From: Daniel Vetter <daniel@ffwll.ch>
To: "Christian König" <christian.koenig@amd.com>
Cc: dri-devel <dri-devel@lists.freedesktop.org>,
Sumit Semwal <sumit.semwal@linaro.org>,
"moderated list:DMA BUFFER SHARING FRAMEWORK"
<linaro-mm-sig@lists.linaro.org>,
"open list:DMA BUFFER SHARING FRAMEWORK"
<linux-media@vger.kernel.org>,
intel-gfx <intel-gfx@lists.freedesktop.org>
Subject: Re: [PATCH 5/5] drm/amdgpu: implement amdgpu_gem_prime_move_notify
Date: Tue, 5 Nov 2019 14:50:42 +0100 [thread overview]
Message-ID: <CAKMK7uEimcoB2vojTHDxQ1p2GaK7kBJQ3hWFzYoMtmDJYabwfA@mail.gmail.com> (raw)
In-Reply-To: <0c506743-1def-2c49-886a-4fa125b33151@gmail.com>
On Tue, Nov 5, 2019 at 2:39 PM Christian König
<ckoenig.leichtzumerken@gmail.com> wrote:
>
> Am 05.11.19 um 11:52 schrieb Daniel Vetter:
> > On Tue, Oct 29, 2019 at 11:40:49AM +0100, Christian König wrote:
> >> Implement the importer side of unpinned DMA-buf handling.
> >>
> >> Signed-off-by: Christian König <christian.koenig@amd.com>
> >> ---
> >> drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c | 28 ++++++++++++++++++++-
> >> drivers/gpu/drm/amd/amdgpu/amdgpu_object.c | 6 +++++
> >> 2 files changed, 33 insertions(+), 1 deletion(-)
> >>
> >> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c
> >> index 3629cfe53aad..af39553c51ad 100644
> >> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c
> >> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c
> >> @@ -456,7 +456,33 @@ amdgpu_dma_buf_create_obj(struct drm_device *dev, struct dma_buf *dma_buf)
> >> return ERR_PTR(ret);
> >> }
> >>
> >> +/**
> >> + * amdgpu_dma_buf_move_notify - &attach.move_notify implementation
> >> + *
> >> + * @attach: the DMA-buf attachment
> >> + *
> >> + * Invalidate the DMA-buf attachment, making sure that the we re-create the
> >> + * mapping before the next use.
> >> + */
> >> +static void
> >> +amdgpu_dma_buf_move_notify(struct dma_buf_attachment *attach)
> >> +{
> >> + struct ttm_operation_ctx ctx = { false, false };
> >> + struct drm_gem_object *obj = attach->importer_priv;
> >> + struct amdgpu_bo *bo = gem_to_amdgpu_bo(obj);
> >> + struct ttm_placement placement = {};
> >> + int r;
> >> +
> >> + if (bo->tbo.mem.mem_type == TTM_PL_SYSTEM)
> >> + return;
> >> +
> >> + r = ttm_bo_validate(&bo->tbo, &placement, &ctx);
> >> + if (r)
> >> + DRM_ERROR("Failed to invalidate DMA-buf import (%d))\n", r);
> > Where do you update pagetables?
> >
> > The only thing I've found is in the amdgpu CS code, which is way to late
> > for this stuff here. Plus TTM doesn't handle virtual memory at all (aside
> > from the gart tt), so clearly you need to call into amdgpu code somewhere
> > for this. But I didn't find it, neither in your ->move_notify nor the
> > ->move callback in ttm_bo_driver.
> >
> > How does this work?
>
> Page tables are not updated until the next command submission, e.g. in
> amdgpu_cs.c
>
> This is save since all previous command submissions are added to the
> dma_resv object as fences and the dma_buf can't be moved before those
> are signaled.
Hm, I thought you still allow explicit buffer lists for each cs in
amdgpu? Code looks at least like that, not everything goes through the
context working set stuff.
