From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-13.7 required=3.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id F28A1C433EF for ; Tue, 21 Sep 2021 11:37:45 +0000 (UTC) Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id BC3D760F41 for ; Tue, 21 Sep 2021 11:37:45 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org BC3D760F41 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=linux.intel.com Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=lists.freedesktop.org Received: from gabe.freedesktop.org (localhost [127.0.0.1]) by gabe.freedesktop.org (Postfix) with ESMTP id 47E136E92E; Tue, 21 Sep 2021 11:37:45 +0000 (UTC) Received: from mga11.intel.com (mga11.intel.com [192.55.52.93]) by gabe.freedesktop.org (Postfix) with ESMTPS id 9F90D6E92E; Tue, 21 Sep 2021 11:37:43 +0000 (UTC) X-IronPort-AV: E=McAfee;i="6200,9189,10113"; a="220140876" X-IronPort-AV: E=Sophos;i="5.85,311,1624345200"; d="scan'208";a="220140876" Received: from orsmga005.jf.intel.com ([10.7.209.41]) by fmsmga102.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 21 Sep 2021 04:37:39 -0700 X-IronPort-AV: E=Sophos;i="5.85,311,1624345200"; d="scan'208";a="652898568" Received: from rogerc2x-mobl.ger.corp.intel.com (HELO [10.249.254.52]) ([10.249.254.52]) by orsmga005-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 21 Sep 2021 04:37:37 -0700 Message-ID: From: Thomas =?ISO-8859-1?Q?Hellstr=F6m?= To: Christian =?ISO-8859-1?Q?K=F6nig?= , Matthew Auld , intel-gfx@lists.freedesktop.org Cc: dri-devel@lists.freedesktop.org Date: Tue, 21 Sep 2021 13:37:35 +0200 In-Reply-To: References: <20210921110121.3783395-1-matthew.auld@intel.com> Content-Type: text/plain; charset="UTF-8" User-Agent: Evolution 3.40.4 (3.40.4-1.fc34) MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Subject: Re: [Intel-gfx] [PATCH v4 01/14] drm/ttm: stop calling tt_swapin in vm_access X-BeenThere: intel-gfx@lists.freedesktop.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Intel graphics driver community testing & development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: intel-gfx-bounces@lists.freedesktop.org Sender: "Intel-gfx" HI, Christian, On Tue, 2021-09-21 at 13:28 +0200, Christian König wrote: > Am 21.09.21 um 13:01 schrieb Matthew Auld: > > In commit: > > > > commit 09ac4fcb3f255e9225967c75f5893325c116cdbe > > Author: Felix Kuehling > > Date:   Thu Jul 13 17:01:16 2017 -0400 > > > >      drm/ttm: Implement vm_operations_struct.access v2 > > > > we added the vm_access hook, where we also directly call tt_swapin > > for > > some reason. If something is swapped-out then the ttm_tt must also > > be > > unpopulated, and since access_kmap should also call tt_populate, if > > needed, then swapping-in will already be handled there. > > Sounds like you completely misunderstand what that is good for. > > This is for debugger attaching to a process and peek/poke into the > VMA > and completely unrelated to kmap. I think what Matthew is saying is that there is a fallthrough to TTM_PL_TT which calls ttm_bo_vm_access_kmap which calls ttm_tt_populate(). So from my pow, unless there are other concerns, this is Reviewed-by: Thomas Hellström > > > > > If anything, calling tt_swapin directly here would likely always > > fail > > since the tt->pages won't yet be populated, or worse since the tt- > > >pages > > array is never actually cleared in unpopulate this might lead to a > > nasty > > uaf. > > That's indeed true, but we just need to unconditionally call > ttm_tt_populate() here instead. > > Regards, > Christian. > > > > > Fixes: 09ac4fcb3f25 ("drm/ttm: Implement > > vm_operations_struct.access v2") > > Signed-off-by: Matthew Auld > > Cc: Thomas Hellström > > Cc: Christian König > > --- > >   drivers/gpu/drm/ttm/ttm_bo_vm.c | 5 ----- > >   1 file changed, 5 deletions(-) > > > > diff --git a/drivers/gpu/drm/ttm/ttm_bo_vm.c > > b/drivers/gpu/drm/ttm/ttm_bo_vm.c > > index f56be5bc0861..5b9b7fd01a69 100644 > > --- a/drivers/gpu/drm/ttm/ttm_bo_vm.c > > +++ b/drivers/gpu/drm/ttm/ttm_bo_vm.c > > @@ -519,11 +519,6 @@ int ttm_bo_vm_access(struct vm_area_struct > > *vma, unsigned long addr, > >   > >         switch (bo->resource->mem_type) { > >         case TTM_PL_SYSTEM: > > -               if (unlikely(bo->ttm->page_flags & > > TTM_PAGE_FLAG_SWAPPED)) { > > -                       ret = ttm_tt_swapin(bo->ttm); > > -                       if (unlikely(ret != 0)) > > -                               return ret; > > -               } > >                 fallthrough; > >         case TTM_PL_TT: > >                 ret = ttm_bo_vm_access_kmap(bo, offset, buf, len, > > write); >