used for debugging, but I would really like to keep that. > > Can you pls point me at that code? A quick grep hasn't really found much at all. > > See amdgpu_iomem_read() for an example: Why do you reject this? If this is to avoid issues with userptr, then I think there's a simple trick: - grab page reference - recheck that the iova still points at the same address - do read/write, safe in the knowledge that this page cannot be reused for anything else - drop page reference Of course this can still race against iova updates, but that seems to be a fundamental part of your debug interface here. Or am I missing something? Just pondering this more since setting the page->mapping pointer for just this seems somewhat wild abuse of ->mapping semantics :-) -Daniel > > > if (p->mapping != adev->mman.bdev.dev_mapping) > > return -EPERM; > > Christian. > > > -Daniel > > > > > Christian. > > > > > > > Cc: Thomas Hellstrom <thellstrom@vmware.com> > > > > Cc: Brian Paul <brianp@vmware.com> > > > > Signed-off-by: Daniel Vetter <daniel.vetter@intel.com> > > > > Cc: Christian Koenig <christian.koenig@amd.com> > > > > Cc: Huang Rui <ray.huang@amd.com> > > > > --- > > > > drivers/gpu/drm/ttm/ttm_tt.c | 12 ------------ > > > > 1 file changed, 12 deletions(-) > > > > > > > > diff --git a/drivers/gpu/drm/ttm/ttm_tt.c b/drivers/gpu/drm/ttm/ttm_tt.c > > > > index 8861a74ac335..438ea43fd8c1 100644 > > > > --- a/drivers/gpu/drm/ttm/ttm_tt.c > > > > +++ b/drivers/gpu/drm/ttm/ttm_tt.c > > > > @@ -291,17 +291,6 @@ int ttm_tt_swapout(struct ttm_bo_device *bdev, struct ttm_tt *ttm) > > > > return ret; > > > > } > > > > > > > > -static void ttm_tt_add_mapping(struct ttm_bo_device *bdev, struct ttm_tt *ttm) > > > > -{ > > > > - pgoff_t i; > > > > - > > > > - if (ttm->page_flags & TTM_PAGE_FLAG_SG) > > > > - return; > > > > - > > > > - for (i = 0; i < ttm->num_pages; ++i) > > > > - ttm->pages[i]->mapping = bdev->dev_mapping; > > > > -} > > > > - > > > > int ttm_tt_populate(struct ttm_bo_device *bdev, > > > > struct ttm_tt *ttm, struct ttm_operation_ctx *ctx) > > > > { > > > > @@ -320,7 +309,6 @@ int ttm_tt_populate(struct ttm_bo_device *bdev, > > > > if (ret) > > > > return ret; > > > > > > > > - ttm_tt_add_mapping(bdev, ttm); > > > > ttm->page_flags |= TTM_PAGE_FLAG_PRIV_POPULATED; > > > > if (unlikely(ttm->page_flags & TTM_PAGE_FLAG_SWAPPED)) { > > > > ret = ttm_tt_swapin(ttm); > > >
Am 05.11.20 um 13:50 schrieb Daniel Vetter: > On Thu, Nov 05, 2020 at 01:29:50PM +0100, Christian König wrote: >> Am 05.11.20 um 10:11 schrieb Daniel Vetter: >>> On Thu, Nov 5, 2020 at 9:00 AM Christian König <christian.koenig@amd.com> wrote: >>>> Am 04.11.20 um 17:50 schrieb Daniel Vetter: >>>>> Random observation while trying to review Christian's patch series to >>>>> stop looking at struct page for dma-buf imports. >>>>> >>>>> This was originally added in >>>>> >>>>> commit 58aa6622d32af7d2c08d45085f44c54554a16ed7 >>>>> Author: Thomas Hellstrom <thellstrom@vmware.com> >>>>> Date: Fri Jan 3 11:47:23 2014 +0100 >>>>> >>>>> drm/ttm: Correctly set page mapping and -index members >>>>> >>>>> Needed for some vm operations; most notably unmap_mapping_range() with >>>>> even_cows = 0. >>>>> >>>>> Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com> >>>>> Reviewed-by: Brian Paul <brianp@vmware.com> >>>>> >>>>> but we do not have a single caller of unmap_mapping_range with >>>>> even_cows == 0. And all the gem drivers don't do this, so another >>>>> small thing we could standardize between drm and ttm drivers. >>>>> >>>>> Plus I don't really see a need for unamp_mapping_range where we don't >>>>> want to indiscriminately shoot down all ptes. >>>> NAK, we use this to determine if a pages belongs to the driver or not in >>>> amdgpu for example. >>>> >>>> Mostly used for debugging, but I would really like to keep that. >>> Can you pls point me at that code? A quick grep hasn't really found much at all. >> See amdgpu_iomem_read() for an example: > Why do you reject this? When IOMMU is disabled or uses an 1 to 1 mapping we would otherwise give the same access as /dev/mem to system memory and that is forbidden. But as I noted this is just for the debugfs file. When I tried a few years ago to not set the page->mapping I immediately ran into issues with our eviction test. So I think that this is used elsewhere as well. Regards, Christian. > > If this is to avoid issues with userptr, then I think there's a simple > trick: > - grab page reference > - recheck that the iova still points at the same address > - do read/write, safe in the knowledge that this page cannot be reused for > anything else > - drop page reference > > Of course this can still race against iova updates, but that seems to be a > fundamental part of your debug interface here. > > Or am I missing something? > > Just pondering this more since setting the page->mapping pointer for just > this seems somewhat wild abuse of ->mapping semantics :-) > -Daniel > >>> if (p->mapping != adev->mman.bdev.dev_mapping) >>> return -EPERM; >> Christian. >> >>> -Daniel >>> >>>> Christian. >>>> >>>>> Cc: Thomas Hellstrom <thellstrom@vmware.com> >>>>> Cc: Brian Paul <brianp@vmware.com> >>>>> Signed-off-by: Daniel Vetter <daniel.vetter@intel.com> >>>>> Cc: Christian Koenig <christian.koenig@amd.com> >>>>> Cc: Huang Rui <ray.huang@amd.com> >>>>> --- >>>>> drivers/gpu/drm/ttm/ttm_tt.c | 12 ------------ >>>>> 1 file changed, 12 deletions(-) >>>>> >>>>> diff --git a/drivers/gpu/drm/ttm/ttm_tt.c b/drivers/gpu/drm/ttm/ttm_tt.c >>>>> index 8861a74ac335..438ea43fd8c1 100644 >>>>> --- a/drivers/gpu/drm/ttm/ttm_tt.c >>>>> +++ b/drivers/gpu/drm/ttm/ttm_tt.c >>>>> @@ -291,17 +291,6 @@ int ttm_tt_swapout(struct ttm_bo_device *bdev, struct ttm_tt *ttm) >>>>> return ret; >>>>> } >>>>> >>>>> -static void ttm_tt_add_mapping(struct ttm_bo_device *bdev, struct ttm_tt *ttm) >>>>> -{ >>>>> - pgoff_t i; >>>>> - >>>>> - if (ttm->page_flags & TTM_PAGE_FLAG_SG) >>>>> - return; >>>>> - >>>>> - for (i = 0; i < ttm->num_pages; ++i) >>>>> - ttm->pages[i]->mapping = bdev->dev_mapping; >>>>> -} >>>>> - >>>>> int ttm_tt_populate(struct ttm_bo_device *bdev, >>>>> struct ttm_tt *ttm, struct ttm_operation_ctx *ctx) >>>>> { >>>>> @@ -320,7 +309,6 @@ int ttm_tt_populate(struct ttm_bo_device *bdev, >>>>> if (ret) >>>>> return ret; >>>>> >>>>> - ttm_tt_add_mapping(bdev, ttm); >>>>> ttm->page_flags |= TTM_PAGE_FLAG_PRIV_POPULATED; >>>>> if (unlikely(ttm->page_flags & TTM_PAGE_FLAG_SWAPPED)) { >>>>> ret = ttm_tt_swapin(ttm);
