[1/2] drm/i915: Prevent a race during I915_GEM_MMAP ioctl with WC set
diff mbox series

Message ID 20190107085656.22521-1-joonas.lahtinen@linux.intel.com
State New
Headers show
Series
  • [1/2] drm/i915: Prevent a race during I915_GEM_MMAP ioctl with WC set
Related show

Commit Message

Joonas Lahtinen Jan. 7, 2019, 8:56 a.m. UTC
Make sure the underlying VMA in the process address space is the
same as it was during vm_mmap to avoid applying WC to wrong VMA.

A more long-term solution would be to have vm_mmap_locked variant
in linux/mmap.h for when caller wants to hold mmap_sem for an
extended duration.

Fixes: 1816f9236303 ("drm/i915: Support creation of unbound wc user mappings for objects")
Reported-by: Adam Zabrocki <adamza@microsoft.com>
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
Cc: <stable@vger.kernel.org> # v4.0+
Cc: Akash Goel <akash.goel@intel.com>
Cc: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Tvrtko Ursulin <tvrtko.ursulin@linux.intel.com>
Cc: Adam Zabrocki <adamza@microsoft.com>
---
 drivers/gpu/drm/i915/i915_gem.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

Comments

Chris Wilson Jan. 7, 2019, 9:13 a.m. UTC | #1
Quoting Joonas Lahtinen (2019-01-07 08:56:55)
> Make sure the underlying VMA in the process address space is the
> same as it was during vm_mmap to avoid applying WC to wrong VMA.
> 
> A more long-term solution would be to have vm_mmap_locked variant
> in linux/mmap.h for when caller wants to hold mmap_sem for an
> extended duration.
> 
> Fixes: 1816f9236303 ("drm/i915: Support creation of unbound wc user mappings for objects")
> Reported-by: Adam Zabrocki <adamza@microsoft.com>
> Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
> Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
> Cc: <stable@vger.kernel.org> # v4.0+
> Cc: Akash Goel <akash.goel@intel.com>
> Cc: Chris Wilson <chris@chris-wilson.co.uk>
> Cc: Tvrtko Ursulin <tvrtko.ursulin@linux.intel.com>
> Cc: Adam Zabrocki <adamza@microsoft.com>
> ---
>  drivers/gpu/drm/i915/i915_gem.c | 11 ++++++++++-
>  1 file changed, 10 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c
> index 062c8395557c..f1d594a53978 100644
> --- a/drivers/gpu/drm/i915/i915_gem.c
> +++ b/drivers/gpu/drm/i915/i915_gem.c
> @@ -1680,6 +1680,15 @@ i915_gem_sw_finish_ioctl(struct drm_device *dev, void *data,
>         return 0;
>  }
>  
> +static inline bool
> +match_gem_vma(struct vm_area_struct *vma, struct file *filp,
> +             unsigned long addr, unsigned long size)

With the exception of there isn't anything gem specific here,

> +{
> +       return vma && vma->vm_file == filp &&
> +              vma->vm_start == addr &&
> +              (vma->vm_end - vma->vm_start) == size;

and we can break this up into separate ifs with a forgiving compiler,

Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>

I still couldn't see an easy way of passing pgprot bits into do_mmap to
avoid the race entirely.
-Chris
Tvrtko Ursulin Jan. 7, 2019, 9:24 a.m. UTC | #2
On 07/01/2019 08:56, Joonas Lahtinen wrote:
> Make sure the underlying VMA in the process address space is the
> same as it was during vm_mmap to avoid applying WC to wrong VMA.
> 
> A more long-term solution would be to have vm_mmap_locked variant
> in linux/mmap.h for when caller wants to hold mmap_sem for an
> extended duration.
> 
> Fixes: 1816f9236303 ("drm/i915: Support creation of unbound wc user mappings for objects")
> Reported-by: Adam Zabrocki <adamza@microsoft.com>
> Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
> Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
> Cc: <stable@vger.kernel.org> # v4.0+
> Cc: Akash Goel <akash.goel@intel.com>
> Cc: Chris Wilson <chris@chris-wilson.co.uk>
> Cc: Tvrtko Ursulin <tvrtko.ursulin@linux.intel.com>
> Cc: Adam Zabrocki <adamza@microsoft.com>
> ---
>   drivers/gpu/drm/i915/i915_gem.c | 11 ++++++++++-
>   1 file changed, 10 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c
> index 062c8395557c..f1d594a53978 100644
> --- a/drivers/gpu/drm/i915/i915_gem.c
> +++ b/drivers/gpu/drm/i915/i915_gem.c
> @@ -1680,6 +1680,15 @@ i915_gem_sw_finish_ioctl(struct drm_device *dev, void *data,
>   	return 0;
>   }
>   
> +static inline bool
> +match_gem_vma(struct vm_area_struct *vma, struct file *filp,
> +	      unsigned long addr, unsigned long size)
> +{
> +	return vma && vma->vm_file == filp &&
> +	       vma->vm_start == addr &&
> +	       (vma->vm_end - vma->vm_start) == size;
> +}
> +
>   /**
>    * i915_gem_mmap_ioctl - Maps the contents of an object, returning the address
>    *			 it is mapped to.
> @@ -1738,7 +1747,7 @@ i915_gem_mmap_ioctl(struct drm_device *dev, void *data,
>   			return -EINTR;
>   		}
>   		vma = find_vma(mm, addr);
> -		if (vma)
> +		if (match_gem_vma(vma, obj->base.filp, addr, args->size))
>   			vma->vm_page_prot =
>   				pgprot_writecombine(vm_get_page_prot(vma->vm_flags));
>   		else
> 

