From mboxrd@z Thu Jan 1 00:00:00 1970
From: Chris Wilson
Subject: [PATCH 11/13] drm/i915: Prevent mmap access through the GTT of snooped pages
Date: Thu, 14 Apr 2011 10:03:45 +0100
Message-ID: <1302771827-26112-12-git-send-email-chris@chris-wilson.co.uk>
References: <1302771827-26112-1-git-send-email-chris@chris-wilson.co.uk>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Received: from fireflyinternet.com (server109-228-6-236.live-servers.net [109.228.6.236]) by gabe.freedesktop.org (Postfix) with ESMTP id 49DC79E760 for ; Thu, 14 Apr 2011 02:03:56 -0700 (PDT)
In-Reply-To: <1302771827-26112-1-git-send-email-chris@chris-wilson.co.uk>
Sender: intel-gfx-bounces+gcfxdi-intel-gfx=m.gmane.org@lists.freedesktop.org
Errors-To: intel-gfx-bounces+gcfxdi-intel-gfx=m.gmane.org@lists.freedesktop.org
To: intel-gfx@lists.freedesktop.org
List-Id: intel-gfx@lists.freedesktop.org

The docs have a dire warning not to attempt to access snooped (the old
style of cache sharing on pre-SandyBridge chipsets) pages through the GTT.
Prevent userspace from doing so by sending them a SIGBUS if they try.

[Now it is possible with a bit of extra complexity to map the snooped CPU
page into the vma and return that through i915_gem_fault() instead. The
question is: is it simpler to do that workaround in the kernel than it is
to do it in userspace?]

Signed-off-by: Chris Wilson
Reviewed-by: Daniel Vetter
---
 drivers/gpu/drm/i915/i915_gem.c | 10 ++++++++++
 1 files changed, 10 insertions(+), 0 deletions(-)

diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c index dd2dc9d..1f57f99 100644 --- a/drivers/gpu/drm/i915/i915_gem.c +++ b/drivers/gpu/drm/i915/i915_gem.c
@@ -1211,6 +1211,16 @@ int i915_gem_fault(struct vm_area_struct *vma, struct vm_fault *vmf) trace_i915_gem_object_fault(obj, page_offset, true, write); + /* The docs warn of dire consequences if we try to write to a snooped + * page through the GTT. So kill the driver/app early with a SIGBUS. + */ + if (INTEL_INFO(dev)->gen < 6 && obj->cache_level != I915_CACHE_NONE) { + DRM_DEBUG("Attempting to read a snooped page through the GTT, " + "this is illegal on pre-SandyBridge chipsets.\n"); + ret = -EINVAL; + goto unlock; + } + /* Now bind it into the GTT if needed */ if (!obj->map_and_fenceable) { ret = i915_gem_object_unbind(obj); -- 1.7.4.1
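
Review bot: In the block added to i915_gem_fault(), the comment speaks of trying "to write to a snooped page" while the DRM_DEBUG text says "Attempting to read a snooped page", and the condition tests neither: it rejects every fault on an object whose cache_level is not I915_CACHE_NONE when gen < 6. Since `write` is already in scope (it is passed to the trace call just above), either make the check depend on it or reword both strings to say "access", so that they match what the code does and what the commit message describes. The commit message also promises a SIGBUS, but the hunk only sets `ret = -EINVAL` and jumps to `unlock`; the translation of ret into a fault return code lies outside the visible lines, so confirm that -EINVAL ends up as VM_FAULT_SIGBUS on that path and note the dependency in the comment.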