From: Thomas Hellström
Subject: Re: Breakage in "track dev_mapping in more robust and flexible way"
Date: Thu, 25 Oct 2012 20:27:07 +0200
Message-ID: <5089847B.50808@vmware.com>
To: Ilija Hadzic
Cc: Dave Airlie, linux-graphics-maintainer@vmware.com, "dri-devel@lists.freedesktop.org"

On 10/25/12 7:12 PM, Ilija Hadzic wrote:
> On Thu, Oct 25, 2012 at 11:10 AM, Thomas Hellström wrote:
>> On 10/25/12 4:41 PM, Jerome Glisse wrote:
>>> On Thu, Oct 25, 2012 at 04:02:25PM +0200, Thomas Hellstrom wrote:
>>>> Hi,
>>>>
>>>> This commit
>>>>
>>>> From 949c4a34afacfe800fc442afac117aba15284962 Mon Sep 17 00:00:00 2001
>>>> From: Ilija Hadzic
>>>> Date: Tue, 15 May 2012 16:40:10 -0400
>>>> Subject: [PATCH] drm: track dev_mapping in more robust and flexible way
>>>>
>>>> Setting dev_mapping (pointer to the address_space structure
>>>> used for memory mappings) to the address_space of the first
>>>> opener's inode and then failing if other openers come in
>>>> through a different inode has a few restrictions that are
>>>> eliminated by this patch.
>>>>
>>>> If we already have valid dev_mapping and we spot an opener
>>>> with different i_node, we force its i_mapping pointer to the
>>>> already established address_space structure (first opener's
>>>> inode). This will make all mappings from drm device hang off
>>>> the same address_space object.
>>>> ...
>>>>
>>>> Breaks drivers using TTM, since when the X server calls into the
>>>> driver open, drm's dev_mapping has not yet been set up. The setup
>>>> needs to be moved before the driver's open hook is called.
>>>>
>>>> Typically, if a TTM-aware driver is provoked by the Xorg server to
>>>> move a buffer from system to VRAM or AGP, before any other drm
>>>> client is started, the user-space page table entries are not killed
>>>> before the move, and left pointing into freed pages, causing system
>>>> crashes and / or user-space access to arbitrary memory.
>>> Doesn't handle move invalidate the drm file mapping before scheduling
>>> the move ?
>> Yes, but to do that it needs a correct value of bdev::dev_mapping, which
>> is now incorrectly set on the *second* open instead of the first open.
>>
> So you are implying that in the first open the assignment of
> dev->dev_mapping is somehow skipped (which could happen if drm_setup
> returns an error) or that the driver on which you are having problems
> with (nouveau I presume) needs dev_mapping in the firstopen hook ?

No. On open, driver::open is called from drm::open. It copies the value
of dev->dev_mapping, however, driver::open is called *before*
dev->dev_mapping is set up, so what I'm saying is that the setup of
dev->dev_mapping must be moved to before driver::open is called from
drm::open (this was hit while testing vmwgfx with new code, BTW. It will
be hard, but probably possible to trigger from unprivileged user-space
with the current vmwgfx code.)

Thanks,
Thomas
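
The ordering problem described in this message, as an added user-space model in C (not kernel or driver code, and not from the thread). The struct and function names are simplified stand-ins, and the open hook's copy-once behaviour is an assumption drawn from the statement that bdev::dev_mapping ends up set on the second open.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model; every name here is a stand-in, not the kernel's own code. */
struct address_space { int live_ptes; };  /* user PTEs hanging off this mapping */
struct drm_device { struct address_space *dev_mapping; };
struct bdev { struct address_space *dev_mapping; };  /* driver's cached copy */

/* Driver open hook: snapshots dev->dev_mapping if it has no copy yet (assumed). */
static void driver_open(struct drm_device *dev, struct bdev *bdev)
{
    if (bdev->dev_mapping == NULL)
        bdev->dev_mapping = dev->dev_mapping;
}

/* Core open: fixed != 0 sets dev_mapping before the hook runs, otherwise after. */
static void drm_open(struct drm_device *dev, struct bdev *bdev,
                     struct address_space *inode_mapping, int fixed)
{
    if (fixed && dev->dev_mapping == NULL)
        dev->dev_mapping = inode_mapping;
    driver_open(dev, bdev);
    if (!fixed && dev->dev_mapping == NULL)
        dev->dev_mapping = inode_mapping;
}

/* Buffer move: user PTEs must be zapped through the cached mapping first. */
static int move_buffer(struct bdev *bdev)
{
    if (bdev->dev_mapping == NULL)
        return -1;                     /* nothing zapped: stale PTEs remain */
    bdev->dev_mapping->live_ptes = 0;  /* stands in for unmapping the range */
    return 0;
}

/* Returns the PTEs still live after a move that follows `opens` device opens. */
int stale_ptes_after_move(int fixed, int opens)
{
    struct address_space as = { .live_ptes = 4 };  /* constructed sample state */
    struct drm_device dev = { NULL };
    struct bdev bdev = { NULL };
    for (int i = 0; i < opens; i++)
        drm_open(&dev, &bdev, &as, fixed);
    move_buffer(&bdev);
    return as.live_ptes;
}

int main(void)
{
    printf("old order, 1 open: %d stale\n", stale_ptes_after_move(0, 1));
    printf("fixed order, 1 open: %d stale\n", stale_ptes_after_move(1, 1));
    return 0;
}
```

With the old order the single-opener case leaves every modelled PTE in place, which is the window the message describes: a buffer move before any second client has opened the device.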