[v3,1/1] drm/ttm: Fix COW check

Message ID	20210712220636.475675-1-Felix.Kuehling@amd.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <SRS0=8CGg=ME=lists.freedesktop.org=dri-devel-bounces@kernel.org> DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 6022B611C1 Received-SPF: Pass (protection.outlook.com: domain of amd.com designates 165.204.84.17 as permitted sender) receiver=protection.outlook.com; client-ip=165.204.84.17; helo=SATLEXMB04.amd.com; From: Felix Kuehling <Felix.Kuehling@amd.com> To: <amd-gfx@lists.freedesktop.org>, <dri-devel@lists.freedesktop.org> Subject: [PATCH v3 1/1] drm/ttm: Fix COW check Date: Mon, 12 Jul 2021 18:06:36 -0400 Message-ID: <20210712220636.475675-1-Felix.Kuehling@amd.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain Precedence: list Cc: Alex Deucher <alexander.deucher@amd.com>, christian.koenig@amd.com Errors-To: dri-devel-bounces@lists.freedesktop.org Sender: "dri-devel" <dri-devel-bounces@lists.freedesktop.org>
Series	[v3,1/1] drm/ttm: Fix COW check \| expand [v3,1/1] drm/ttm: Fix COW check

Felix Kuehling July 12, 2021, 10:06 p.m. UTC

KFD Thunk maps invisible VRAM BOs with PROT_NONE, MAP_PRIVATE.
is_cow_mapping returns true for these mappings. Add a check for
vm_flags & VM_WRITE to avoid mmap failures on private read-only or
PROT_NONE mappings.

v2: protect against mprotect making a mapping writable after the fact
v3: update driver-specific vm_operations_structs

Fixes: f91142c62161 ("drm/ttm: nuke VM_MIXEDMAP on BO mappings v3")
Signed-off-by: Felix Kuehling <Felix.Kuehling@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
---
 drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c  |  3 ++-
 drivers/gpu/drm/nouveau/nouveau_gem.c    |  3 ++-
 drivers/gpu/drm/radeon/radeon_gem.c      |  3 ++-
 drivers/gpu/drm/ttm/ttm_bo_vm.c          | 14 +++++++++++++-
 drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c |  1 +
 include/drm/ttm/ttm_bo_api.h             |  4 ++++
 6 files changed, 24 insertions(+), 4 deletions(-)

Christian König July 13, 2021, 6:57 a.m. UTC | #1

Am 13.07.21 um 00:06 schrieb Felix Kuehling:
> KFD Thunk maps invisible VRAM BOs with PROT_NONE, MAP_PRIVATE.
> is_cow_mapping returns true for these mappings. Add a check for
> vm_flags & VM_WRITE to avoid mmap failures on private read-only or
> PROT_NONE mappings.
>
> v2: protect against mprotect making a mapping writable after the fact
> v3: update driver-specific vm_operations_structs
>
> Fixes: f91142c62161 ("drm/ttm: nuke VM_MIXEDMAP on BO mappings v3")
> Signed-off-by: Felix Kuehling <Felix.Kuehling@amd.com>
> Signed-off-by: Alex Deucher <alexander.deucher@amd.com>

