From mboxrd@z Thu Jan 1 00:00:00 1970 From: Thomas Hellstrom Subject: Re: [RFC PATCH] drm/radeon: fixup locking inversion between mmap_sem and reservations Date: Tue, 08 Oct 2013 18:29:35 +0200 Message-ID: <525432EF.3050005@vmware.com> References: <20130912150645.GZ31370@twins.programming.kicks-ass.net> <5231E18D.7070306@canonical.com> <5231EF5A.7010901@vmware.com> <52323734.4070908@canonical.com> <5232A39B.5040205@vmware.com> <52541350.5060807@canonical.com> <20131008143354.GA2355@gmail.com> <52541A7E.6050807@vodafone.de> <20131008145540.GB2355@gmail.com> Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: QUOTED-PRINTABLE Return-path: In-Reply-To: <20131008145540.GB2355@gmail.com> Sender: linux-kernel-owner@vger.kernel.org To: Jerome Glisse Cc: =?ISO-8859-1?Q?Christian_K=F6nig?= , Maarten Lankhorst , Peter Zijlstra , Daniel Vetter , intel-gfx , Linux Kernel Mailing List , dri-devel , Alex Deucher , Thomas Gleixner , Ingo Molnar List-Id: dri-devel@lists.freedesktop.org On 10/08/2013 04:55 PM, Jerome Glisse wrote: > On Tue, Oct 08, 2013 at 04:45:18PM +0200, Christian K=F6nig wrote: >> Am 08.10.2013 16:33, schrieb Jerome Glisse: >>> On Tue, Oct 08, 2013 at 04:14:40PM +0200, Maarten Lankhorst wrote: >>>> Allocate and copy all kernel memory before doing reservations. Thi= s prevents a locking >>>> inversion between mmap_sem and reservation_class, and allows us to= drop the trylocking >>>> in ttm_bo_vm_fault without upsetting lockdep. >>>> >>>> Signed-off-by: Maarten Lankhorst >>> I would say NAK. Current code only allocate temporary page in AGP c= ase. >>> So AGP case is userspace -> temp page -> cs checker -> radeon ib. >>> >>> Non AGP is directly memcpy to radeon IB. >>> >>> Your patch allocate memory memcpy userspace to it and it will then = be >>> memcpy to IB. Which means you introduce an extra memcpy in the proc= ess >>> not something we want. >> Totally agree. Additional to that there is no good reason to provide >> anything else than anonymous system memory to the CS ioctl, so the >> dependency between the mmap_sem and reservations are not really >> clear to me. >> >> Christian. > I think is that in other code path you take mmap_sem first then reser= ve > bo. But here we reserve bo and then we take mmap_sem because of copy > from user. > > Cheers, > Jerome > Actually the log message is a little confusing. I think the mmap_sem=20 locking inversion problem is orthogonal to what's being fixed here. This patch fixes the possible recursive bo::reserve caused by malicious= =20 user-space handing a pointer to ttm memory so that the ttm fault handle= r=20 is called when bos are already reserved. That may cause a (possibly=20 interruptible) livelock. Once that is fixed, we are free to choose the mmap_sem -> bo::reserve=20 locking order. Currently it's bo::reserve->mmap_sem(), but the hack=20 required in the ttm fault handler is admittedly a bit ugly. The plan i= s=20 to change the locking order to mmap_sem->bo::reserve I'm not sure if it applies to this particular case, but it should be=20 possible to make sure that copy_from_user_inatomic() will always=20 succeed, by making sure the pages are present using get_user_pages(),=20 and release the pages after copy_from_user_inatomic() is done. That way= =20 there's no need for a double memcpy slowpath, but if the copied data is= =20 very fragmented I guess the resulting code may look ugly. The=20 get_user_pages() function will return an error if it hits TTM pages. /Thomas