How do you prevent the security leak if userspace simply lies about
not using a given buffer in a batch, and then abusing that to read
that virtual address range anyway and peek at whatever is now going to
be there when an eviction happened?
-Daniel
>
> Christian.
>
> > -Daniel
> >
> >> +}
> >> +
> >> static const struct dma_buf_attach_ops amdgpu_dma_buf_attach_ops = {
> >> + .move_notify = amdgpu_dma_buf_move_notify
> >> };
> >>
> >> /**
> >> @@ -492,7 +518,7 @@ struct drm_gem_object *amdgpu_gem_prime_import(struct drm_device *dev,
> >> return obj;
> >>
> >> attach = dma_buf_dynamic_attach(dma_buf, dev->dev,
> >> - &amdgpu_dma_buf_attach_ops, NULL);
> >> + &amdgpu_dma_buf_attach_ops, obj);
> >> if (IS_ERR(attach)) {
> >> drm_gem_object_put(obj);
> >> return ERR_CAST(attach);
> >> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c
> >> index ac776d2620eb..cfa46341c9a7 100644
> >> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c
> >> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c
> >> @@ -861,6 +861,9 @@ int amdgpu_bo_pin_restricted(struct amdgpu_bo *bo, u32 domain,
> >> return 0;
> >> }
> >>
> >> + if (bo->tbo.base.import_attach)
> >> + dma_buf_pin(bo->tbo.base.import_attach);
> >> +
> >> bo->flags |= AMDGPU_GEM_CREATE_VRAM_CONTIGUOUS;
> >> /* force to pin into visible video ram */
> >> if (!(bo->flags & AMDGPU_GEM_CREATE_NO_CPU_ACCESS))
> >> @@ -944,6 +947,9 @@ int amdgpu_bo_unpin(struct amdgpu_bo *bo)
> >>
> >> amdgpu_bo_subtract_pin_size(bo);
> >>
> >> + if (bo->tbo.base.import_attach)
> >> + dma_buf_unpin(bo->tbo.base.import_attach);
> >> +
> >> for (i = 0; i < bo->placement.num_placement; i++) {
> >> bo->placements[i].lpfn = 0;
> >> bo->placements[i].flags &= ~TTM_PL_FLAG_NO_EVICT;
> >> --
> >> 2.17.1
> >>
> >> _______________________________________________
> >> dri-devel mailing list
> >> dri-devel@lists.freedesktop.org
> >> https://lists.freedesktop.org/mailman/listinfo/dri-devel
>
--
Daniel Vetter
Software Engineer, Intel Corporation
+41 (0) 79 365 57 48 - http://blog.ffwll.ch
WARNING: multiple messages have this Message-ID (diff)
From: Daniel Vetter <daniel@ffwll.ch>
To: "Christian König" <christian.koenig@amd.com>
Cc: "moderated list:DMA BUFFER SHARING FRAMEWORK"
<linaro-mm-sig@lists.linaro.org>,
intel-gfx <intel-gfx@lists.freedesktop.org>,
Sumit Semwal <sumit.semwal@linaro.org>,
dri-devel <dri-devel@lists.freedesktop.org>,
"open list:DMA BUFFER SHARING FRAMEWORK"
<linux-media@vger.kernel.org>
Subject: Re: [PATCH 5/5] drm/amdgpu: implement amdgpu_gem_prime_move_notify
Date: Tue, 5 Nov 2019 14:50:42 +0100 [thread overview]
Message-ID: <CAKMK7uEimcoB2vojTHDxQ1p2GaK7kBJQ3hWFzYoMtmDJYabwfA@mail.gmail.com> (raw)
In-Reply-To: <0c506743-1def-2c49-886a-4fa125b33151@gmail.com>
On Tue, Nov 5, 2019 at 2:39 PM Christian König
<ckoenig.leichtzumerken@gmail.com> wrote:
>
> Am 05.11.19 um 11:52 schrieb Daniel Vetter:
> > On Tue, Oct 29, 2019 at 11:40:49AM +0100, Christian König wrote:
> >> Implement the importer side of unpinned DMA-buf handling.
