From: Maarten Lankhorst <maarten.lankhorst@canonical.com>
To: Jerome Glisse <j.glisse@gmail.com>,
Thomas Hellstrom <thellstrom@vmware.com>
Cc: "Christian König" <deathsimple@vodafone.de>,
"Peter Zijlstra" <peterz@infradead.org>,
"Daniel Vetter" <daniel.vetter@ffwll.ch>,
intel-gfx <intel-gfx@lists.freedesktop.org>,
"Linux Kernel Mailing List" <linux-kernel@vger.kernel.org>,
dri-devel <dri-devel@lists.freedesktop.org>,
"Alex Deucher" <alexander.deucher@amd.com>,
"Thomas Gleixner" <tglx@linutronix.de>,
"Ingo Molnar" <mingo@kernel.org>
Subject: Re: [RFC PATCH] drm/radeon: fixup locking inversion between mmap_sem and reservations
Date: Wed, 09 Oct 2013 12:58:36 +0200 [thread overview]
Message-ID: <525536DC.5020801@canonical.com> (raw)
In-Reply-To: <20131008164737.GA2782@gmail.com>
op 08-10-13 18:47, Jerome Glisse schreef:
> On Tue, Oct 08, 2013 at 06:29:35PM +0200, Thomas Hellstrom wrote:
>> On 10/08/2013 04:55 PM, Jerome Glisse wrote:
>>> On Tue, Oct 08, 2013 at 04:45:18PM +0200, Christian König wrote:
>>>> Am 08.10.2013 16:33, schrieb Jerome Glisse:
>>>>> On Tue, Oct 08, 2013 at 04:14:40PM +0200, Maarten Lankhorst wrote:
>>>>>> Allocate and copy all kernel memory before doing reservations. This prevents a locking
>>>>>> inversion between mmap_sem and reservation_class, and allows us to drop the trylocking
>>>>>> in ttm_bo_vm_fault without upsetting lockdep.
>>>>>>
>>>>>> Signed-off-by: Maarten Lankhorst <maarten.lankhorst@canonical.com>
>>>>> I would say NAK. Current code only allocate temporary page in AGP case.
>>>>> So AGP case is userspace -> temp page -> cs checker -> radeon ib.
>>>>>
>>>>> Non AGP is directly memcpy to radeon IB.
>>>>>
>>>>> Your patch allocate memory memcpy userspace to it and it will then be
>>>>> memcpy to IB. Which means you introduce an extra memcpy in the process
>>>>> not something we want.
>>>> Totally agree. Additional to that there is no good reason to provide
>>>> anything else than anonymous system memory to the CS ioctl, so the
>>>> dependency between the mmap_sem and reservations are not really
>>>> clear to me.
>>>>
>>>> Christian.
>>> I think is that in other code path you take mmap_sem first then reserve
>>> bo. But here we reserve bo and then we take mmap_sem because of copy
>> >from user.
>>> Cheers,
>>> Jerome
>>>
>> Actually the log message is a little confusing. I think the mmap_sem
>> locking inversion problem is orthogonal to what's being fixed here.
>>
>> This patch fixes the possible recursive bo::reserve caused by
>> malicious user-space handing a pointer to ttm memory so that the ttm
>> fault handler is called when bos are already reserved. That may
>> cause a (possibly interruptible) livelock.
>>
>> Once that is fixed, we are free to choose the mmap_sem ->
>> bo::reserve locking order. Currently it's bo::reserve->mmap_sem(),
>> but the hack required in the ttm fault handler is admittedly a bit
>> ugly. The plan is to change the locking order to
>> mmap_sem->bo::reserve
>>
>> I'm not sure if it applies to this particular case, but it should be
>> possible to make sure that copy_from_user_inatomic() will always
>> succeed, by making sure the pages are present using
>> get_user_pages(), and release the pages after
>> copy_from_user_inatomic() is done. That way there's no need for a
>> double memcpy slowpath, but if the copied data is very fragmented I
>> guess the resulting code may look ugly. The get_user_pages()
>> function will return an error if it hits TTM pages.
>>
>> /Thomas
> get_user_pages + copy_from_user_inatomic is overkill. We should just
> do get_user_pages which fails with ttm memory and then use copy_highpage
> helper.
I don't think we have to do anything that complicated, the easiest solution seems to be to
call radeon_ib_get before calling radeon_cs_parser_relocs, and copy everything to the ib
buffer before taking the reserve lock.