On Thu, Nov 05, 2020 at 01:56:22PM +0100, Christian König wrote: > Am 05.11.20 um 13:50 schrieb Daniel Vetter: > > On Thu, Nov 05, 2020 at 01:29:50PM +0100, Christian König wrote: > > > Am 05.11.20 um 10:11 schrieb Daniel Vetter: > > > > On Thu, Nov 5, 2020 at 9:00 AM Christian König <christian.koenig@amd.com> wrote: > > > > > Am 04.11.20 um 17:50 schrieb Daniel Vetter: > > > > > > Random observation while trying to review Christian's patch series to > > > > > > stop looking at struct page for dma-buf imports. > > > > > > > > > > > > This was originally added in > > > > > > > > > > > > commit 58aa6622d32af7d2c08d45085f44c54554a16ed7 > > > > > > Author: Thomas Hellstrom <thellstrom@vmware.com> > > > > > > Date: Fri Jan 3 11:47:23 2014 +0100 > > > > > > > > > > > > drm/ttm: Correctly set page mapping and -index members > > > > > > > > > > > > Needed for some vm operations; most notably unmap_mapping_range() with > > > > > > even_cows = 0. > > > > > > > > > > > > Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com> > > > > > > Reviewed-by: Brian Paul <brianp@vmware.com> > > > > > > > > > > > > but we do not have a single caller of unmap_mapping_range with > > > > > > even_cows == 0. And all the gem drivers don't do this, so another > > > > > > small thing we could standardize between drm and ttm drivers. > > > > > > > > > > > > Plus I don't really see a need for unamp_mapping_range where we don't > > > > > > want to indiscriminately shoot down all ptes. > > > > > NAK, we use this to determine if a pages belongs to the driver or not in > > > > > amdgpu for example. > > > > > > > > > > Mostly used for debugging, but I would really like to keep that. > > > > Can you pls point me at that code? A quick grep hasn't really found much at all. > > > See amdgpu_iomem_read() for an example: > > Why do you reject this? > > When IOMMU is disabled or uses an 1 to 1 mapping we would otherwise give the > same access as /dev/mem to system memory and that is forbidden. But as I > noted this is just for the debugfs file. Ah, there's a config option for that. Plus it's debugfs, anything goes in debugfs, but if you're worried about that hole we should just disable the entire debugfs file for CONFIG_STRICT_DEVMEM. I can perhaps throw that on top, that follow_pfn patch series I'm baking is all about this kind of fun. > When I tried a few years ago to not set the page->mapping I immediately ran > into issues with our eviction test. So I think that this is used elsewhere > as well. That's the kind of interaction I'm worried about here tbh. If this does some kind of shrinking of some sorts, I think a real shrinker should take over. An improved grep shows nothing else, so the only the above is the only thing I can think of. What kind of eviction test goes boom if you clear ->mapping here? I'd be happy to type up the clever trick for the debugfs files. -Daniel > > Regards, > Christian. > > > > > If this is to avoid issues with userptr, then I think there's a simple > > trick: > > - grab page reference > > - recheck that the iova still points at the same address > > - do read/write, safe in the knowledge that this page cannot be reused for > > anything else > > - drop page reference > > > > Of course this can still race against iova updates, but that seems to be a > > fundamental part of your debug interface here. > > > > Or am I missing something? > > > > Just pondering this more since setting the page->mapping pointer for just > > this seems somewhat wild abuse of ->mapping semantics :-) > > -Daniel > > > > > > if (p->mapping != adev->mman.bdev.dev_mapping) > > > > return -EPERM; > > > Christian. > > > > > > > -Daniel > > > > > > > > > Christian. > > > > > > > > > > > Cc: Thomas Hellstrom <thellstrom@vmware.com> > > > > > > Cc: Brian Paul <brianp@vmware.com> > > > > > > Signed-off-by: Daniel Vetter <daniel.vetter@intel.com> > > > > > > Cc: Christian Koenig <christian.koenig@amd.com> > > > > > > Cc: Huang Rui <ray.huang@amd.com> > > > > > > --- > > > > > > drivers/gpu/drm/ttm/ttm_tt.c | 12 ------------ > > > > > > 1 file changed, 12 deletions(-) > > > > > > > > > > > > diff --git a/drivers/gpu/drm/ttm/ttm_tt.c b/drivers/gpu/drm/ttm/ttm_tt.c > > > > > > index 8861a74ac335..438ea43fd8c1 100644 > > > > > > --- a/drivers/gpu/drm/ttm/ttm_tt.c > > > > > > +++ b/drivers/gpu/drm/ttm/ttm_tt.c > > > > > > @@ -291,17 +291,6 @@ int ttm_tt_swapout(struct ttm_bo_device *bdev, struct ttm_tt *ttm) > > > > > > return ret; > > > > > > } > > > > > > > > > > > > -static void ttm_tt_add_mapping(struct ttm_bo_device *bdev, struct ttm_tt *ttm) > > > > > > -{ > > > > > > - pgoff_t i; > > > > > > - > > > > > > - if (ttm->page_flags & TTM_PAGE_FLAG_SG) > > > > > > - return; > > > > > > - > > > > > > - for (i = 0; i < ttm->num_pages; ++i) > > > > > > - ttm->pages[i]->mapping = bdev->dev_mapping; > > > > > > -} > > > > > > - > > > > > > int ttm_tt_populate(struct ttm_bo_device *bdev, > > > > > > struct ttm_tt *ttm, struct ttm_operation_ctx *ctx) > > > > > > { > > > > > > @@ -320,7 +309,6 @@ int ttm_tt_populate(struct ttm_bo_device *bdev, > > > > > > if (ret) > > > > > > return ret; > > > > > > > > > > > > - ttm_tt_add_mapping(bdev, ttm); > > > > > > ttm->page_flags |= TTM_PAGE_FLAG_PRIV_POPULATED; > > > > > > if (unlikely(ttm->page_flags & TTM_PAGE_FLAG_SWAPPED)) { > > > > > > ret = ttm_tt_swapin(ttm); >