Reviewed-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com>

Regards,

Tvrtko
Chris Wilson Jan. 7, 2019, 10:58 a.m. UTC | #3
Quoting Patchwork (2019-01-07 10:44:01)
> ### IGT changes ###
> 
> #### Possible regressions ####
> 
>   * igt@gem_userptr_blits@readonly-unsync:
>     - shard-apl:          PASS -> TIMEOUT
> 
>   * igt@kms_draw_crc@draw-method-rgb565-mmap-wc-untiled:
>     - shard-apl:          PASS -> FAIL
>     - shard-glk:          PASS -> FAIL
>     - shard-kbl:          PASS -> FAIL

igt_fb doesn't compute a page aligned size, and igt_draw ends up making
a mmap request not rounding up to the page boundary. I wonder if that
hasn't been causing a few flip-flips...
-Chris
Joonas Lahtinen Feb. 7, 2019, 1:38 p.m. UTC | #4
Quoting Joonas Lahtinen (2019-01-07 10:56:55)
> Make sure the underlying VMA in the process address space is the
> same as it was during vm_mmap to avoid applying WC to wrong VMA.
> 
> A more long-term solution would be to have vm_mmap_locked variant
> in linux/mmap.h for when caller wants to hold mmap_sem for an
> extended duration.

These are now merged to drm-tip, and will head to 5.1 and then
to stable kernels.

Thanks for the report and reviews!

Regards, Joonas

> Fixes: 1816f9236303 ("drm/i915: Support creation of unbound wc user mappings for objects")
> Reported-by: Adam Zabrocki <adamza@microsoft.com>
> Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
> Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
> Cc: <stable@vger.kernel.org> # v4.0+
> Cc: Akash Goel <akash.goel@intel.com>
> Cc: Chris Wilson <chris@chris-wilson.co.uk>
> Cc: Tvrtko Ursulin <tvrtko.ursulin@linux.intel.com>
> Cc: Adam Zabrocki <adamza@microsoft.com>
> ---
>  drivers/gpu/drm/i915/i915_gem.c | 11 ++++++++++-
>  1 file changed, 10 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c
> index 062c8395557c..f1d594a53978 100644
> --- a/drivers/gpu/drm/i915/i915_gem.c
> +++ b/drivers/gpu/drm/i915/i915_gem.c
> @@ -1680,6 +1680,15 @@ i915_gem_sw_finish_ioctl(struct drm_device *dev, void *data,
>         return 0;
>  }
>  
> +static inline bool
> +match_gem_vma(struct vm_area_struct *vma, struct file *filp,
> +             unsigned long addr, unsigned long size)
> +{
> +       return vma && vma->vm_file == filp &&
> +              vma->vm_start == addr &&
> +              (vma->vm_end - vma->vm_start) == size;
> +}
> +
>  /**
>   * i915_gem_mmap_ioctl - Maps the contents of an object, returning the address
>   *                      it is mapped to.
> @@ -1738,7 +1747,7 @@ i915_gem_mmap_ioctl(struct drm_device *dev, void *data,
>                         return -EINTR;
>                 }
>                 vma = find_vma(mm, addr);
> -               if (vma)
> +               if (match_gem_vma(vma, obj->base.filp, addr, args->size))
>                         vma->vm_page_prot =
>                                 pgprot_writecombine(vm_get_page_prot(vma->vm_flags));
>                 else
> -- 
> 2.17.2
>
Adam Zabrocki Feb. 8, 2019, 12:03 a.m. UTC | #5
Thanks for the patch for both issues!