> >>
> >> Signed-off-by: Christian König <christian.koenig@amd.com>
> >> ---
> >> drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c | 28 ++++++++++++++++++++-
> >> drivers/gpu/drm/amd/amdgpu/amdgpu_object.c | 6 +++++
> >> 2 files changed, 33 insertions(+), 1 deletion(-)
> >>
> >> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c
> >> index 3629cfe53aad..af39553c51ad 100644
> >> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c
> >> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c
> >> @@ -456,7 +456,33 @@ amdgpu_dma_buf_create_obj(struct drm_device *dev, struct dma_buf *dma_buf)
> >> return ERR_PTR(ret);
> >> }
> >>
> >> +/**
> >> + * amdgpu_dma_buf_move_notify - &attach.move_notify implementation
> >> + *
> >> + * @attach: the DMA-buf attachment
> >> + *
> >> + * Invalidate the DMA-buf attachment, making sure that the we re-create the
> >> + * mapping before the next use.
> >> + */
> >> +static void
> >> +amdgpu_dma_buf_move_notify(struct dma_buf_attachment *attach)
> >> +{
> >> + struct ttm_operation_ctx ctx = { false, false };
> >> + struct drm_gem_object *obj = attach->importer_priv;
> >> + struct amdgpu_bo *bo = gem_to_amdgpu_bo(obj);
> >> + struct ttm_placement placement = {};
> >> + int r;
> >> +
> >> + if (bo->tbo.mem.mem_type == TTM_PL_SYSTEM)
> >> + return;
> >> +
> >> + r = ttm_bo_validate(&bo->tbo, &placement, &ctx);
> >> + if (r)
> >> + DRM_ERROR("Failed to invalidate DMA-buf import (%d))\n", r);
> > Where do you update pagetables?
> >
> > The only thing I've found is in the amdgpu CS code, which is way to late
> > for this stuff here. Plus TTM doesn't handle virtual memory at all (aside
> > from the gart tt), so clearly you need to call into amdgpu code somewhere
> > for this. But I didn't find it, neither in your ->move_notify nor the
> > ->move callback in ttm_bo_driver.
> >
> > How does this work?
>
> Page tables are not updated until the next command submission, e.g. in
> amdgpu_cs.c
>
> This is save since all previous command submissions are added to the
> dma_resv object as fences and the dma_buf can't be moved before those
> are signaled.
Hm, I thought you still allow explicit buffer lists for each cs in
amdgpu? Code looks at least like that, not everything goes through the
context working set stuff.
How do you prevent the security leak if userspace simply lies about
not using a given buffer in a batch, and then abusing that to read
that virtual address range anyway and peek at whatever is now going to
be there when an eviction happened?
-Daniel
>
> Christian.
