Make sure the underlying VMA in the process address space is the same as it was during vm_mmap to avoid applying WC to wrong VMA.
A more long-term solution would be to have vm_mmap_locked variant in linux/mmap.h for when caller wants to hold mmap_sem for an extended duration.
Fixes: 1816f9236303 ("drm/i915: Support creation of unbound wc user mappings for objects") Reported-by: Adam Zabrocki adamza@microsoft.com Suggested-by: Linus Torvalds torvalds@linux-foundation.org Signed-off-by: Joonas Lahtinen joonas.lahtinen@linux.intel.com Cc: stable@vger.kernel.org # v4.0+ Cc: Akash Goel akash.goel@intel.com Cc: Chris Wilson chris@chris-wilson.co.uk Cc: Tvrtko Ursulin tvrtko.ursulin@linux.intel.com Cc: Adam Zabrocki adamza@microsoft.com --- drivers/gpu/drm/i915/i915_gem.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c index 062c8395557c..f1d594a53978 100644 --- a/drivers/gpu/drm/i915/i915_gem.c +++ b/drivers/gpu/drm/i915/i915_gem.c @@ -1680,6 +1680,15 @@ i915_gem_sw_finish_ioctl(struct drm_device *dev, void *data, return 0; }
+static inline bool +match_gem_vma(struct vm_area_struct *vma, struct file *filp, + unsigned long addr, unsigned long size) +{ + return vma && vma->vm_file == filp && + vma->vm_start == addr && + (vma->vm_end - vma->vm_start) == size; +} + /** * i915_gem_mmap_ioctl - Maps the contents of an object, returning the address * it is mapped to. @@ -1738,7 +1747,7 @@ i915_gem_mmap_ioctl(struct drm_device *dev, void *data, return -EINTR; } vma = find_vma(mm, addr); - if (vma) + if (match_gem_vma(vma, obj->base.filp, addr, args->size)) vma->vm_page_prot = pgprot_writecombine(vm_get_page_prot(vma->vm_flags)); else
Add err goto label and use it when VMA can't be established or changes underneath.
Fixes: 1816f9236303 ("drm/i915: Support creation of unbound wc user mappings for objects") Reported-by: Adam Zabrocki adamza@microsoft.com Signed-off-by: Joonas Lahtinen joonas.lahtinen@linux.intel.com Cc: stable@vger.kernel.org # v4.0+ Cc: Akash Goel akash.goel@intel.com Cc: Chris Wilson chris@chris-wilson.co.uk Cc: Tvrtko Ursulin tvrtko.ursulin@linux.intel.com Cc: Adam Zabrocki adamza@microsoft.com --- drivers/gpu/drm/i915/i915_gem.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c index f1d594a53978..97cbc0e27e3e 100644 --- a/drivers/gpu/drm/i915/i915_gem.c +++ b/drivers/gpu/drm/i915/i915_gem.c @@ -1738,6 +1738,9 @@ i915_gem_mmap_ioctl(struct drm_device *dev, void *data, addr = vm_mmap(obj->base.filp, 0, args->size, PROT_READ | PROT_WRITE, MAP_SHARED, args->offset); + if (IS_ERR((void *)addr)) + goto err; + if (args->flags & I915_MMAP_WC) { struct mm_struct *mm = current->mm; struct vm_area_struct *vma; @@ -1753,17 +1756,22 @@ i915_gem_mmap_ioctl(struct drm_device *dev, void *data, else addr = -ENOMEM; up_write(&mm->mmap_sem); + if (IS_ERR((void *)addr)) + goto err;
/* This may race, but that's ok, it only gets set */ WRITE_ONCE(obj->frontbuffer_ggtt_origin, ORIGIN_CPU); } i915_gem_object_put(obj); - if (IS_ERR((void *)addr)) - return addr;
args->addr_ptr = (uint64_t) addr;
return 0; + +err: + i915_gem_object_put(obj); + + return addr; }
static unsigned int tile_row_pages(const struct drm_i915_gem_object *obj)
Quoting Joonas Lahtinen (2019-01-07 08:56:56)
Add err goto label and use it when VMA can't be established or changes underneath.
Fixes: 1816f9236303 ("drm/i915: Support creation of unbound wc user mappings for objects")
Dubious. All it changes is one branch where the error is forced to -ENOMEM.