Am 05.11.20 um 14:20 schrieb Daniel Vetter: > On Thu, Nov 05, 2020 at 01:56:22PM +0100, Christian König wrote: >> Am 05.11.20 um 13:50 schrieb Daniel Vetter: >>> On Thu, Nov 05, 2020 at 01:29:50PM +0100, Christian König wrote: >>>> Am 05.11.20 um 10:11 schrieb Daniel Vetter: >>>>> On Thu, Nov 5, 2020 at 9:00 AM Christian König <christian.koenig@amd.com> wrote: >>>>>> Am 04.11.20 um 17:50 schrieb Daniel Vetter: >>>>>>> Random observation while trying to review Christian's patch series to >>>>>>> stop looking at struct page for dma-buf imports. >>>>>>> >>>>>>> This was originally added in >>>>>>> >>>>>>> commit 58aa6622d32af7d2c08d45085f44c54554a16ed7 >>>>>>> Author: Thomas Hellstrom <thellstrom@vmware.com> >>>>>>> Date: Fri Jan 3 11:47:23 2014 +0100 >>>>>>> >>>>>>> drm/ttm: Correctly set page mapping and -index members >>>>>>> >>>>>>> Needed for some vm operations; most notably unmap_mapping_range() with >>>>>>> even_cows = 0. >>>>>>> >>>>>>> Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com> >>>>>>> Reviewed-by: Brian Paul <brianp@vmware.com> >>>>>>> >>>>>>> but we do not have a single caller of unmap_mapping_range with >>>>>>> even_cows == 0. And all the gem drivers don't do this, so another >>>>>>> small thing we could standardize between drm and ttm drivers. >>>>>>> >>>>>>> Plus I don't really see a need for unamp_mapping_range where we don't >>>>>>> want to indiscriminately shoot down all ptes. >>>>>> NAK, we use this to determine if a pages belongs to the driver or not in >>>>>> amdgpu for example. >>>>>> >>>>>> Mostly used for debugging, but I would really like to keep that. >>>>> Can you pls point me at that code? A quick grep hasn't really found much at all. >>>> See amdgpu_iomem_read() for an example: >>> Why do you reject this? >> When IOMMU is disabled or uses an 1 to 1 mapping we would otherwise give the >> same access as /dev/mem to system memory and that is forbidden. But as I >> noted this is just for the debugfs file. > Ah, there's a config option for that. Plus it's debugfs, anything goes in > debugfs, but if you're worried about that hole we should just disable the > entire debugfs file for CONFIG_STRICT_DEVMEM. I can perhaps throw that on > top, that follow_pfn patch series I'm baking is all about this kind of > fun. And exactly that would get a NAK from us. We have specially created that debugfs file as an alternative when CONFIG_STRICT_DEVMEM is set. Regards, Christian. > >> When I tried a few years ago to not set the page->mapping I immediately ran >> into issues with our eviction test. So I think that this is used elsewhere >> as well. > That's the kind of interaction I'm worried about here tbh. If this does > some kind of shrinking of some sorts, I think a real shrinker should take > over. > > An improved grep shows nothing else, so the only the above is the only > thing I can think of. What kind of eviction test goes boom if you clear > ->mapping here? I'd be happy to type up the clever trick for the debugfs > files. > -Daniel > >> Regards, >> Christian. >> >>> If this is to avoid issues with userptr, then I think there's a simple >>> trick: >>> - grab page reference >>> - recheck that the iova still points at the same address >>> - do read/write, safe in the knowledge that this page cannot be reused for >>> anything else >>> - drop page reference >>> >>> Of course this can still race against iova updates, but that seems to be a >>> fundamental part of your debug interface here. >>> >>> Or am I missing something? >>> >>> Just pondering this more since setting the page->mapping pointer for just >>> this seems somewhat wild abuse of ->mapping semantics :-) >>> -Daniel >>> >>>>> if (p->mapping != adev->mman.bdev.dev_mapping) >>>>> return -EPERM; >>>> Christian. >>>> >>>>> -Daniel >>>>> >>>>>> Christian. >>>>>> >>>>>>> Cc: Thomas Hellstrom <thellstrom@vmware.com> >>>>>>> Cc: Brian Paul <brianp@vmware.com> >>>>>>> Signed-off-by: Daniel Vetter <daniel.vetter@intel.com> >>>>>>> Cc: Christian Koenig <christian.koenig@amd.com> >>>>>>> Cc: Huang Rui <ray.huang@amd.com> >>>>>>> --- >>>>>>> drivers/gpu/drm/ttm/ttm_tt.c | 12 ------------ >>>>>>> 1 file changed, 12 deletions(-) >>>>>>> >>>>>>> diff --git a/drivers/gpu/drm/ttm/ttm_tt.c b/drivers/gpu/drm/ttm/ttm_tt.c >>>>>>> index 8861a74ac335..438ea43fd8c1 100644 >>>>>>> --- a/drivers/gpu/drm/ttm/ttm_tt.c >>>>>>> +++ b/drivers/gpu/drm/ttm/ttm_tt.c >>>>>>> @@ -291,17 +291,6 @@ int ttm_tt_swapout(struct ttm_bo_device *bdev, struct ttm_tt *ttm) >>>>>>> return ret; >>>>>>> } >>>>>>> >>>>>>> -static void ttm_tt_add_mapping(struct ttm_bo_device *bdev, struct ttm_tt *ttm) >>>>>>> -{ >>>>>>> - pgoff_t i; >>>>>>> - >>>>>>> - if (ttm->page_flags & TTM_PAGE_FLAG_SG) >>>>>>> - return; >>>>>>> - >>>>>>> - for (i = 0; i < ttm->num_pages; ++i) >>>>>>> - ttm->pages[i]->mapping = bdev->dev_mapping; >>>>>>> -} >>>>>>> - >>>>>>> int ttm_tt_populate(struct ttm_bo_device *bdev, >>>>>>> struct ttm_tt *ttm, struct ttm_operation_ctx *ctx) >>>>>>> { >>>>>>> @@ -320,7 +309,6 @@ int ttm_tt_populate(struct ttm_bo_device *bdev, >>>>>>> if (ret) >>>>>>> return ret; >>>>>>> >>>>>>> - ttm_tt_add_mapping(bdev, ttm); >>>>>>> ttm->page_flags |= TTM_PAGE_FLAG_PRIV_POPULATED; >>>>>>> if (unlikely(ttm->page_flags & TTM_PAGE_FLAG_SWAPPED)) { >>>>>>> ret = ttm_tt_swapin(ttm);
On Thu, Nov 5, 2020 at 2:22 PM Christian König <christian.koenig@amd.com> wrote: > > Am 05.11.20 um 14:20 schrieb Daniel Vetter: > > On Thu, Nov 05, 2020 at 01:56:22PM +0100, Christian König wrote: > >> Am 05.11.20 um 13:50 schrieb Daniel Vetter: > >>> On Thu, Nov 05, 2020 at 01:29:50PM +0100, Christian König wrote: > >>>> Am 05.11.20 um 10:11 schrieb Daniel Vetter: > >>>>> On Thu, Nov 5, 2020 at 9:00 AM Christian König <christian.koenig@amd.com> wrote: > >>>>>> Am 04.11.20 um 17:50 schrieb Daniel Vetter: > >>>>>>> Random observation while trying to review Christian's patch series to > >>>>>>> stop looking at struct page for dma-buf imports. > >>>>>>> > >>>>>>> This was originally added in > >>>>>>> > >>>>>>> commit 58aa6622d32af7d2c08d45085f44c54554a16ed7 > >>>>>>> Author: Thomas Hellstrom <thellstrom@vmware.com> > >>>>>>> Date: Fri Jan 3 11:47:23 2014 +0100 > >>>>>>> > >>>>>>> drm/ttm: Correctly set page mapping and -index members > >>>>>>> > >>>>>>> Needed for some vm operations; most notably unmap_mapping_range() with > >>>>>>> even_cows = 0. > >>>>>>> > >>>>>>> Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com> > >>>>>>> Reviewed-by: Brian Paul <brianp@vmware.com> > >>>>>>> > >>>>>>> but we do not have a single caller of unmap_mapping_range with > >>>>>>> even_cows == 0. And all the gem drivers don't do this, so another > >>>>>>> small thing we could standardize between drm and ttm drivers. > >>>>>>> > >>>>>>> Plus I don't really see a need for unamp_mapping_range where we don't > >>>>>>> want to indiscriminately shoot down all ptes. > >>>>>> NAK, we use this to determine if a pages belongs to the driver or not in > >>>>>> amdgpu for example. > >>>>>> > >>>>>> Mostly used for debugging, but I would really like to keep that. > >>>>> Can you pls point me at that code? A quick grep hasn't really found much at all. > >>>> See amdgpu_iomem_read() for an example: > >>> Why do you reject this? > >> When IOMMU is disabled or uses an 1 to 1 mapping we would otherwise give the > >> same access as /dev/mem to system memory and that is forbidden. But as I > >> noted this is just for the debugfs file. > > Ah, there's a config option for that. Plus it's debugfs, anything goes in > > debugfs, but if you're worried about that hole we should just disable the > > entire debugfs file for CONFIG_STRICT_DEVMEM. I can perhaps throw that on > > top, that follow_pfn patch series I'm baking is all about this kind of > > fun. > > And exactly that would get a NAK from us. > > We have specially created that debugfs file as an alternative when > CONFIG_STRICT_DEVMEM is set. Uh that doesn't work if you work around core restrictions with your own debugfs paths. Maybe you can do fun like this in your dkms, but not in upstream. Like if this was specifically created to work around CONFIG_STRICT_DEVMEM (and it sounds like that) then I think this should never have landed in upstream to begin with. -Daniel > > Regards, > Christian. > > > > >> When I tried a few years ago to not set the page->mapping I immediately ran > >> into issues with our eviction test. So I think that this is used elsewhere > >> as well. > > That's the kind of interaction I'm worried about here tbh. If this does > > some kind of shrinking of some sorts, I think a real shrinker should take > > over. > > > > An improved grep shows nothing else, so the only the above is the only > > thing I can think of. What kind of eviction test goes boom if you clear > > ->mapping here? I'd be happy to type up the clever trick for the debugfs > > files. > > -Daniel > > > >> Regards, > >> Christian. > >> > >>> If this is to avoid issues with userptr, then I think there's a simple > >>> trick: > >>> - grab page reference > >>> - recheck that the iova still points at the same address > >>> - do read/write, safe in the knowledge that this page cannot be reused for > >>> anything else > >>> - drop page reference > >>> > >>> Of course this can still race against iova updates, but that seems to be a > >>> fundamental part of your debug interface here. > >>> > >>> Or am I missing something? > >>> > >>> Just pondering this more since setting the page->mapping pointer for just > >>> this seems somewhat wild abuse of ->mapping semantics :-) > >>> -Daniel > >>> > >>>>> if (p->mapping != adev->mman.bdev.dev_mapping) > >>>>> return -EPERM; > >>>> Christian. > >>>> > >>>>> -Daniel > >>>>> > >>>>>> Christian. > >>>>>> > >>>>>>> Cc: Thomas Hellstrom <thellstrom@vmware.com> > >>>>>>> Cc: Brian Paul <brianp@vmware.com> > >>>>>>> Signed-off-by: Daniel Vetter <daniel.vetter@intel.com> > >>>>>>> Cc: Christian Koenig <christian.koenig@amd.com> > >>>>>>> Cc: Huang Rui <ray.huang@amd.com> > >>>>>>> --- > >>>>>>> drivers/gpu/drm/ttm/ttm_tt.c | 12 ------------ > >>>>>>> 1 file changed, 12 deletions(-) > >>>>>>> > >>>>>>> diff --git a/drivers/gpu/drm/ttm/ttm_tt.c b/drivers/gpu/drm/ttm/ttm_tt.c > >>>>>>> index 8861a74ac335..438ea43fd8c1 100644 > >>>>>>> --- a/drivers/gpu/drm/ttm/ttm_tt.c > >>>>>>> +++ b/drivers/gpu/drm/ttm/ttm_tt.c > >>>>>>> @@ -291,17 +291,6 @@ int ttm_tt_swapout(struct ttm_bo_device *bdev, struct ttm_tt *ttm) > >>>>>>> return ret; > >>>>>>> } > >>>>>>> > >>>>>>> -static void ttm_tt_add_mapping(struct ttm_bo_device *bdev, struct ttm_tt *ttm) > >>>>>>> -{ > >>>>>>> - pgoff_t i; > >>>>>>> - > >>>>>>> - if (ttm->page_flags & TTM_PAGE_FLAG_SG) > >>>>>>> - return; > >>>>>>> - > >>>>>>> - for (i = 0; i < ttm->num_pages; ++i) > >>>>>>> - ttm->pages[i]->mapping = bdev->dev_mapping; > >>>>>>> -} > >>>>>>> - > >>>>>>> int ttm_tt_populate(struct ttm_bo_device *bdev, > >>>>>>> struct ttm_tt *ttm, struct ttm_operation_ctx *ctx) > >>>>>>> { > >>>>>>> @@ -320,7 +309,6 @@ int ttm_tt_populate(struct ttm_bo_device *bdev, > >>>>>>> if (ret) > >>>>>>> return ret; > >>>>>>> > >>>>>>> - ttm_tt_add_mapping(bdev, ttm); > >>>>>>> ttm->page_flags |= TTM_PAGE_FLAG_PRIV_POPULATED; > >>>>>>> if (unlikely(ttm->page_flags & TTM_PAGE_FLAG_SWAPPED)) { > >>>>>>> ret = ttm_tt_swapin(ttm); >
On Thu, Nov 5, 2020 at 3:31 PM Daniel Vetter <daniel@ffwll.ch> wrote: > > On Thu, Nov 5, 2020 at 2:22 PM Christian König <christian.koenig@amd.com> wrote: > > > > Am 05.11.20 um 14:20 schrieb Daniel Vetter: > > > On Thu, Nov 05, 2020 at 01:56:22PM +0100, Christian König wrote: > > >> Am 05.11.20 um 13:50 schrieb Daniel Vetter: > > >>> On Thu, Nov 05, 2020 at 01:29:50PM +0100, Christian König wrote: > > >>>> Am 05.11.20 um 10:11 schrieb Daniel Vetter: > > >>>>> On Thu, Nov 5, 2020 at 9:00 AM Christian König <christian.koenig@amd.com> wrote: > > >>>>>> Am 04.11.20 um 17:50 schrieb Daniel Vetter: > > >>>>>>> Random observation while trying to review Christian's patch series to > > >>>>>>> stop looking at struct page for dma-buf imports. > > >>>>>>> > > >>>>>>> This was originally added in > > >>>>>>> > > >>>>>>> commit 58aa6622d32af7d2c08d45085f44c54554a16ed7 > > >>>>>>> Author: Thomas Hellstrom <thellstrom@vmware.com> > > >>>>>>> Date: Fri Jan 3 11:47:23 2014 +0100 > > >>>>>>> > > >>>>>>> drm/ttm: Correctly set page mapping and -index members > > >>>>>>> > > >>>>>>> Needed for some vm operations; most notably unmap_mapping_range() with > > >>>>>>> even_cows = 0. > > >>>>>>> > > >>>>>>> Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com> > > >>>>>>> Reviewed-by: Brian Paul <brianp@vmware.com> > > >>>>>>> > > >>>>>>> but we do not have a single caller of unmap_mapping_range with > > >>>>>>> even_cows == 0. And all the gem drivers don't do this, so another > > >>>>>>> small thing we could standardize between drm and ttm drivers. > > >>>>>>> > > >>>>>>> Plus I don't really see a need for unamp_mapping_range where we don't > > >>>>>>> want to indiscriminately shoot down all ptes. > > >>>>>> NAK, we use this to determine if a pages belongs to the driver or not in > > >>>>>> amdgpu for example. > > >>>>>> > > >>>>>> Mostly used for debugging, but I would really like to keep that. > > >>>>> Can you pls point me at that code? A quick grep hasn't really found much at all. > > >>>> See amdgpu_iomem_read() for an example: > > >>> Why do you reject this? > > >> When IOMMU is disabled or uses an 1 to 1 mapping we would otherwise give the > > >> same access as /dev/mem to system memory and that is forbidden. But as I > > >> noted this is just for the debugfs file. > > > Ah, there's a config option for that. Plus it's debugfs, anything goes in > > > debugfs, but if you're worried about that hole we should just disable the > > > entire debugfs file for CONFIG_STRICT_DEVMEM. I can perhaps throw that on > > > top, that follow_pfn patch series I'm baking is all about this kind of > > > fun. > > > > And exactly that would get a NAK from us. > > > > We have specially created that debugfs file as an alternative when > > CONFIG_STRICT_DEVMEM is set. > > Uh that doesn't work if you work around core restrictions with your > own debugfs paths. Maybe you can do fun like this in your dkms, but > not in upstream. Like if this was specifically created to work around > CONFIG_STRICT_DEVMEM (and it sounds like that) then I think this > should never have landed in upstream to begin with. I'm also kinda confused that there's distros with CONFIG_STRICT_DEVMEM which allow debugfs. debugfs is a pretty bad root hole all around, or at least that's been the assumption all the time. -Daniel > > >> When I tried a few years ago to not set the page->mapping I immediately ran > > >> into issues with our eviction test. So I think that this is used elsewhere > > >> as well. > > > That's the kind of interaction I'm worried about here tbh. If this does > > > some kind of shrinking of some sorts, I think a real shrinker should take > > > over. > > > > > > An improved grep shows nothing else, so the only the above is the only > > > thing I can think of. What kind of eviction test goes boom if you clear > > > ->mapping here? I'd be happy to type up the clever trick for the debugfs > > > files. > > > -Daniel > > > > > >> Regards, > > >> Christian. > > >> > > >>> If this is to avoid issues with userptr, then I think there's a simple > > >>> trick: > > >>> - grab page reference > > >>> - recheck that the iova still points at the same address > > >>> - do read/write, safe in the knowledge that this page cannot be reused for > > >>> anything else > > >>> - drop page reference > > >>> > > >>> Of course this can still race against iova updates, but that seems to be a > > >>> fundamental part of your debug interface here. > > >>> > > >>> Or am I missing something? > > >>> > > >>> Just pondering this more since setting the page->mapping pointer for just > > >>> this seems somewhat wild abuse of ->mapping semantics :-) > > >>> -Daniel > > >>> > > >>>>> if (p->mapping != adev->mman.bdev.dev_mapping) > > >>>>> return -EPERM; > > >>>> Christian. > > >>>> > > >>>>> -Daniel > > >>>>> > > >>>>>> Christian. > > >>>>>> > > >>>>>>> Cc: Thomas Hellstrom <thellstrom@vmware.com> > > >>>>>>> Cc: Brian Paul <brianp@vmware.com> > > >>>>>>> Signed-off-by: Daniel Vetter <daniel.vetter@intel.com> > > >>>>>>> Cc: Christian Koenig <christian.koenig@amd.com> > > >>>>>>> Cc: Huang Rui <ray.huang@amd.com> > > >>>>>>> --- > > >>>>>>> drivers/gpu/drm/ttm/ttm_tt.c | 12 ------------ > > >>>>>>> 1 file changed, 12 deletions(-) > > >>>>>>> > > >>>>>>> diff --git a/drivers/gpu/drm/ttm/ttm_tt.c b/drivers/gpu/drm/ttm/ttm_tt.c > > >>>>>>> index 8861a74ac335..438ea43fd8c1 100644 > > >>>>>>> --- a/drivers/gpu/drm/ttm/ttm_tt.c > > >>>>>>> +++ b/drivers/gpu/drm/ttm/ttm_tt.c > > >>>>>>> @@ -291,17 +291,6 @@ int ttm_tt_swapout(struct ttm_bo_device *bdev, struct ttm_tt *ttm) > > >>>>>>> return ret; > > >>>>>>> } > > >>>>>>> > > >>>>>>> -static void ttm_tt_add_mapping(struct ttm_bo_device *bdev, struct ttm_tt *ttm) > > >>>>>>> -{ > > >>>>>>> - pgoff_t i; > > >>>>>>> - > > >>>>>>> - if (ttm->page_flags & TTM_PAGE_FLAG_SG) > > >>>>>>> - return; > > >>>>>>> - > > >>>>>>> - for (i = 0; i < ttm->num_pages; ++i) > > >>>>>>> - ttm->pages[i]->mapping = bdev->dev_mapping; > > >>>>>>> -} > > >>>>>>> - > > >>>>>>> int ttm_tt_populate(struct ttm_bo_device *bdev, > > >>>>>>> struct ttm_tt *ttm, struct ttm_operation_ctx *ctx) > > >>>>>>> { > > >>>>>>> @@ -320,7 +309,6 @@ int ttm_tt_populate(struct ttm_bo_device *bdev, > > >>>>>>> if (ret) > > >>>>>>> return ret; > > >>>>>>> > > >>>>>>> - ttm_tt_add_mapping(bdev, ttm); > > >>>>>>> ttm->page_flags |= TTM_PAGE_FLAG_PRIV_POPULATED; > > >>>>>>> if (unlikely(ttm->page_flags & TTM_PAGE_FLAG_SWAPPED)) { > > >>>>>>> ret = ttm_tt_swapin(ttm); > > > > > -- > Daniel Vetter > Software Engineer, Intel Corporation > http://blog.ffwll.ch