>
> > -Daniel
> >
> >> +}
> >> +
> >> static const struct dma_buf_attach_ops amdgpu_dma_buf_attach_ops = {
> >> + .move_notify = amdgpu_dma_buf_move_notify
> >> };
> >>
> >> /**
> >> @@ -492,7 +518,7 @@ struct drm_gem_object *amdgpu_gem_prime_import(struct drm_device *dev,
> >> return obj;
> >>
> >> attach = dma_buf_dynamic_attach(dma_buf, dev->dev,
> >> - &amdgpu_dma_buf_attach_ops, NULL);
> >> + &amdgpu_dma_buf_attach_ops, obj);
> >> if (IS_ERR(attach)) {
> >> drm_gem_object_put(obj);
> >> return ERR_CAST(attach);
> >> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c
> >> index ac776d2620eb..cfa46341c9a7 100644
> >> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c
> >> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c
> >> @@ -861,6 +861,9 @@ int amdgpu_bo_pin_restricted(struct amdgpu_bo *bo, u32 domain,
> >> return 0;
> >> }
> >>
> >> + if (bo->tbo.base.import_attach)
> >> + dma_buf_pin(bo->tbo.base.import_attach);
> >> +
> >> bo->flags |= AMDGPU_GEM_CREATE_VRAM_CONTIGUOUS;
> >> /* force to pin into visible video ram */
> >> if (!(bo->flags & AMDGPU_GEM_CREATE_NO_CPU_ACCESS))
> >> @@ -944,6 +947,9 @@ int amdgpu_bo_unpin(struct amdgpu_bo *bo)
> >>
> >> amdgpu_bo_subtract_pin_size(bo);
> >>
> >> + if (bo->tbo.base.import_attach)
> >> + dma_buf_unpin(bo->tbo.base.import_attach);
> >> +
> >> for (i = 0; i < bo->placement.num_placement; i++) {
> >> bo->placements[i].lpfn = 0;
> >> bo->placements[i].flags &= ~TTM_PL_FLAG_NO_EVICT;
> >> --
> >> 2.17.1
> >>
> >> _______________________________________________
> >> dri-devel mailing list
> >> dri-devel@lists.freedesktop.org
> >> https://lists.freedesktop.org/mailman/listinfo/dri-devel
>
--
Daniel Vetter
Software Engineer, Intel Corporation
+41 (0) 79 365 57 48 - http://blog.ffwll.ch
_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx
WARNING: multiple messages have this Message-ID (diff)
From: Daniel Vetter <daniel@ffwll.ch>
To: "Christian König" <christian.koenig@amd.com>
Cc: "moderated list:DMA BUFFER SHARING FRAMEWORK"
<linaro-mm-sig@lists.linaro.org>,
intel-gfx <intel-gfx@lists.freedesktop.org>,
dri-devel <dri-devel@lists.freedesktop.org>,
"open list:DMA BUFFER SHARING FRAMEWORK"
<linux-media@vger.kernel.org>
Subject: Re: [PATCH 5/5] drm/amdgpu: implement amdgpu_gem_prime_move_notify
Date: Tue, 5 Nov 2019 14:50:42 +0100 [thread overview]
Message-ID: <CAKMK7uEimcoB2vojTHDxQ1p2GaK7kBJQ3hWFzYoMtmDJYabwfA@mail.gmail.com> (raw)
Message-ID: <20191105135042.KO9aLvFIdA1yuvbh0EY9cgs_RWtVIC-ng1Kb_aKTVrI@z> (raw)
In-Reply-To: <0c506743-1def-2c49-886a-4fa125b33151@gmail.com>
On Tue, Nov 5, 2019 at 2:39 PM Christian König
<ckoenig.leichtzumerken@gmail.com> wrote:
>
> Am 05.11.19 um 11:52 schrieb Daniel Vetter:
> > On Tue, Oct 29, 2019 at 11:40:49AM +0100, Christian König wrote:
> >> Implement the importer side of unpinned DMA-buf handling.
> >>
> >> Signed-off-by: Christian König <christian.koenig@amd.com>
> >> ---
> >> drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c | 28 ++++++++++++++++++++-
> >> drivers/gpu/drm/amd/amdgpu/amdgpu_object.c | 6 +++++
> >> 2 files changed, 33 insertions(+), 1 deletion(-)
> >>
> >> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c
> >> index 3629cfe53aad..af39553c51ad 100644
> >> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c
> >> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c
> >> @@ -456,7 +456,33 @@ amdgpu_dma_buf_create_obj(struct drm_device *dev, struct dma_buf *dma_buf)
> >> return ERR_PTR(ret);
> >> }
> >>
> >> +/**
> >> + * amdgpu_dma_buf_move_notify - &attach.move_notify implementation
> >> + *
> >> + * @attach: the DMA-buf attachment
> >> + *
> >> + * Invalidate the DMA-buf attachment, making sure that the we re-create the
> >> + * mapping before the next use.