Reported-by: Adam Zabrocki adamza@microsoft.com Signed-off-by: Joonas Lahtinen joonas.lahtinen@linux.intel.com Cc: stable@vger.kernel.org # v4.0+ Cc: Akash Goel akash.goel@intel.com Cc: Chris Wilson chris@chris-wilson.co.uk Cc: Tvrtko Ursulin tvrtko.ursulin@linux.intel.com Cc: Adam Zabrocki adamza@microsoft.com
drivers/gpu/drm/i915/i915_gem.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c index f1d594a53978..97cbc0e27e3e 100644 --- a/drivers/gpu/drm/i915/i915_gem.c +++ b/drivers/gpu/drm/i915/i915_gem.c @@ -1738,6 +1738,9 @@ i915_gem_mmap_ioctl(struct drm_device *dev, void *data, addr = vm_mmap(obj->base.filp, 0, args->size, PROT_READ | PROT_WRITE, MAP_SHARED, args->offset);
if (IS_ERR((void *)addr))goto err;if (args->flags & I915_MMAP_WC) { struct mm_struct *mm = current->mm; struct vm_area_struct *vma;@@ -1753,17 +1756,22 @@ i915_gem_mmap_ioctl(struct drm_device *dev, void *data, else addr = -ENOMEM; up_write(&mm->mmap_sem);
if (IS_ERR((void *)addr))goto err;
The issue still remains that we are returning having called vm_mmap and leaving the vma intact. And we've established above that calling vm_munmap() is a race. -Chris
On 07/01/2019 08:56, Joonas Lahtinen wrote:
Add err goto label and use it when VMA can't be established or changes underneath.
Fixes: 1816f9236303 ("drm/i915: Support creation of unbound wc user mappings for objects") Reported-by: Adam Zabrocki adamza@microsoft.com Signed-off-by: Joonas Lahtinen joonas.lahtinen@linux.intel.com Cc: stable@vger.kernel.org # v4.0+ Cc: Akash Goel akash.goel@intel.com Cc: Chris Wilson chris@chris-wilson.co.uk Cc: Tvrtko Ursulin tvrtko.ursulin@linux.intel.com Cc: Adam Zabrocki adamza@microsoft.com
drivers/gpu/drm/i915/i915_gem.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c index f1d594a53978..97cbc0e27e3e 100644 --- a/drivers/gpu/drm/i915/i915_gem.c +++ b/drivers/gpu/drm/i915/i915_gem.c @@ -1738,6 +1738,9 @@ i915_gem_mmap_ioctl(struct drm_device *dev, void *data, addr = vm_mmap(obj->base.filp, 0, args->size, PROT_READ | PROT_WRITE, MAP_SHARED, args->offset);
- if (IS_ERR((void *)addr))
goto err;- if (args->flags & I915_MMAP_WC) { struct mm_struct *mm = current->mm; struct vm_area_struct *vma;
@@ -1753,17 +1756,22 @@ i915_gem_mmap_ioctl(struct drm_device *dev, void *data, else addr = -ENOMEM; up_write(&mm->mmap_sem);
if (IS_ERR((void *)addr))goto err;/* This may race, but that's ok, it only gets set */ WRITE_ONCE(obj->frontbuffer_ggtt_origin, ORIGIN_CPU); } i915_gem_object_put(obj);
- if (IS_ERR((void *)addr))
return addr;args->addr_ptr = (uint64_t) addr; return 0;
+err:
- i915_gem_object_put(obj);
- return addr; }
static unsigned int tile_row_pages(const struct drm_i915_gem_object *obj)
Reviewed-by: Tvrtko Ursulin tvrtko.ursulin@intel.com
Regards,
Tvrtko
Quoting Joonas Lahtinen (2019-01-07 08:56:55)
Make sure the underlying VMA in the process address space is the same as it was during vm_mmap to avoid applying WC to wrong VMA.
A more long-term solution would be to have vm_mmap_locked variant in linux/mmap.h for when caller wants to hold mmap_sem for an extended duration.