Reviewed-by: Christian König <christian.koenig@amd.com>

> ---
>   drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c  |  3 ++-
>   drivers/gpu/drm/nouveau/nouveau_gem.c    |  3 ++-
>   drivers/gpu/drm/radeon/radeon_gem.c      |  3 ++-
>   drivers/gpu/drm/ttm/ttm_bo_vm.c          | 14 +++++++++++++-
>   drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c |  1 +
>   include/drm/ttm/ttm_bo_api.h             |  4 ++++
>   6 files changed, 24 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
> index b3404c43a911..1aa750a6a5d2 100644
> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
> @@ -79,7 +79,8 @@ static const struct vm_operations_struct amdgpu_gem_vm_ops = {
>   	.fault = amdgpu_gem_fault,
>   	.open = ttm_bo_vm_open,
>   	.close = ttm_bo_vm_close,
> -	.access = ttm_bo_vm_access
> +	.access = ttm_bo_vm_access,
> +	.mprotect = ttm_bo_vm_mprotect
>   };
>   
>   static void amdgpu_gem_object_free(struct drm_gem_object *gobj)
> diff --git a/drivers/gpu/drm/nouveau/nouveau_gem.c b/drivers/gpu/drm/nouveau/nouveau_gem.c
> index 5b27845075a1..164ea564bb7a 100644
> --- a/drivers/gpu/drm/nouveau/nouveau_gem.c
> +++ b/drivers/gpu/drm/nouveau/nouveau_gem.c
> @@ -70,7 +70,8 @@ static const struct vm_operations_struct nouveau_ttm_vm_ops = {
>   	.fault = nouveau_ttm_fault,
>   	.open = ttm_bo_vm_open,
>   	.close = ttm_bo_vm_close,
> -	.access = ttm_bo_vm_access
> +	.access = ttm_bo_vm_access,
> +	.mprotect = ttm_bo_vm_mprotect
>   };
>   
>   void
> diff --git a/drivers/gpu/drm/radeon/radeon_gem.c b/drivers/gpu/drm/radeon/radeon_gem.c
> index 458f92a70887..c19ad07eb7b5 100644
> --- a/drivers/gpu/drm/radeon/radeon_gem.c
> +++ b/drivers/gpu/drm/radeon/radeon_gem.c
> @@ -77,7 +77,8 @@ static const struct vm_operations_struct radeon_gem_vm_ops = {
>   	.fault = radeon_gem_fault,
>   	.open = ttm_bo_vm_open,
>   	.close = ttm_bo_vm_close,
> -	.access = ttm_bo_vm_access
> +	.access = ttm_bo_vm_access,
> +	.mprotect = ttm_bo_vm_mprotect
>   };
>   
>   static void radeon_gem_object_free(struct drm_gem_object *gobj)
> diff --git a/drivers/gpu/drm/ttm/ttm_bo_vm.c b/drivers/gpu/drm/ttm/ttm_bo_vm.c
> index f56be5bc0861..fb325bad5db6 100644
> --- a/drivers/gpu/drm/ttm/ttm_bo_vm.c
> +++ b/drivers/gpu/drm/ttm/ttm_bo_vm.c
> @@ -542,17 +542,29 @@ int ttm_bo_vm_access(struct vm_area_struct *vma, unsigned long addr,
>   }
>   EXPORT_SYMBOL(ttm_bo_vm_access);
>   
> +int ttm_bo_vm_mprotect(struct vm_area_struct *vma, unsigned long start,
> +		       unsigned long end, unsigned long newflags)
> +{
> +	/* Enforce no COW since would have really strange behavior with it. */
> +	if (is_cow_mapping(newflags) && (newflags & VM_WRITE))
> +		return -EINVAL;
> +
> +	return 0;
> +}
> +EXPORT_SYMBOL(ttm_bo_vm_mprotect);
> +
>   static const struct vm_operations_struct ttm_bo_vm_ops = {
>   	.fault = ttm_bo_vm_fault,
>   	.open = ttm_bo_vm_open,
>   	.close = ttm_bo_vm_close,
>   	.access = ttm_bo_vm_access,
> +	.mprotect = ttm_bo_vm_mprotect,
>   };
>   
>   int ttm_bo_mmap_obj(struct vm_area_struct *vma, struct ttm_buffer_object *bo)
>   {
>   	/* Enforce no COW since would have really strange behavior with it. */
> -	if (is_cow_mapping(vma->vm_flags))
> +	if (is_cow_mapping(vma->vm_flags) && (vma->vm_flags & VM_WRITE))
>   		return -EINVAL;
>   
>   	ttm_bo_get(bo);
> diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c b/drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c
> index e6b1f98ec99f..e4bf7dc99320 100644
> --- a/drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c
> +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c
> @@ -61,6 +61,7 @@ int vmw_mmap(struct file *filp, struct vm_area_struct *vma)
>   		.fault = vmw_bo_vm_fault,
>   		.open = ttm_bo_vm_open,
>   		.close = ttm_bo_vm_close,
> +		.mprotect = ttm_bo_vm_mprotect,
>   #ifdef CONFIG_TRANSPARENT_HUGEPAGE
>   		.huge_fault = vmw_bo_vm_huge_fault,
>   #endif
> diff --git a/include/drm/ttm/ttm_bo_api.h b/include/drm/ttm/ttm_bo_api.h
> index f681bbdbc698..40eb95875355 100644
> --- a/include/drm/ttm/ttm_bo_api.h
> +++ b/include/drm/ttm/ttm_bo_api.h
> @@ -605,6 +605,10 @@ void ttm_bo_vm_close(struct vm_area_struct *vma);
>   
>   int ttm_bo_vm_access(struct vm_area_struct *vma, unsigned long addr,
>   		     void *buf, int len, int write);
> +
> +int ttm_bo_vm_mprotect(struct vm_area_struct *vma, unsigned long start,
> +		       unsigned long end, unsigned long newflags);
> +
>   bool ttm_bo_delayed_delete(struct ttm_device *bdev, bool remove_all);
>   
>   vm_fault_t ttm_bo_vm_dummy_page(struct vm_fault *vmf, pgprot_t prot);

