[v5,01/13] drm/ttm: stop calling tt_swapin in vm_access

Message ID	20210927114114.152310-1-matthew.auld@intel.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <SRS0=YAdz=OR=lists.freedesktop.org=dri-devel-bounces@kernel.org> DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org 69B3D60F4B From: Matthew Auld <matthew.auld@intel.com> To: intel-gfx@lists.freedesktop.org Cc: dri-devel@lists.freedesktop.org, =?utf-8?q?Thomas_Hellstr=C3=B6m?= <thomas.hellstrom@linux.intel.com>, =?utf-8?q?Christian_K=C3=B6nig?= <christian.koenig@amd.com> Subject: [PATCH v5 01/13] drm/ttm: stop calling tt_swapin in vm_access Date: Mon, 27 Sep 2021 12:41:02 +0100 Message-Id: <20210927114114.152310-1-matthew.auld@intel.com> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: list Errors-To: dri-devel-bounces@lists.freedesktop.org Sender: "dri-devel" <dri-devel-bounces@lists.freedesktop.org>
Series	[v5,01/13] drm/ttm: stop calling tt_swapin in vm_access \| expand [v5,01/13] drm/ttm: stop calling tt_swapin in vm_access [v5,02/13] drm/ttm: stop setting page->index for the ttm_tt [v5,03/13] drm/ttm: move ttm_tt_{add, clear}_mapping into amdgpu [v5,04/13] drm/ttm: remove TTM_PAGE_FLAG_NO_RETRY [v5,05/13] drm/ttm: s/FLAG_SG/FLAG_EXTERNAL/ [v5,06/13] drm/ttm: add some kernel-doc for TTM_TT_FLAG_* [v5,07/13] drm/ttm: add TTM_TT_FLAG_EXTERNAL_MAPPABLE [v5,08/13] drm/i915/gem: Break out some shmem backend utils [v5,09/13] drm/i915/ttm: add tt shmem backend [v5,10/13] drm/i915: try to simplify make_{un}shrinkable [v5,11/13] drm/i915/ttm: make evicted shmem pages visible to the shrinker [v5,12/13] drm/i915/ttm: use cached system pages when evicting lmem [v5,13/13] drm/i915/ttm: enable shmem tt backend

Message ID

20210927114114.152310-1-matthew.auld@intel.com (mailing list archive)

State

New, archived

Headers

DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org 69B3D60F4B
From: Matthew Auld <matthew.auld@intel.com>
To: intel-gfx@lists.freedesktop.org
Cc: dri-devel@lists.freedesktop.org,
 =?utf-8?q?Thomas_Hellstr=C3=B6m?= <thomas.hellstrom@linux.intel.com>,
	=?utf-8?q?Christian_K=C3=B6nig?= <christian.koenig@amd.com>
Subject: [PATCH v5 01/13] drm/ttm: stop calling tt_swapin in vm_access
Date: Mon, 27 Sep 2021 12:41:02 +0100
Message-Id: <20210927114114.152310-1-matthew.auld@intel.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: list
Errors-To: dri-devel-bounces@lists.freedesktop.org
Sender: "dri-devel" <dri-devel-bounces@lists.freedesktop.org>

Series

[v5,01/13] drm/ttm: stop calling tt_swapin in vm_access | expand

Commit Message

Matthew Auld Sept. 27, 2021, 11:41 a.m. UTC

In commit:

commit 09ac4fcb3f255e9225967c75f5893325c116cdbe
Author: Felix Kuehling <Felix.Kuehling@amd.com>
Date:   Thu Jul 13 17:01:16 2017 -0400

    drm/ttm: Implement vm_operations_struct.access v2

we added the vm_access hook, where we also directly call tt_swapin for
some reason. If something is swapped-out then the ttm_tt must also be
unpopulated, and since access_kmap should also call tt_populate, if
needed, then swapping-in will already be handled there.

If anything, calling tt_swapin directly here would likely always fail
since the tt->pages won't yet be populated, or worse since the tt->pages
array is never actually cleared in unpopulate this might lead to a nasty
uaf.

Fixes: 09ac4fcb3f25 ("drm/ttm: Implement vm_operations_struct.access v2")
Signed-off-by: Matthew Auld <matthew.auld@intel.com>
Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com>
Cc: Christian König <christian.koenig@amd.com>
Reviewed-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
---
 drivers/gpu/drm/ttm/ttm_bo_vm.c | 5 -----
 1 file changed, 5 deletions(-)

Comments

Christian König Sept. 27, 2021, 11:47 a.m. UTC | #1

Any objections that I just push patches 1-7 to drm-misc-next?

