Re: [Intel-gfx] [PATCH 0/6] drm/i915: Failsafe migration blits

["Thomas Hellström" <thomas.hellstrom@linux.intel.com>]

Hi, Dave,

On 10/14/21 03:50, Dave Airlie wrote:
> On Fri, 8 Oct 2021 at 23:36, Thomas Hellström
> <thomas.hellstrom@linux.intel.com> wrote:
>> This patch series introduces failsafe migration blits.
>> The reason for this seemingly strange concept is that if the initial
>> clearing or readback of LMEM fails for some reason, and we then set up
>> either GPU- or CPU ptes to the allocated LMEM, we can expose old
>> contents from other clients.
> Can we enumerate "for some reason" here?
>
> This feels like "security" with no defined threat model. Maybe if the
> cover letter contains more details on the threat model it would make
> more sense.

TBH, I'd be quite happy if we could find a way to skip this series (or 
even a reworked version) completely.

Assuming that the migration request setup code is bug-free enough to not 
never cause an engine reset, there are at least two ways I can see the 
migration fail:

1) The migration fence we will be depending on when fully async 
(ttm->moving) may signal with error after the following:
malicious_batchbuffer_causing_reset -> async eviction -> allocation -> 
async clearing

2) malicious_batchbuffers_causing_gt_wedge submitted to copy engine -> 
migration_blit submitted to  copy_engine. If wedging the gt, the 
migration blit will never be executed, fence->error will end up with 
-EIO but TTM will happily fault the pages to user-space.

Now we had other versions around looking at the ttm_bo->moving errors at 
vma binding and cpu faulting, but this was the direction chosen after 
discussions with our arch team. Either way we'd probably want to block 
the error propagation after async_eviction.

I can of course add 1) and 2) above to the cover-letter, but if you have 
any additional input on the best way to handle this, that'd be appreciated.

Thanks,

Thomas





> Dave.