Fixes: 1816f9236303 ("drm/i915: Support creation of unbound wc user mappings for objects") Reported-by: Adam Zabrocki adamza@microsoft.com Suggested-by: Linus Torvalds torvalds@linux-foundation.org Signed-off-by: Joonas Lahtinen joonas.lahtinen@linux.intel.com Cc: stable@vger.kernel.org # v4.0+ Cc: Akash Goel akash.goel@intel.com Cc: Chris Wilson chris@chris-wilson.co.uk Cc: Tvrtko Ursulin tvrtko.ursulin@linux.intel.com Cc: Adam Zabrocki adamza@microsoft.com
drivers/gpu/drm/i915/i915_gem.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c index 062c8395557c..f1d594a53978 100644 --- a/drivers/gpu/drm/i915/i915_gem.c +++ b/drivers/gpu/drm/i915/i915_gem.c @@ -1680,6 +1680,15 @@ i915_gem_sw_finish_ioctl(struct drm_device *dev, void *data, return 0; } +static inline bool +match_gem_vma(struct vm_area_struct *vma, struct file *filp,
unsigned long addr, unsigned long size)
With the exception of there isn't anything gem specific here,
+{
return vma && vma->vm_file == filp &&vma->vm_start == addr &&(vma->vm_end - vma->vm_start) == size;
and we can break this up into separate ifs with a forgiving compiler,
Reviewed-by: Chris Wilson chris@chris-wilson.co.uk
I still couldn't see an easy way of passing pgprot bits into do_mmap to avoid the race entirely. -Chris
On 07/01/2019 08:56, Joonas Lahtinen wrote:
Make sure the underlying VMA in the process address space is the same as it was during vm_mmap to avoid applying WC to wrong VMA.
A more long-term solution would be to have vm_mmap_locked variant in linux/mmap.h for when caller wants to hold mmap_sem for an extended duration.
Fixes: 1816f9236303 ("drm/i915: Support creation of unbound wc user mappings for objects") Reported-by: Adam Zabrocki adamza@microsoft.com Suggested-by: Linus Torvalds torvalds@linux-foundation.org Signed-off-by: Joonas Lahtinen joonas.lahtinen@linux.intel.com Cc: stable@vger.kernel.org # v4.0+ Cc: Akash Goel akash.goel@intel.com Cc: Chris Wilson chris@chris-wilson.co.uk Cc: Tvrtko Ursulin tvrtko.ursulin@linux.intel.com Cc: Adam Zabrocki adamza@microsoft.com
drivers/gpu/drm/i915/i915_gem.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c index 062c8395557c..f1d594a53978 100644 --- a/drivers/gpu/drm/i915/i915_gem.c +++ b/drivers/gpu/drm/i915/i915_gem.c @@ -1680,6 +1680,15 @@ i915_gem_sw_finish_ioctl(struct drm_device *dev, void *data, return 0; } +static inline bool +match_gem_vma(struct vm_area_struct *vma, struct file *filp,
unsigned long addr, unsigned long size)+{
- return vma && vma->vm_file == filp &&
vma->vm_start == addr &&(vma->vm_end - vma->vm_start) == size;+}
- /**
- i915_gem_mmap_ioctl - Maps the contents of an object, returning the address
it is mapped to.@@ -1738,7 +1747,7 @@ i915_gem_mmap_ioctl(struct drm_device *dev, void *data, return -EINTR; } vma = find_vma(mm, addr);
if (vma)
if (match_gem_vma(vma, obj->base.filp, addr, args->size)) vma->vm_page_prot = pgprot_writecombine(vm_get_page_prot(vma->vm_flags));
Reviewed-by: Tvrtko Ursulin tvrtko.ursulin@intel.com
Regards,
Tvrtko
Quoting Joonas Lahtinen (2019-01-07 10:56:55)
Make sure the underlying VMA in the process address space is the same as it was during vm_mmap to avoid applying WC to wrong VMA.
A more long-term solution would be to have vm_mmap_locked variant in linux/mmap.h for when caller wants to hold mmap_sem for an extended duration.
These are now merged to drm-tip, and will head to 5.1 and then to stable kernels.
Thanks for the report and reviews!