Christian.

Am 27.09.21 um 13:41 schrieb Matthew Auld:
> In commit:
>
> commit 09ac4fcb3f255e9225967c75f5893325c116cdbe
> Author: Felix Kuehling <Felix.Kuehling@amd.com>
> Date:   Thu Jul 13 17:01:16 2017 -0400
>
>      drm/ttm: Implement vm_operations_struct.access v2
>
> we added the vm_access hook, where we also directly call tt_swapin for
> some reason. If something is swapped-out then the ttm_tt must also be
> unpopulated, and since access_kmap should also call tt_populate, if
> needed, then swapping-in will already be handled there.
>
> If anything, calling tt_swapin directly here would likely always fail
> since the tt->pages won't yet be populated, or worse since the tt->pages
> array is never actually cleared in unpopulate this might lead to a nasty
> uaf.
>
> Fixes: 09ac4fcb3f25 ("drm/ttm: Implement vm_operations_struct.access v2")
> Signed-off-by: Matthew Auld <matthew.auld@intel.com>
> Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com>
> Cc: Christian König <christian.koenig@amd.com>
> Reviewed-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
> Reviewed-by: Christian König <christian.koenig@amd.com>
> ---
>   drivers/gpu/drm/ttm/ttm_bo_vm.c | 5 -----
>   1 file changed, 5 deletions(-)
>
> diff --git a/drivers/gpu/drm/ttm/ttm_bo_vm.c b/drivers/gpu/drm/ttm/ttm_bo_vm.c
> index f56be5bc0861..5b9b7fd01a69 100644
> --- a/drivers/gpu/drm/ttm/ttm_bo_vm.c
> +++ b/drivers/gpu/drm/ttm/ttm_bo_vm.c
> @@ -519,11 +519,6 @@ int ttm_bo_vm_access(struct vm_area_struct *vma, unsigned long addr,
>   
>   	switch (bo->resource->mem_type) {
>   	case TTM_PL_SYSTEM:
> -		if (unlikely(bo->ttm->page_flags & TTM_PAGE_FLAG_SWAPPED)) {
> -			ret = ttm_tt_swapin(bo->ttm);
> -			if (unlikely(ret != 0))
> -				return ret;
> -		}
>   		fallthrough;
>   	case TTM_PL_TT:
>   		ret = ttm_bo_vm_access_kmap(bo, offset, buf, len, write);

Matthew Auld Sept. 27, 2021, 4:14 p.m. UTC | #2

On Mon, 27 Sept 2021 at 12:47, Christian König <christian.koenig@amd.com> wrote:
>
> Any objections that I just push patches 1-7 to drm-misc-next?

Please go ahead Christian. Thanks.

>
> Christian.
>
> Am 27.09.21 um 13:41 schrieb Matthew Auld:
> > In commit:
> >
> > commit 09ac4fcb3f255e9225967c75f5893325c116cdbe
> > Author: Felix Kuehling <Felix.Kuehling@amd.com>
> > Date:   Thu Jul 13 17:01:16 2017 -0400
> >
> >      drm/ttm: Implement vm_operations_struct.access v2
> >
> > we added the vm_access hook, where we also directly call tt_swapin for
> > some reason. If something is swapped-out then the ttm_tt must also be
> > unpopulated, and since access_kmap should also call tt_populate, if
> > needed, then swapping-in will already be handled there.
> >
> > If anything, calling tt_swapin directly here would likely always fail
> > since the tt->pages won't yet be populated, or worse since the tt->pages
> > array is never actually cleared in unpopulate this might lead to a nasty
> > uaf.
> >
> > Fixes: 09ac4fcb3f25 ("drm/ttm: Implement vm_operations_struct.access v2")
> > Signed-off-by: Matthew Auld <matthew.auld@intel.com>
> > Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com>
> > Cc: Christian König <christian.koenig@amd.com>
> > Reviewed-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
> > Reviewed-by: Christian König <christian.koenig@amd.com>
> > ---
> >   drivers/gpu/drm/ttm/ttm_bo_vm.c | 5 -----
> >   1 file changed, 5 deletions(-)
> >
> > diff --git a/drivers/gpu/drm/ttm/ttm_bo_vm.c b/drivers/gpu/drm/ttm/ttm_bo_vm.c
> > index f56be5bc0861..5b9b7fd01a69 100644
> > --- a/drivers/gpu/drm/ttm/ttm_bo_vm.c
> > +++ b/drivers/gpu/drm/ttm/ttm_bo_vm.c
> > @@ -519,11 +519,6 @@ int ttm_bo_vm_access(struct vm_area_struct *vma, unsigned long addr,
> >
> >       switch (bo->resource->mem_type) {
> >       case TTM_PL_SYSTEM:
> > -             if (unlikely(bo->ttm->page_flags & TTM_PAGE_FLAG_SWAPPED)) {
> > -                     ret = ttm_tt_swapin(bo->ttm);
> > -                     if (unlikely(ret != 0))
> > -                             return ret;
> > -             }
> >               fallthrough;
> >       case TTM_PL_TT:
> >               ret = ttm_bo_vm_access_kmap(bo, offset, buf, len, write);
>