> >> + */
> >> +static void
> >> +amdgpu_dma_buf_move_notify(struct dma_buf_attachment *attach)
> >> +{
> >> + struct ttm_operation_ctx ctx = { false, false };
> >> + struct drm_gem_object *obj = attach->importer_priv;
> >> + struct amdgpu_bo *bo = gem_to_amdgpu_bo(obj);
> >> + struct ttm_placement placement = {};
> >> + int r;
> >> +
> >> + if (bo->tbo.mem.mem_type == TTM_PL_SYSTEM)
> >> + return;
> >> +
> >> + r = ttm_bo_validate(&bo->tbo, &placement, &ctx);
> >> + if (r)
> >> + DRM_ERROR("Failed to invalidate DMA-buf import (%d))\n", r);
> > Where do you update pagetables?
> >
> > The only thing I've found is in the amdgpu CS code, which is way to late
> > for this stuff here. Plus TTM doesn't handle virtual memory at all (aside
> > from the gart tt), so clearly you need to call into amdgpu code somewhere
> > for this. But I didn't find it, neither in your ->move_notify nor the
> > ->move callback in ttm_bo_driver.
> >
> > How does this work?
>
> Page tables are not updated until the next command submission, e.g. in
> amdgpu_cs.c
>
> This is save since all previous command submissions are added to the
> dma_resv object as fences and the dma_buf can't be moved before those
> are signaled.
Hm, I thought you still allow explicit buffer lists for each cs in
amdgpu? Code looks at least like that, not everything goes through the
context working set stuff.
How do you prevent the security leak if userspace simply lies about
not using a given buffer in a batch, and then abusing that to read
that virtual address range anyway and peek at whatever is now going to
be there when an eviction happened?
-Daniel
>
> Christian.
>
> > -Daniel
> >
> >> +}
> >> +
> >> static const struct dma_buf_attach_ops amdgpu_dma_buf_attach_ops = {
> >> + .move_notify = amdgpu_dma_buf_move_notify
> >> };
> >>
> >> /**
> >> @@ -492,7 +518,7 @@ struct drm_gem_object *amdgpu_gem_prime_import(struct drm_device *dev,
> >> return obj;
> >>
> >> attach = dma_buf_dynamic_attach(dma_buf, dev->dev,
> >> - &amdgpu_dma_buf_attach_ops, NULL);
> >> + &amdgpu_dma_buf_attach_ops, obj);
> >> if (IS_ERR(attach)) {
> >> drm_gem_object_put(obj);
> >> return ERR_CAST(attach);
> >> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c
> >> index ac776d2620eb..cfa46341c9a7 100644
> >> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c
> >> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c
> >> @@ -861,6 +861,9 @@ int amdgpu_bo_pin_restricted(struct amdgpu_bo *bo, u32 domain,
> >> return 0;
> >> }
> >>
> >> + if (bo->tbo.base.import_attach)
> >> + dma_buf_pin(bo->tbo.base.import_attach);
> >> +
> >> bo->flags |= AMDGPU_GEM_CREATE_VRAM_CONTIGUOUS;
> >> /* force to pin into visible video ram */
> >> if (!(bo->flags & AMDGPU_GEM_CREATE_NO_CPU_ACCESS))
> >> @@ -944,6 +947,9 @@ int amdgpu_bo_unpin(struct amdgpu_bo *bo)
> >>
> >> amdgpu_bo_subtract_pin_size(bo);
> >>
> >> + if (bo->tbo.base.import_attach)
> >> + dma_buf_unpin(bo->tbo.base.import_attach);
> >> +
> >> for (i = 0; i < bo->placement.num_placement; i++) {