Alex Deucher July 13, 2021, 3:28 p.m. UTC | #2

On Tue, Jul 13, 2021 at 2:57 AM Christian König
<ckoenig.leichtzumerken@gmail.com> wrote:
>
>
>
> Am 13.07.21 um 00:06 schrieb Felix Kuehling:
> > KFD Thunk maps invisible VRAM BOs with PROT_NONE, MAP_PRIVATE.
> > is_cow_mapping returns true for these mappings. Add a check for
> > vm_flags & VM_WRITE to avoid mmap failures on private read-only or
> > PROT_NONE mappings.
> >
> > v2: protect against mprotect making a mapping writable after the fact
> > v3: update driver-specific vm_operations_structs
> >
> > Fixes: f91142c62161 ("drm/ttm: nuke VM_MIXEDMAP on BO mappings v3")
> > Signed-off-by: Felix Kuehling <Felix.Kuehling@amd.com>
> > Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
>
> Reviewed-by: Christian König <christian.koenig@amd.com>

Are you planning to push this to drm-misc?

Alex

>
> > ---
> >   drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c  |  3 ++-
> >   drivers/gpu/drm/nouveau/nouveau_gem.c    |  3 ++-
> >   drivers/gpu/drm/radeon/radeon_gem.c      |  3 ++-
> >   drivers/gpu/drm/ttm/ttm_bo_vm.c          | 14 +++++++++++++-
> >   drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c |  1 +
> >   include/drm/ttm/ttm_bo_api.h             |  4 ++++
> >   6 files changed, 24 insertions(+), 4 deletions(-)
> >
> > diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
> > index b3404c43a911..1aa750a6a5d2 100644
> > --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
> > +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
> > @@ -79,7 +79,8 @@ static const struct vm_operations_struct amdgpu_gem_vm_ops = {
> >       .fault = amdgpu_gem_fault,
> >       .open = ttm_bo_vm_open,
> >       .close = ttm_bo_vm_close,
> > -     .access = ttm_bo_vm_access
> > +     .access = ttm_bo_vm_access,
> > +     .mprotect = ttm_bo_vm_mprotect
> >   };
> >
> >   static void amdgpu_gem_object_free(struct drm_gem_object *gobj)
> > diff --git a/drivers/gpu/drm/nouveau/nouveau_gem.c b/drivers/gpu/drm/nouveau/nouveau_gem.c
> > index 5b27845075a1..164ea564bb7a 100644
> > --- a/drivers/gpu/drm/nouveau/nouveau_gem.c
> > +++ b/drivers/gpu/drm/nouveau/nouveau_gem.c
> > @@ -70,7 +70,8 @@ static const struct vm_operations_struct nouveau_ttm_vm_ops = {
> >       .fault = nouveau_ttm_fault,
> >       .open = ttm_bo_vm_open,
> >       .close = ttm_bo_vm_close,
> > -     .access = ttm_bo_vm_access
> > +     .access = ttm_bo_vm_access,
> > +     .mprotect = ttm_bo_vm_mprotect
> >   };
> >
> >   void
> > diff --git a/drivers/gpu/drm/radeon/radeon_gem.c b/drivers/gpu/drm/radeon/radeon_gem.c
> > index 458f92a70887..c19ad07eb7b5 100644
> > --- a/drivers/gpu/drm/radeon/radeon_gem.c
> > +++ b/drivers/gpu/drm/radeon/radeon_gem.c
> > @@ -77,7 +77,8 @@ static const struct vm_operations_struct radeon_gem_vm_ops = {
> >       .fault = radeon_gem_fault,
> >       .open = ttm_bo_vm_open,
> >       .close = ttm_bo_vm_close,
> > -     .access = ttm_bo_vm_access
> > +     .access = ttm_bo_vm_access,
> > +     .mprotect = ttm_bo_vm_mprotect
> >   };
> >
> >   static void radeon_gem_object_free(struct drm_gem_object *gobj)
> > diff --git a/drivers/gpu/drm/ttm/ttm_bo_vm.c b/drivers/gpu/drm/ttm/ttm_bo_vm.c
> > index f56be5bc0861..fb325bad5db6 100644
> > --- a/drivers/gpu/drm/ttm/ttm_bo_vm.c
> > +++ b/drivers/gpu/drm/ttm/ttm_bo_vm.c
> > @@ -542,17 +542,29 @@ int ttm_bo_vm_access(struct vm_area_struct *vma, unsigned long addr,
> >   }
> >   EXPORT_SYMBOL(ttm_bo_vm_access);
> >
> > +int ttm_bo_vm_mprotect(struct vm_area_struct *vma, unsigned long start,
> > +                    unsigned long end, unsigned long newflags)
> > +{
> > +     /* Enforce no COW since would have really strange behavior with it. */
> > +     if (is_cow_mapping(newflags) && (newflags & VM_WRITE))
> > +             return -EINVAL;
> > +
> > +     return 0;
> > +}
> > +EXPORT_SYMBOL(ttm_bo_vm_mprotect);
> > +
> >   static const struct vm_operations_struct ttm_bo_vm_ops = {
> >       .fault = ttm_bo_vm_fault,
> >       .open = ttm_bo_vm_open,
> >       .close = ttm_bo_vm_close,
> >       .access = ttm_bo_vm_access,
> > +     .mprotect = ttm_bo_vm_mprotect,
> >   };
> >
> >   int ttm_bo_mmap_obj(struct vm_area_struct *vma, struct ttm_buffer_object *bo)
> >   {
> >       /* Enforce no COW since would have really strange behavior with it. */
> > -     if (is_cow_mapping(vma->vm_flags))
> > +     if (is_cow_mapping(vma->vm_flags) && (vma->vm_flags & VM_WRITE))
> >               return -EINVAL;
> >
> >       ttm_bo_get(bo);
> > diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c b/drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c
> > index e6b1f98ec99f..e4bf7dc99320 100644
> > --- a/drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c
> > +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c
> > @@ -61,6 +61,7 @@ int vmw_mmap(struct file *filp, struct vm_area_struct *vma)
> >               .fault = vmw_bo_vm_fault,
> >               .open = ttm_bo_vm_open,
> >               .close = ttm_bo_vm_close,
> > +             .mprotect = ttm_bo_vm_mprotect,
> >   #ifdef CONFIG_TRANSPARENT_HUGEPAGE
> >               .huge_fault = vmw_bo_vm_huge_fault,
> >   #endif
> > diff --git a/include/drm/ttm/ttm_bo_api.h b/include/drm/ttm/ttm_bo_api.h
> > index f681bbdbc698..40eb95875355 100644
> > --- a/include/drm/ttm/ttm_bo_api.h
> > +++ b/include/drm/ttm/ttm_bo_api.h
> > @@ -605,6 +605,10 @@ void ttm_bo_vm_close(struct vm_area_struct *vma);
> >
> >   int ttm_bo_vm_access(struct vm_area_struct *vma, unsigned long addr,
> >                    void *buf, int len, int write);
> > +
> > +int ttm_bo_vm_mprotect(struct vm_area_struct *vma, unsigned long start,
> > +                    unsigned long end, unsigned long newflags);
> > +
> >   bool ttm_bo_delayed_delete(struct ttm_device *bdev, bool remove_all);
> >
> >   vm_fault_t ttm_bo_vm_dummy_page(struct vm_fault *vmf, pgprot_t prot);
>