~Maarten
next prev parent reply other threads:[~2013-10-09 10:58 UTC|newest]
Thread overview: 68+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-09-12 15:06 [BUG] completely bonkers use of set_need_resched + VM_FAULT_NOPAGE Peter Zijlstra
2013-09-12 15:11 ` Maarten Lankhorst
2013-09-12 15:14 ` Peter Zijlstra
2013-09-12 15:14 ` Peter Zijlstra
2013-09-12 15:36 ` Daniel Vetter
2013-09-12 15:43 ` Peter Zijlstra
2013-09-12 15:43 ` Peter Zijlstra
2013-09-12 15:58 ` Daniel Vetter
2013-09-12 16:22 ` Peter Zijlstra
2013-09-12 16:35 ` Chris Wilson
2013-09-12 16:35 ` Chris Wilson
2013-09-12 20:30 ` Peter Zijlstra
2013-09-12 20:37 ` Thomas Gleixner
2013-09-12 19:52 ` Daniel Vetter
2013-09-12 19:58 ` Thomas Gleixner
2013-09-12 20:04 ` Daniel Vetter
2013-09-12 20:20 ` Thomas Gleixner
2013-09-12 20:23 ` Daniel Vetter
2013-09-12 20:39 ` Thomas Gleixner
2013-09-12 20:48 ` Thomas Hellstrom
2013-09-12 20:48 ` Thomas Hellstrom
2013-09-12 16:33 ` Thomas Hellstrom
2013-09-12 16:33 ` Thomas Hellstrom
2013-09-12 15:45 ` Maarten Lankhorst
2013-09-12 15:45 ` Maarten Lankhorst
2013-09-12 16:44 ` Thomas Hellstrom
2013-09-12 19:48 ` Daniel Vetter
2013-09-12 21:50 ` Maarten Lankhorst
2013-09-13 5:33 ` Thomas Hellstrom
2013-09-13 8:26 ` Daniel Vetter
2013-10-08 14:14 ` [RFC PATCH] drm/radeon: fixup locking inversion between mmap_sem and reservations Maarten Lankhorst
2013-10-08 14:33 ` Jerome Glisse
2013-10-08 14:45 ` Christian König
2013-10-08 14:55 ` Jerome Glisse
2013-10-08 16:29 ` Thomas Hellstrom
2013-10-08 16:47 ` Jerome Glisse
2013-10-08 16:58 ` Thomas Hellstrom
2013-10-09 12:36 ` [RFC PATCH v2] drm/radeon: fixup locking inversion between, " Maarten Lankhorst
2013-10-09 10:58 ` Maarten Lankhorst [this message]
2013-10-08 14:45 ` [RFC PATCH] drm/radeon: fixup locking inversion between " Maarten Lankhorst
2013-10-08 14:57 ` Jerome Glisse
2013-09-13 6:44 ` [BUG] completely bonkers use of set_need_resched + VM_FAULT_NOPAGE Thomas Hellstrom
2013-09-13 6:44 ` Thomas Hellstrom
2013-09-13 7:16 ` Maarten Lankhorst
2013-09-13 7:46 ` Thomas Hellstrom
2013-09-13 7:51 ` Maarten Lankhorst
2013-09-13 8:23 ` Thomas Hellstrom
2013-09-13 8:23 ` Thomas Hellstrom
2013-09-13 8:32 ` Daniel Vetter
2013-09-13 8:39 ` Thomas Hellstrom
2013-09-13 8:58 ` Maarten Lankhorst
2013-09-13 9:21 ` Thomas Hellstrom
2013-09-13 8:29 ` Peter Zijlstra
2013-09-13 8:41 ` Daniel Vetter
2013-09-13 9:00 ` Peter Zijlstra
2013-09-23 15:33 ` [RFC PATCH] drm/nouveau: fix nested locking in mmap handler Maarten Lankhorst
2013-09-24 7:22 ` Thomas Hellstrom
2013-09-24 7:34 ` Maarten Lankhorst
2013-09-24 8:20 ` Ingo Molnar
2013-09-24 9:03 ` Thomas Hellstrom
2013-09-24 9:36 ` Daniel Vetter
2013-09-24 10:11 ` Maarten Lankhorst
2013-09-24 10:33 ` Thomas Hellstrom
2013-09-24 11:32 ` Maarten Lankhorst
2013-09-24 17:04 ` Thomas Hellstrom
2013-09-24 9:43 ` Maarten Lankhorst
2013-09-24 9:43 ` Maarten Lankhorst
2013-09-24 17:53 ` Thomas Hellstrom
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=525536DC.5020801@canonical.com \
--to=maarten.lankhorst@canonical.com \
--cc=alexander.deucher@amd.com \
--cc=daniel.vetter@ffwll.ch \
--cc=deathsimple@vodafone.de \
--cc=dri-devel@lists.freedesktop.org \
--cc=intel-gfx@lists.freedesktop.org \
--cc=j.glisse@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@kernel.org \
--cc=peterz@infradead.org \
--cc=tglx@linutronix.de \
--cc=thellstrom@vmware.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.