> >> bo->placements[i].lpfn = 0;
> >> bo->placements[i].flags &= ~TTM_PL_FLAG_NO_EVICT;
> >> --
> >> 2.17.1
> >>
> >> _______________________________________________
> >> dri-devel mailing list
> >> dri-devel@lists.freedesktop.org
> >> https://lists.freedesktop.org/mailman/listinfo/dri-devel
>
--
Daniel Vetter
Software Engineer, Intel Corporation
+41 (0) 79 365 57 48 - http://blog.ffwll.ch
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
WARNING: multiple messages have this Message-ID (diff)
From: Daniel Vetter <daniel@ffwll.ch>
To: "Christian König" <christian.koenig@amd.com>
Cc: "moderated list:DMA BUFFER SHARING FRAMEWORK"
<linaro-mm-sig@lists.linaro.org>,
intel-gfx <intel-gfx@lists.freedesktop.org>,
Sumit Semwal <sumit.semwal@linaro.org>,
dri-devel <dri-devel@lists.freedesktop.org>,
"open list:DMA BUFFER SHARING FRAMEWORK"
<linux-media@vger.kernel.org>
Subject: Re: [Intel-gfx] [PATCH 5/5] drm/amdgpu: implement amdgpu_gem_prime_move_notify
Date: Tue, 5 Nov 2019 14:50:42 +0100 [thread overview]
Message-ID: <CAKMK7uEimcoB2vojTHDxQ1p2GaK7kBJQ3hWFzYoMtmDJYabwfA@mail.gmail.com> (raw)
Message-ID: <20191105135042.r5Rub_-3lzGb2lpsbmPQdfhUV5wQu6eis4Hl9_FOp38@z> (raw)
In-Reply-To: <0c506743-1def-2c49-886a-4fa125b33151@gmail.com>
On Tue, Nov 5, 2019 at 2:39 PM Christian König
<ckoenig.leichtzumerken@gmail.com> wrote:
>
> Am 05.11.19 um 11:52 schrieb Daniel Vetter:
> > On Tue, Oct 29, 2019 at 11:40:49AM +0100, Christian König wrote:
> >> Implement the importer side of unpinned DMA-buf handling.
> >>
> >> Signed-off-by: Christian König <christian.koenig@amd.com>
> >> ---
> >> drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c | 28 ++++++++++++++++++++-
> >> drivers/gpu/drm/amd/amdgpu/amdgpu_object.c | 6 +++++
> >> 2 files changed, 33 insertions(+), 1 deletion(-)
> >>
> >> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c
> >> index 3629cfe53aad..af39553c51ad 100644
> >> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c
> >> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c
> >> @@ -456,7 +456,33 @@ amdgpu_dma_buf_create_obj(struct drm_device *dev, struct dma_buf *dma_buf)
> >> return ERR_PTR(ret);
> >> }
> >>
> >> +/**
> >> + * amdgpu_dma_buf_move_notify - &attach.move_notify implementation
> >> + *
> >> + * @attach: the DMA-buf attachment
> >> + *
> >> + * Invalidate the DMA-buf attachment, making sure that the we re-create the
> >> + * mapping before the next use.
> >> + */
> >> +static void
> >> +amdgpu_dma_buf_move_notify(struct dma_buf_attachment *attach)
> >> +{
> >> + struct ttm_operation_ctx ctx = { false, false };
> >> + struct drm_gem_object *obj = attach->importer_priv;
> >> + struct amdgpu_bo *bo = gem_to_amdgpu_bo(obj);
> >> + struct ttm_placement placement = {};
> >> + int r;
> >> +
> >> + if (bo->tbo.mem.mem_type == TTM_PL_SYSTEM)
> >> + return;
> >> +
> >> + r = ttm_bo_validate(&bo->tbo, &placement, &ctx);
> >> + if (r)
> >> + DRM_ERROR("Failed to invalidate DMA-buf import (%d))\n", r);
> > Where do you update pagetables?