Christian König Sept. 29, 2021, 12:01 p.m. UTC | #3

Am 27.09.21 um 18:14 schrieb Matthew Auld:
> On Mon, 27 Sept 2021 at 12:47, Christian König <christian.koenig@amd.com> wrote:
>> Any objections that I just push patches 1-7 to drm-misc-next?
> Please go ahead Christian. Thanks.

Well I've pushed patches #1-#4 because #5 won't apply on current 
drm-misc-next (some conflict in i915).

Could you rebase this an/or request backmerging of drm-next into 
drm-misc-next when potential i915 prerequisites have landed there.

Thanks,
Christian.

>
>> Christian.
>>
>> Am 27.09.21 um 13:41 schrieb Matthew Auld:
>>> In commit:
>>>
>>> commit 09ac4fcb3f255e9225967c75f5893325c116cdbe
>>> Author: Felix Kuehling <Felix.Kuehling@amd.com>
>>> Date:   Thu Jul 13 17:01:16 2017 -0400
>>>
>>>       drm/ttm: Implement vm_operations_struct.access v2
>>>
>>> we added the vm_access hook, where we also directly call tt_swapin for
>>> some reason. If something is swapped-out then the ttm_tt must also be
>>> unpopulated, and since access_kmap should also call tt_populate, if
>>> needed, then swapping-in will already be handled there.
>>>
>>> If anything, calling tt_swapin directly here would likely always fail
>>> since the tt->pages won't yet be populated, or worse since the tt->pages
>>> array is never actually cleared in unpopulate this might lead to a nasty
>>> uaf.
>>>
>>> Fixes: 09ac4fcb3f25 ("drm/ttm: Implement vm_operations_struct.access v2")
>>> Signed-off-by: Matthew Auld <matthew.auld@intel.com>
>>> Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com>
>>> Cc: Christian König <christian.koenig@amd.com>
>>> Reviewed-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
>>> Reviewed-by: Christian König <christian.koenig@amd.com>
>>> ---
>>>    drivers/gpu/drm/ttm/ttm_bo_vm.c | 5 -----
>>>    1 file changed, 5 deletions(-)
>>>
>>> diff --git a/drivers/gpu/drm/ttm/ttm_bo_vm.c b/drivers/gpu/drm/ttm/ttm_bo_vm.c
>>> index f56be5bc0861..5b9b7fd01a69 100644
>>> --- a/drivers/gpu/drm/ttm/ttm_bo_vm.c
>>> +++ b/drivers/gpu/drm/ttm/ttm_bo_vm.c
>>> @@ -519,11 +519,6 @@ int ttm_bo_vm_access(struct vm_area_struct *vma, unsigned long addr,
>>>
>>>        switch (bo->resource->mem_type) {
>>>        case TTM_PL_SYSTEM:
>>> -             if (unlikely(bo->ttm->page_flags & TTM_PAGE_FLAG_SWAPPED)) {
>>> -                     ret = ttm_tt_swapin(bo->ttm);
>>> -                     if (unlikely(ret != 0))
>>> -                             return ret;
>>> -             }
>>>                fallthrough;
>>>        case TTM_PL_TT:
>>>                ret = ttm_bo_vm_access_kmap(bo, offset, buf, len, write);

Matthew Auld Sept. 29, 2021, 1:45 p.m. UTC | #4

On Wed, 29 Sept 2021 at 13:01, Christian König <christian.koenig@amd.com> wrote:
>
> Am 27.09.21 um 18:14 schrieb Matthew Auld:
> > On Mon, 27 Sept 2021 at 12:47, Christian König <christian.koenig@amd.com> wrote:
> >> Any objections that I just push patches 1-7 to drm-misc-next?
> > Please go ahead Christian. Thanks.
>
> Well I've pushed patches #1-#4 because #5 won't apply on current
> drm-misc-next (some conflict in i915).
>
> Could you rebase this an/or request backmerging of drm-next into
> drm-misc-next when potential i915 prerequisites have landed there.