Am 05.11.20 um 15:38 schrieb Daniel Vetter: > On Thu, Nov 5, 2020 at 3:31 PM Daniel Vetter <daniel@ffwll.ch> wrote: >> On Thu, Nov 5, 2020 at 2:22 PM Christian König <christian.koenig@amd.com> wrote: >>> Am 05.11.20 um 14:20 schrieb Daniel Vetter: >>>> On Thu, Nov 05, 2020 at 01:56:22PM +0100, Christian König wrote: >>>>> Am 05.11.20 um 13:50 schrieb Daniel Vetter: >>>>>> On Thu, Nov 05, 2020 at 01:29:50PM +0100, Christian König wrote: >>>>>>> Am 05.11.20 um 10:11 schrieb Daniel Vetter: >>>>>>>> On Thu, Nov 5, 2020 at 9:00 AM Christian König <christian.koenig@amd.com> wrote: >>>>>>>>> Am 04.11.20 um 17:50 schrieb Daniel Vetter: >>>>>>>>>> Random observation while trying to review Christian's patch series to >>>>>>>>>> stop looking at struct page for dma-buf imports. >>>>>>>>>> >>>>>>>>>> This was originally added in >>>>>>>>>> >>>>>>>>>> commit 58aa6622d32af7d2c08d45085f44c54554a16ed7 >>>>>>>>>> Author: Thomas Hellstrom <thellstrom@vmware.com> >>>>>>>>>> Date: Fri Jan 3 11:47:23 2014 +0100 >>>>>>>>>> >>>>>>>>>> drm/ttm: Correctly set page mapping and -index members >>>>>>>>>> >>>>>>>>>> Needed for some vm operations; most notably unmap_mapping_range() with >>>>>>>>>> even_cows = 0. >>>>>>>>>> >>>>>>>>>> Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com> >>>>>>>>>> Reviewed-by: Brian Paul <brianp@vmware.com> >>>>>>>>>> >>>>>>>>>> but we do not have a single caller of unmap_mapping_range with >>>>>>>>>> even_cows == 0. And all the gem drivers don't do this, so another >>>>>>>>>> small thing we could standardize between drm and ttm drivers. >>>>>>>>>> >>>>>>>>>> Plus I don't really see a need for unamp_mapping_range where we don't >>>>>>>>>> want to indiscriminately shoot down all ptes. >>>>>>>>> NAK, we use this to determine if a pages belongs to the driver or not in >>>>>>>>> amdgpu for example. >>>>>>>>> >>>>>>>>> Mostly used for debugging, but I would really like to keep that. >>>>>>>> Can you pls point me at that code? A quick grep hasn't really found much at all. >>>>>>> See amdgpu_iomem_read() for an example: >>>>>> Why do you reject this? >>>>> When IOMMU is disabled or uses an 1 to 1 mapping we would otherwise give the >>>>> same access as /dev/mem to system memory and that is forbidden. But as I >>>>> noted this is just for the debugfs file. >>>> Ah, there's a config option for that. Plus it's debugfs, anything goes in >>>> debugfs, but if you're worried about that hole we should just disable the >>>> entire debugfs file for CONFIG_STRICT_DEVMEM. I can perhaps throw that on >>>> top, that follow_pfn patch series I'm baking is all about this kind of >>>> fun. >>> And exactly that would get a NAK from us. >>> >>> We have specially created that debugfs file as an alternative when >>> CONFIG_STRICT_DEVMEM is set. >> Uh that doesn't work if you work around core restrictions with your >> own debugfs paths. That's why we have the restriction to check the mapping of the pages. This way we only expose the memory which was allocated by our driver and don't allow any uncontrolled access to the whole system memory. We have something similar for radeon as well, but there we have a global GART table which we can use for validating stuff. >> Maybe you can do fun like this in your dkms, but >> not in upstream. Like if this was specifically created to work around >> CONFIG_STRICT_DEVMEM (and it sounds like that) then I think this >> should never have landed in upstream to begin with. > I'm also kinda confused that there's distros with CONFIG_STRICT_DEVMEM > which allow debugfs. debugfs is a pretty bad root hole all around, or > at least that's been the assumption all the time. Yeah, completely agree :) But that's not my problem. Christian. > -Daniel > >>>>> When I tried a few years ago to not set the page->mapping I immediately ran >>>>> into issues with our eviction test. So I think that this is used elsewhere >>>>> as well. >>>> That's the kind of interaction I'm worried about here tbh. If this does >>>> some kind of shrinking of some sorts, I think a real shrinker should take >>>> over. >>>> >>>> An improved grep shows nothing else, so the only the above is the only >>>> thing I can think of. What kind of eviction test goes boom if you clear >>>> ->mapping here? I'd be happy to type up the clever trick for the debugfs >>>> files. >>>> -Daniel >>>> >>>>> Regards, >>>>> Christian. >>>>> >>>>>> If this is to avoid issues with userptr, then I think there's a simple >>>>>> trick: >>>>>> - grab page reference >>>>>> - recheck that the iova still points at the same address >>>>>> - do read/write, safe in the knowledge that this page cannot be reused for >>>>>> anything else >>>>>> - drop page reference >>>>>> >>>>>> Of course this can still race against iova updates, but that seems to be a >>>>>> fundamental part of your debug interface here. >>>>>> >>>>>> Or am I missing something? >>>>>> >>>>>> Just pondering this more since setting the page->mapping pointer for just >>>>>> this seems somewhat wild abuse of ->mapping semantics :-) >>>>>> -Daniel >>>>>> >>>>>>>> if (p->mapping != adev->mman.bdev.dev_mapping) >>>>>>>> return -EPERM; >>>>>>> Christian. >>>>>>> >>>>>>>> -Daniel >>>>>>>> >>>>>>>>> Christian. >>>>>>>>> >>>>>>>>>> Cc: Thomas Hellstrom <thellstrom@vmware.com> >>>>>>>>>> Cc: Brian Paul <brianp@vmware.com> >>>>>>>>>> Signed-off-by: Daniel Vetter <daniel.vetter@intel.com> >>>>>>>>>> Cc: Christian Koenig <christian.koenig@amd.com> >>>>>>>>>> Cc: Huang Rui <ray.huang@amd.com> >>>>>>>>>> --- >>>>>>>>>> drivers/gpu/drm/ttm/ttm_tt.c | 12 ------------ >>>>>>>>>> 1 file changed, 12 deletions(-) >>>>>>>>>> >>>>>>>>>> diff --git a/drivers/gpu/drm/ttm/ttm_tt.c b/drivers/gpu/drm/ttm/ttm_tt.c >>>>>>>>>> index 8861a74ac335..438ea43fd8c1 100644 >>>>>>>>>> --- a/drivers/gpu/drm/ttm/ttm_tt.c >>>>>>>>>> +++ b/drivers/gpu/drm/ttm/ttm_tt.c >>>>>>>>>> @@ -291,17 +291,6 @@ int ttm_tt_swapout(struct ttm_bo_device *bdev, struct ttm_tt *ttm) >>>>>>>>>> return ret; >>>>>>>>>> } >>>>>>>>>> >>>>>>>>>> -static void ttm_tt_add_mapping(struct ttm_bo_device *bdev, struct ttm_tt *ttm) >>>>>>>>>> -{ >>>>>>>>>> - pgoff_t i; >>>>>>>>>> - >>>>>>>>>> - if (ttm->page_flags & TTM_PAGE_FLAG_SG) >>>>>>>>>> - return; >>>>>>>>>> - >>>>>>>>>> - for (i = 0; i < ttm->num_pages; ++i) >>>>>>>>>> - ttm->pages[i]->mapping = bdev->dev_mapping; >>>>>>>>>> -} >>>>>>>>>> - >>>>>>>>>> int ttm_tt_populate(struct ttm_bo_device *bdev, >>>>>>>>>> struct ttm_tt *ttm, struct ttm_operation_ctx *ctx) >>>>>>>>>> { >>>>>>>>>> @@ -320,7 +309,6 @@ int ttm_tt_populate(struct ttm_bo_device *bdev, >>>>>>>>>> if (ret) >>>>>>>>>> return ret; >>>>>>>>>> >>>>>>>>>> - ttm_tt_add_mapping(bdev, ttm); >>>>>>>>>> ttm->page_flags |= TTM_PAGE_FLAG_PRIV_POPULATED; >>>>>>>>>> if (unlikely(ttm->page_flags & TTM_PAGE_FLAG_SWAPPED)) { >>>>>>>>>> ret = ttm_tt_swapin(ttm); >> >> -- >> Daniel Vetter >> Software Engineer, Intel Corporation >> https://nam11.safelinks.protection.outlook.com/?url=http%3A%2F%2Fblog.ffwll.ch%2F&data=04%7C01%7Cchristian.koenig%40amd.com%7C619e6a6113674691eb9708d8819874f4%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637401839082694450%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=Uo7UXS7y%2BU%2FHfnBenx2vQXuyyB%2FCuOULLOp1uL0eg4I%3D&reserved=0 > >