> >
> > The only thing I've found is in the amdgpu CS code, which is way to late
> > for this stuff here. Plus TTM doesn't handle virtual memory at all (aside
> > from the gart tt), so clearly you need to call into amdgpu code somewhere
> > for this. But I didn't find it, neither in your ->move_notify nor the
> > ->move callback in ttm_bo_driver.
> >
> > How does this work?
>
> Page tables are not updated until the next command submission, e.g. in
> amdgpu_cs.c
>
> This is save since all previous command submissions are added to the
> dma_resv object as fences and the dma_buf can't be moved before those
> are signaled.
Hm, I thought you still allow explicit buffer lists for each cs in
amdgpu? Code looks at least like that, not everything goes through the
context working set stuff.
How do you prevent the security leak if userspace simply lies about
not using a given buffer in a batch, and then abusing that to read
that virtual address range anyway and peek at whatever is now going to
be there when an eviction happened?
-Daniel
>
> Christian.
>
> > -Daniel
> >
> >> +}
> >> +
> >> static const struct dma_buf_attach_ops amdgpu_dma_buf_attach_ops = {
> >> + .move_notify = amdgpu_dma_buf_move_notify
> >> };
> >>
> >> /**
> >> @@ -492,7 +518,7 @@ struct drm_gem_object *amdgpu_gem_prime_import(struct drm_device *dev,
> >> return obj;
> >>
> >> attach = dma_buf_dynamic_attach(dma_buf, dev->dev,
> >> - &amdgpu_dma_buf_attach_ops, NULL);
> >> + &amdgpu_dma_buf_attach_ops, obj);
> >> if (IS_ERR(attach)) {
> >> drm_gem_object_put(obj);
> >> return ERR_CAST(attach);
> >> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c
> >> index ac776d2620eb..cfa46341c9a7 100644
> >> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c
> >> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c
> >> @@ -861,6 +861,9 @@ int amdgpu_bo_pin_restricted(struct amdgpu_bo *bo, u32 domain,
> >> return 0;
> >> }
> >>
> >> + if (bo->tbo.base.import_attach)
> >> + dma_buf_pin(bo->tbo.base.import_attach);
> >> +
> >> bo->flags |= AMDGPU_GEM_CREATE_VRAM_CONTIGUOUS;
> >> /* force to pin into visible video ram */
> >> if (!(bo->flags & AMDGPU_GEM_CREATE_NO_CPU_ACCESS))
> >> @@ -944,6 +947,9 @@ int amdgpu_bo_unpin(struct amdgpu_bo *bo)
> >>
> >> amdgpu_bo_subtract_pin_size(bo);
> >>
> >> + if (bo->tbo.base.import_attach)
> >> + dma_buf_unpin(bo->tbo.base.import_attach);
> >> +
> >> for (i = 0; i < bo->placement.num_placement; i++) {
> >> bo->placements[i].lpfn = 0;
> >> bo->placements[i].flags &= ~TTM_PL_FLAG_NO_EVICT;
> >> --
> >> 2.17.1
> >>
> >> _______________________________________________
> >> dri-devel mailing list
> >> dri-devel@lists.freedesktop.org
> >> https://lists.freedesktop.org/mailman/listinfo/dri-devel
>
--
Daniel Vetter
Software Engineer, Intel Corporation
+41 (0) 79 365 57 48 - http://blog.ffwll.ch
_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx
next prev parent reply other threads:[~2019-11-05 13:50 UTC|newest]