Best regards,
Adam

-----Original Message-----
From: Joonas Lahtinen <joonas.lahtinen@linux.intel.com> 
Sent: Thursday, February 7, 2019 5:39 AM
To: Intel graphics driver community testing & development <intel-gfx@lists.freedesktop.org>
Cc: stable@vger.kernel.org; Akash Goel <akash.goel@intel.com>; Chris Wilson <chris@chris-wilson.co.uk>; Tvrtko Ursulin <tvrtko.ursulin@linux.intel.com>; Adam Zabrocki <adamza@microsoft.com>
Subject: Re: [PATCH 1/2] drm/i915: Prevent a race during I915_GEM_MMAP ioctl with WC set

Quoting Joonas Lahtinen (2019-01-07 10:56:55)
> Make sure the underlying VMA in the process address space is the same 
> as it was during vm_mmap to avoid applying WC to wrong VMA.
> 
> A more long-term solution would be to have vm_mmap_locked variant in 
> linux/mmap.h for when caller wants to hold mmap_sem for an extended 
> duration.

These are now merged to drm-tip, and will head to 5.1 and then to stable kernels.

Thanks for the report and reviews!

Regards, Joonas

> Fixes: 1816f9236303 ("drm/i915: Support creation of unbound wc user 
> mappings for objects")
> Reported-by: Adam Zabrocki <adamza@microsoft.com>
> Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
> Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
> Cc: <stable@vger.kernel.org> # v4.0+
> Cc: Akash Goel <akash.goel@intel.com>
> Cc: Chris Wilson <chris@chris-wilson.co.uk>
> Cc: Tvrtko Ursulin <tvrtko.ursulin@linux.intel.com>
> Cc: Adam Zabrocki <adamza@microsoft.com>
> ---
>  drivers/gpu/drm/i915/i915_gem.c | 11 ++++++++++-
>  1 file changed, 10 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/gpu/drm/i915/i915_gem.c 
> b/drivers/gpu/drm/i915/i915_gem.c index 062c8395557c..f1d594a53978 
> 100644
> --- a/drivers/gpu/drm/i915/i915_gem.c
> +++ b/drivers/gpu/drm/i915/i915_gem.c
> @@ -1680,6 +1680,15 @@ i915_gem_sw_finish_ioctl(struct drm_device *dev, void *data,
>         return 0;
>  }
>  
> +static inline bool
> +match_gem_vma(struct vm_area_struct *vma, struct file *filp,
> +             unsigned long addr, unsigned long size) {
> +       return vma && vma->vm_file == filp &&
> +              vma->vm_start == addr &&
> +              (vma->vm_end - vma->vm_start) == size; }
> +
>  /**
>   * i915_gem_mmap_ioctl - Maps the contents of an object, returning the address
>   *                      it is mapped to.
> @@ -1738,7 +1747,7 @@ i915_gem_mmap_ioctl(struct drm_device *dev, void *data,
>                         return -EINTR;
>                 }
>                 vma = find_vma(mm, addr);
> -               if (vma)
> +               if (match_gem_vma(vma, obj->base.filp, addr, 
> + args->size))
>                         vma->vm_page_prot =
>                                 pgprot_writecombine(vm_get_page_prot(vma->vm_flags));
>                 else
> --
> 2.17.2
>

Patch
diff mbox series

diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c
index 062c8395557c..f1d594a53978 100644
--- a/drivers/gpu/drm/i915/i915_gem.c
+++ b/drivers/gpu/drm/i915/i915_gem.c
@@ -1680,6 +1680,15 @@  i915_gem_sw_finish_ioctl(struct drm_device *dev, void *data,
 	return 0;
 }
 
+static inline bool
+match_gem_vma(struct vm_area_struct *vma, struct file *filp,
+	      unsigned long addr, unsigned long size)
+{
+	return vma && vma->vm_file == filp &&
+	       vma->vm_start == addr &&
+	       (vma->vm_end - vma->vm_start) == size;
+}
+
 /**
  * i915_gem_mmap_ioctl - Maps the contents of an object, returning the address
  *			 it is mapped to.
@@ -1738,7 +1747,7 @@  i915_gem_mmap_ioctl(struct drm_device *dev, void *data,
 			return -EINTR;
 		}
 		vma = find_vma(mm, addr);
-		if (vma)
+		if (match_gem_vma(vma, obj->base.filp, addr, args->size))
 			vma->vm_page_prot =
 				pgprot_writecombine(vm_get_page_prot(vma->vm_flags));
 		else