On Thu, Nov 5, 2020 at 4:15 PM Christian König <christian.koenig@amd.com> wrote: > > Am 05.11.20 um 15:38 schrieb Daniel Vetter: > > On Thu, Nov 5, 2020 at 3:31 PM Daniel Vetter <daniel@ffwll.ch> wrote: > >> On Thu, Nov 5, 2020 at 2:22 PM Christian König <christian.koenig@amd.com> wrote: > >>> Am 05.11.20 um 14:20 schrieb Daniel Vetter: > >>>> On Thu, Nov 05, 2020 at 01:56:22PM +0100, Christian König wrote: > >>>>> Am 05.11.20 um 13:50 schrieb Daniel Vetter: > >>>>>> On Thu, Nov 05, 2020 at 01:29:50PM +0100, Christian König wrote: > >>>>>>> Am 05.11.20 um 10:11 schrieb Daniel Vetter: > >>>>>>>> On Thu, Nov 5, 2020 at 9:00 AM Christian König <christian.koenig@amd.com> wrote: > >>>>>>>>> Am 04.11.20 um 17:50 schrieb Daniel Vetter: > >>>>>>>>>> Random observation while trying to review Christian's patch series to > >>>>>>>>>> stop looking at struct page for dma-buf imports. > >>>>>>>>>> > >>>>>>>>>> This was originally added in > >>>>>>>>>> > >>>>>>>>>> commit 58aa6622d32af7d2c08d45085f44c54554a16ed7 > >>>>>>>>>> Author: Thomas Hellstrom <thellstrom@vmware.com> > >>>>>>>>>> Date: Fri Jan 3 11:47:23 2014 +0100 > >>>>>>>>>> > >>>>>>>>>> drm/ttm: Correctly set page mapping and -index members > >>>>>>>>>> > >>>>>>>>>> Needed for some vm operations; most notably unmap_mapping_range() with > >>>>>>>>>> even_cows = 0. > >>>>>>>>>> > >>>>>>>>>> Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com> > >>>>>>>>>> Reviewed-by: Brian Paul <brianp@vmware.com> > >>>>>>>>>> > >>>>>>>>>> but we do not have a single caller of unmap_mapping_range with > >>>>>>>>>> even_cows == 0. And all the gem drivers don't do this, so another > >>>>>>>>>> small thing we could standardize between drm and ttm drivers. > >>>>>>>>>> > >>>>>>>>>> Plus I don't really see a need for unamp_mapping_range where we don't > >>>>>>>>>> want to indiscriminately shoot down all ptes. > >>>>>>>>> NAK, we use this to determine if a pages belongs to the driver or not in > >>>>>>>>> amdgpu for example. > >>>>>>>>> > >>>>>>>>> Mostly used for debugging, but I would really like to keep that. > >>>>>>>> Can you pls point me at that code? A quick grep hasn't really found much at all. > >>>>>>> See amdgpu_iomem_read() for an example: > >>>>>> Why do you reject this? > >>>>> When IOMMU is disabled or uses an 1 to 1 mapping we would otherwise give the > >>>>> same access as /dev/mem to system memory and that is forbidden. But as I > >>>>> noted this is just for the debugfs file. > >>>> Ah, there's a config option for that. Plus it's debugfs, anything goes in > >>>> debugfs, but if you're worried about that hole we should just disable the > >>>> entire debugfs file for CONFIG_STRICT_DEVMEM. I can perhaps throw that on > >>>> top, that follow_pfn patch series I'm baking is all about this kind of > >>>> fun. > >>> And exactly that would get a NAK from us. > >>> > >>> We have specially created that debugfs file as an alternative when > >>> CONFIG_STRICT_DEVMEM is set. > >> Uh that doesn't work if you work around core restrictions with your > >> own debugfs paths. > > That's why we have the restriction to check the mapping of the pages. > > This way we only expose the memory which was allocated by our driver and > don't allow any uncontrolled access to the whole system memory. > > We have something similar for radeon as well, but there we have a global > GART table which we can use for validating stuff. The check doesn't take any locks over the check and copy*user, I don't think it's protecting anything really against somewhat adverse userspace. I mean fundamentally locking down stuff like STRICT_DEVMEM or all the others makes debugging harder, that's kinda the expected tradeoff. > >> Maybe you can do fun like this in your dkms, but > >> not in upstream. Like if this was specifically created to work around > >> CONFIG_STRICT_DEVMEM (and it sounds like that) then I think this > >> should never have landed in upstream to begin with. > > I'm also kinda confused that there's distros with CONFIG_STRICT_DEVMEM > > which allow debugfs. debugfs is a pretty bad root hole all around, or > > at least that's been the assumption all the time. > > Yeah, completely agree :) But that's not my problem. I guess I'll do another rfc series and poke a pile of people ... seems to be a habit I'm developing :-) -Daniel > > Christian. > > > -Daniel > > > >>>>> When I tried a few years ago to not set the page->mapping I immediately ran > >>>>> into issues with our eviction test. So I think that this is used elsewhere > >>>>> as well. > >>>> That's the kind of interaction I'm worried about here tbh. If this does > >>>> some kind of shrinking of some sorts, I think a real shrinker should take > >>>> over. > >>>> > >>>> An improved grep shows nothing else, so the only the above is the only > >>>> thing I can think of. What kind of eviction test goes boom if you clear > >>>> ->mapping here? I'd be happy to type up the clever trick for the debugfs > >>>> files. > >>>> -Daniel > >>>> > >>>>> Regards, > >>>>> Christian. > >>>>> > >>>>>> If this is to avoid issues with userptr, then I think there's a simple > >>>>>> trick: > >>>>>> - grab page reference > >>>>>> - recheck that the iova still points at the same address > >>>>>> - do read/write, safe in the knowledge that this page cannot be reused for > >>>>>> anything else > >>>>>> - drop page reference > >>>>>> > >>>>>> Of course this can still race against iova updates, but that seems to be a > >>>>>> fundamental part of your debug interface here. > >>>>>> > >>>>>> Or am I missing something? > >>>>>> > >>>>>> Just pondering this more since setting the page->mapping pointer for just > >>>>>> this seems somewhat wild abuse of ->mapping semantics :-) > >>>>>> -Daniel > >>>>>> > >>>>>>>> if (p->mapping != adev->mman.bdev.dev_mapping) > >>>>>>>> return -EPERM; > >>>>>>> Christian. > >>>>>>> > >>>>>>>> -Daniel > >>>>>>>> > >>>>>>>>> Christian. > >>>>>>>>> > >>>>>>>>>> Cc: Thomas Hellstrom <thellstrom@vmware.com> > >>>>>>>>>> Cc: Brian Paul <brianp@vmware.com> > >>>>>>>>>> Signed-off-by: Daniel Vetter <daniel.vetter@intel.com> > >>>>>>>>>> Cc: Christian Koenig <christian.koenig@amd.com> > >>>>>>>>>> Cc: Huang Rui <ray.huang@amd.com> > >>>>>>>>>> --- > >>>>>>>>>> drivers/gpu/drm/ttm/ttm_tt.c | 12 ------------ > >>>>>>>>>> 1 file changed, 12 deletions(-) > >>>>>>>>>> > >>>>>>>>>> diff --git a/drivers/gpu/drm/ttm/ttm_tt.c b/drivers/gpu/drm/ttm/ttm_tt.c > >>>>>>>>>> index 8861a74ac335..438ea43fd8c1 100644 > >>>>>>>>>> --- a/drivers/gpu/drm/ttm/ttm_tt.c > >>>>>>>>>> +++ b/drivers/gpu/drm/ttm/ttm_tt.c > >>>>>>>>>> @@ -291,17 +291,6 @@ int ttm_tt_swapout(struct ttm_bo_device *bdev, struct ttm_tt *ttm) > >>>>>>>>>> return ret; > >>>>>>>>>> } > >>>>>>>>>> > >>>>>>>>>> -static void ttm_tt_add_mapping(struct ttm_bo_device *bdev, struct ttm_tt *ttm) > >>>>>>>>>> -{ > >>>>>>>>>> - pgoff_t i; > >>>>>>>>>> - > >>>>>>>>>> - if (ttm->page_flags & TTM_PAGE_FLAG_SG) > >>>>>>>>>> - return; > >>>>>>>>>> - > >>>>>>>>>> - for (i = 0; i < ttm->num_pages; ++i) > >>>>>>>>>> - ttm->pages[i]->mapping = bdev->dev_mapping; > >>>>>>>>>> -} > >>>>>>>>>> - > >>>>>>>>>> int ttm_tt_populate(struct ttm_bo_device *bdev, > >>>>>>>>>> struct ttm_tt *ttm, struct ttm_operation_ctx *ctx) > >>>>>>>>>> { > >>>>>>>>>> @@ -320,7 +309,6 @@ int ttm_tt_populate(struct ttm_bo_device *bdev, > >>>>>>>>>> if (ret) > >>>>>>>>>> return ret; > >>>>>>>>>> > >>>>>>>>>> - ttm_tt_add_mapping(bdev, ttm); > >>>>>>>>>> ttm->page_flags |= TTM_PAGE_FLAG_PRIV_POPULATED; > >>>>>>>>>> if (unlikely(ttm->page_flags & TTM_PAGE_FLAG_SWAPPED)) { > >>>>>>>>>> ret = ttm_tt_swapin(ttm); > >> > >> -- > >> Daniel Vetter > >> Software Engineer, Intel Corporation > >> https://nam11.safelinks.protection.outlook.com/?url=http%3A%2F%2Fblog.ffwll.ch%2F&data=04%7C01%7Cchristian.koenig%40amd.com%7C619e6a6113674691eb9708d8819874f4%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637401839082694450%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=Uo7UXS7y%2BU%2FHfnBenx2vQXuyyB%2FCuOULLOp1uL0eg4I%3D&reserved=0 > > > > >
Am 05.11.20 um 17:37 schrieb Daniel Vetter: > [SNIP] >>>>>>>>>>> NAK, we use this to determine if a pages belongs to the driver or not in >>>>>>>>>>> amdgpu for example. >>>>>>>>>>> >>>>>>>>>>> Mostly used for debugging, but I would really like to keep that. >>>>>>>>>> Can you pls point me at that code? A quick grep hasn't really found much at all. >>>>>>>>> See amdgpu_iomem_read() for an example: >>>>>>>> Why do you reject this? >>>>>>> When IOMMU is disabled or uses an 1 to 1 mapping we would otherwise give the >>>>>>> same access as /dev/mem to system memory and that is forbidden. But as I >>>>>>> noted this is just for the debugfs file. >>>>>> Ah, there's a config option for that. Plus it's debugfs, anything goes in >>>>>> debugfs, but if you're worried about that hole we should just disable the >>>>>> entire debugfs file for CONFIG_STRICT_DEVMEM. I can perhaps throw that on >>>>>> top, that follow_pfn patch series I'm baking is all about this kind of >>>>>> fun. >>>>> And exactly that would get a NAK from us. >>>>> >>>>> We have specially created that debugfs file as an alternative when >>>>> CONFIG_STRICT_DEVMEM is set. >>>> Uh that doesn't work if you work around core restrictions with your >>>> own debugfs paths. >> That's why we have the restriction to check the mapping of the pages. >> >> This way we only expose the memory which was allocated by our driver and >> don't allow any uncontrolled access to the whole system memory. >> >> We have something similar for radeon as well, but there we have a global >> GART table which we can use for validating stuff. > The check doesn't take any locks over the check and copy*user, I don't > think it's protecting anything really against somewhat adverse > userspace. You mean that it's racing with freeing the pages? Yes that is an obvious problem, but we already had the same issue for radeon as well. On the other hand we could easily prevent that with a lock. > I mean fundamentally locking down stuff like STRICT_DEVMEM or all the > others makes debugging harder, that's kinda the expected tradeoff. Well we just wanted to have the same debugging functionality we had for radeon. As you said debugfs is a rabbit hole regarding attack vectors anyway. If you are root you can just go to /sys and start reprogramming the hardware to do what you want to do. Regards, Christian. > >>>> Maybe you can do fun like this in your dkms, but >>>> not in upstream. Like if this was specifically created to work around >>>> CONFIG_STRICT_DEVMEM (and it sounds like that) then I think this >>>> should never have landed in upstream to begin with. >>> I'm also kinda confused that there's distros with CONFIG_STRICT_DEVMEM >>> which allow debugfs. debugfs is a pretty bad root hole all around, or >>> at least that's been the assumption all the time. >> Yeah, completely agree :) But that's not my problem. > I guess I'll do another rfc series and poke a pile of people ... seems > to be a habit I'm developing :-) > -Daniel >
diff --git a/drivers/gpu/drm/ttm/ttm_tt.c b/drivers/gpu/drm/ttm/ttm_tt.c index 8861a74ac335..438ea43fd8c1 100644 --- a/drivers/gpu/drm/ttm/ttm_tt.c +++ b/drivers/gpu/drm/ttm/ttm_tt.c @@ -291,17 +291,6 @@ int ttm_tt_swapout(struct ttm_bo_device *bdev, struct ttm_tt *ttm) return ret; } -static void ttm_tt_add_mapping(struct ttm_bo_device *bdev, struct ttm_tt *ttm) -{ - pgoff_t i; - - if (ttm->page_flags & TTM_PAGE_FLAG_SG) - return; - - for (i = 0; i < ttm->num_pages; ++i) - ttm->pages[i]->mapping = bdev->dev_mapping; -} - int ttm_tt_populate(struct ttm_bo_device *bdev, struct ttm_tt *ttm, struct ttm_operation_ctx *ctx) { @@ -320,7 +309,6 @@ int ttm_tt_populate(struct ttm_bo_device *bdev, if (ret) return ret; - ttm_tt_add_mapping(bdev, ttm); ttm->page_flags |= TTM_PAGE_FLAG_PRIV_POPULATED; if (unlikely(ttm->page_flags & TTM_PAGE_FLAG_SWAPPED)) { ret = ttm_tt_swapin(ttm);