Thread overview: 53+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-10-29 10:40 RFC: Unpinned DMA-buf handling Christian König
2019-10-29 10:40 ` [Intel-gfx] " Christian König
2019-10-29 10:40 ` Christian König
2019-10-29 10:40 ` [PATCH 1/5] dma-buf: add dynamic DMA-buf handling v14 Christian König
2019-10-29 10:40 ` [Intel-gfx] " Christian König
2019-10-29 10:40 ` Christian König
2019-11-05 10:20 ` Daniel Vetter
2019-11-05 10:20 ` [Intel-gfx] " Daniel Vetter
2019-11-05 10:20 ` Daniel Vetter
2020-02-18 13:20 ` Christian König
2020-02-18 13:20 ` [Intel-gfx] " Christian König
2020-02-18 13:20 ` Christian König
2020-02-18 14:14 ` Daniel Vetter
2020-02-18 14:14 ` [Intel-gfx] " Daniel Vetter
2020-02-18 14:14 ` Daniel Vetter
2019-10-29 10:40 ` [PATCH 2/5] drm/ttm: remove the backing store if no placement is given Christian König
2019-10-29 10:40 ` [Intel-gfx] " Christian König
2019-10-29 10:40 ` Christian König
2019-10-29 10:40 ` [PATCH 3/5] drm/amdgpu: use allowed_domains for exported DMA-bufs Christian König
2019-10-29 10:40 ` [Intel-gfx] " Christian König
2019-10-29 10:40 ` Christian König
2019-10-29 10:40 ` [PATCH 4/5] drm/amdgpu: add amdgpu_dma_buf_pin/unpin Christian König
2019-10-29 10:40 ` [Intel-gfx] " Christian König
2019-10-29 10:40 ` Christian König
2019-10-29 10:40 ` [PATCH 5/5] drm/amdgpu: implement amdgpu_gem_prime_move_notify Christian König
2019-10-29 10:40 ` [Intel-gfx] " Christian König
2019-10-29 10:40 ` Christian König
2019-11-05 10:52 ` Daniel Vetter
2019-11-05 10:52 ` [Intel-gfx] " Daniel Vetter
2019-11-05 10:52 ` Daniel Vetter
2019-11-05 13:39 ` Christian König
2019-11-05 13:39 ` [Intel-gfx] " Christian König
2019-11-05 13:39 ` Christian König
2019-11-05 13:50 ` Daniel Vetter [this message]
2019-11-05 13:50 ` [Intel-gfx] " Daniel Vetter
2019-11-05 13:50 ` Daniel Vetter
2019-11-05 13:50 ` Daniel Vetter
2019-11-05 15:20 ` Koenig, Christian
2019-11-05 15:20 ` [Intel-gfx] " Koenig, Christian
2019-11-05 15:20 ` Koenig, Christian
2019-11-05 15:20 ` Koenig, Christian
2019-11-05 15:23 ` Daniel Vetter
2019-11-05 15:23 ` [Intel-gfx] " Daniel Vetter
2019-11-05 15:23 ` Daniel Vetter
2019-11-05 15:23 ` Daniel Vetter
2019-10-29 17:38 ` ✗ Fi.CI.CHECKPATCH: warning for series starting with [1/5] dma-buf: add dynamic DMA-buf handling v14 Patchwork
2019-10-29 17:38 ` [Intel-gfx] " Patchwork
2019-10-29 18:09 ` ✗ Fi.CI.BAT: failure " Patchwork
2019-10-29 18:09 ` [Intel-gfx] " Patchwork
2019-11-05 13:46 ` RFC: Unpinned DMA-buf handling Daniel Vetter
2019-11-05 13:46 ` [Intel-gfx] " Daniel Vetter
2019-11-05 13:46 ` Daniel Vetter
2019-11-05 13:46 ` Daniel Vetter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAKMK7uEimcoB2vojTHDxQ1p2GaK7kBJQ3hWFzYoMtmDJYabwfA@mail.gmail.com \
--to=daniel@ffwll.ch \
--cc=christian.koenig@amd.com \
--cc=dri-devel@lists.freedesktop.org \
--cc=intel-gfx@lists.freedesktop.org \
--cc=linaro-mm-sig@lists.linaro.org \
--cc=linux-media@vger.kernel.org \
--cc=sumit.semwal@linaro.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.