Version which should apply to drm-misc-next:
https://patchwork.freedesktop.org/series/95219/

>
> Thanks,
> Christian.
>
> >
> >> Christian.
> >>
> >> Am 27.09.21 um 13:41 schrieb Matthew Auld:
> >>> In commit:
> >>>
> >>> commit 09ac4fcb3f255e9225967c75f5893325c116cdbe
> >>> Author: Felix Kuehling <Felix.Kuehling@amd.com>
> >>> Date:   Thu Jul 13 17:01:16 2017 -0400
> >>>
> >>>       drm/ttm: Implement vm_operations_struct.access v2
> >>>
> >>> we added the vm_access hook, where we also directly call tt_swapin for
> >>> some reason. If something is swapped-out then the ttm_tt must also be
> >>> unpopulated, and since access_kmap should also call tt_populate, if
> >>> needed, then swapping-in will already be handled there.
> >>>
> >>> If anything, calling tt_swapin directly here would likely always fail
> >>> since the tt->pages won't yet be populated, or worse since the tt->pages
> >>> array is never actually cleared in unpopulate this might lead to a nasty
> >>> uaf.
> >>>
> >>> Fixes: 09ac4fcb3f25 ("drm/ttm: Implement vm_operations_struct.access v2")
> >>> Signed-off-by: Matthew Auld <matthew.auld@intel.com>
> >>> Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com>
> >>> Cc: Christian König <christian.koenig@amd.com>
> >>> Reviewed-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
> >>> Reviewed-by: Christian König <christian.koenig@amd.com>
> >>> ---
> >>>    drivers/gpu/drm/ttm/ttm_bo_vm.c | 5 -----
> >>>    1 file changed, 5 deletions(-)
> >>>
> >>> diff --git a/drivers/gpu/drm/ttm/ttm_bo_vm.c b/drivers/gpu/drm/ttm/ttm_bo_vm.c
> >>> index f56be5bc0861..5b9b7fd01a69 100644
> >>> --- a/drivers/gpu/drm/ttm/ttm_bo_vm.c
> >>> +++ b/drivers/gpu/drm/ttm/ttm_bo_vm.c
> >>> @@ -519,11 +519,6 @@ int ttm_bo_vm_access(struct vm_area_struct *vma, unsigned long addr,
> >>>
> >>>        switch (bo->resource->mem_type) {
> >>>        case TTM_PL_SYSTEM:
> >>> -             if (unlikely(bo->ttm->page_flags & TTM_PAGE_FLAG_SWAPPED)) {
> >>> -                     ret = ttm_tt_swapin(bo->ttm);
> >>> -                     if (unlikely(ret != 0))
> >>> -                             return ret;
> >>> -             }
> >>>                fallthrough;
> >>>        case TTM_PL_TT:
> >>>                ret = ttm_bo_vm_access_kmap(bo, offset, buf, len, write);
>

diff --git a/drivers/gpu/drm/ttm/ttm_bo_vm.c b/drivers/gpu/drm/ttm/ttm_bo_vm.c
index f56be5bc0861..5b9b7fd01a69 100644
--- a/drivers/gpu/drm/ttm/ttm_bo_vm.c
+++ b/drivers/gpu/drm/ttm/ttm_bo_vm.c
@@ -519,11 +519,6 @@  int ttm_bo_vm_access(struct vm_area_struct *vma, unsigned long addr,
 
 	switch (bo->resource->mem_type) {
 	case TTM_PL_SYSTEM:
-		if (unlikely(bo->ttm->page_flags & TTM_PAGE_FLAG_SWAPPED)) {
-			ret = ttm_tt_swapin(bo->ttm);
-			if (unlikely(ret != 0))
-				return ret;
-		}
 		fallthrough;
 	case TTM_PL_TT:
 		ret = ttm_bo_vm_access_kmap(bo, offset, buf, len, write);

[v5,01/13] drm/ttm: stop calling tt_swapin in vm_access

Commit Message

Comments

Patch