Regards, Joonas
Fixes: 1816f9236303 ("drm/i915: Support creation of unbound wc user mappings for objects") Reported-by: Adam Zabrocki adamza@microsoft.com Suggested-by: Linus Torvalds torvalds@linux-foundation.org Signed-off-by: Joonas Lahtinen joonas.lahtinen@linux.intel.com Cc: stable@vger.kernel.org # v4.0+ Cc: Akash Goel akash.goel@intel.com Cc: Chris Wilson chris@chris-wilson.co.uk Cc: Tvrtko Ursulin tvrtko.ursulin@linux.intel.com Cc: Adam Zabrocki adamza@microsoft.com
drivers/gpu/drm/i915/i915_gem.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c index 062c8395557c..f1d594a53978 100644 --- a/drivers/gpu/drm/i915/i915_gem.c +++ b/drivers/gpu/drm/i915/i915_gem.c @@ -1680,6 +1680,15 @@ i915_gem_sw_finish_ioctl(struct drm_device *dev, void *data, return 0; } +static inline bool +match_gem_vma(struct vm_area_struct *vma, struct file *filp,
unsigned long addr, unsigned long size)+{
return vma && vma->vm_file == filp &&vma->vm_start == addr &&(vma->vm_end - vma->vm_start) == size;+}
/**
- i915_gem_mmap_ioctl - Maps the contents of an object, returning the address
it is mapped to.@@ -1738,7 +1747,7 @@ i915_gem_mmap_ioctl(struct drm_device *dev, void *data, return -EINTR; } vma = find_vma(mm, addr);
if (vma)
if (match_gem_vma(vma, obj->base.filp, addr, args->size)) vma->vm_page_prot = pgprot_writecombine(vm_get_page_prot(vma->vm_flags)); else-- 2.17.2
Thanks for the patch for both issues!
Best regards, Adam
-----Original Message----- From: Joonas Lahtinen joonas.lahtinen@linux.intel.com Sent: Thursday, February 7, 2019 5:39 AM To: Intel graphics driver community testing & development intel-gfx@lists.freedesktop.org Cc: stable@vger.kernel.org; Akash Goel akash.goel@intel.com; Chris Wilson chris@chris-wilson.co.uk; Tvrtko Ursulin tvrtko.ursulin@linux.intel.com; Adam Zabrocki adamza@microsoft.com Subject: Re: [PATCH 1/2] drm/i915: Prevent a race during I915_GEM_MMAP ioctl with WC set
Quoting Joonas Lahtinen (2019-01-07 10:56:55)
Make sure the underlying VMA in the process address space is the same as it was during vm_mmap to avoid applying WC to wrong VMA.
A more long-term solution would be to have vm_mmap_locked variant in linux/mmap.h for when caller wants to hold mmap_sem for an extended duration.
These are now merged to drm-tip, and will head to 5.1 and then to stable kernels.
Thanks for the report and reviews!
Regards, Joonas
Fixes: 1816f9236303 ("drm/i915: Support creation of unbound wc user mappings for objects") Reported-by: Adam Zabrocki adamza@microsoft.com Suggested-by: Linus Torvalds torvalds@linux-foundation.org Signed-off-by: Joonas Lahtinen joonas.lahtinen@linux.intel.com Cc: stable@vger.kernel.org # v4.0+ Cc: Akash Goel akash.goel@intel.com Cc: Chris Wilson chris@chris-wilson.co.uk Cc: Tvrtko Ursulin tvrtko.ursulin@linux.intel.com Cc: Adam Zabrocki adamza@microsoft.com
drivers/gpu/drm/i915/i915_gem.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c index 062c8395557c..f1d594a53978 100644 --- a/drivers/gpu/drm/i915/i915_gem.c +++ b/drivers/gpu/drm/i915/i915_gem.c @@ -1680,6 +1680,15 @@ i915_gem_sw_finish_ioctl(struct drm_device *dev, void *data, return 0; } +static inline bool +match_gem_vma(struct vm_area_struct *vma, struct file *filp,
unsigned long addr, unsigned long size) {return vma && vma->vm_file == filp &&vma->vm_start == addr &&(vma->vm_end - vma->vm_start) == size; }/**
- i915_gem_mmap_ioctl - Maps the contents of an object, returning the address
it is mapped to.@@ -1738,7 +1747,7 @@ i915_gem_mmap_ioctl(struct drm_device *dev, void *data, return -EINTR; } vma = find_vma(mm, addr);
if (vma)
if (match_gem_vma(vma, obj->base.filp, addr,- args->size)) vma->vm_page_prot = pgprot_writecombine(vm_get_page_prot(vma->vm_flags)); else
-- 2.17.2
linux-stable-mirror@lists.linaro.org
-
Adam Zabrocki -
Chris Wilson -
Joonas Lahtinen -
Tvrtko Ursulin