Felix Kuehling July 13, 2021, 3:29 p.m. UTC | #3

Am 2021-07-13 um 2:57 a.m. schrieb Christian König:
>
>
> Am 13.07.21 um 00:06 schrieb Felix Kuehling:
>> KFD Thunk maps invisible VRAM BOs with PROT_NONE, MAP_PRIVATE.
>> is_cow_mapping returns true for these mappings. Add a check for
>> vm_flags & VM_WRITE to avoid mmap failures on private read-only or
>> PROT_NONE mappings.
>>
>> v2: protect against mprotect making a mapping writable after the fact
>> v3: update driver-specific vm_operations_structs
>>
>> Fixes: f91142c62161 ("drm/ttm: nuke VM_MIXEDMAP on BO mappings v3")
>> Signed-off-by: Felix Kuehling <Felix.Kuehling@amd.com>
>> Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
>
> Reviewed-by: Christian König <christian.koenig@amd.com>

Thank you!

Alex, this patch is against your updated amd-staging-drm-next branch.
Please replace my previous version of the patch with this one.

Thanks,
  Felix


>
>> ---
>>   drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c  |  3 ++-
>>   drivers/gpu/drm/nouveau/nouveau_gem.c    |  3 ++-
>>   drivers/gpu/drm/radeon/radeon_gem.c      |  3 ++-
>>   drivers/gpu/drm/ttm/ttm_bo_vm.c          | 14 +++++++++++++-
>>   drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c |  1 +
>>   include/drm/ttm/ttm_bo_api.h             |  4 ++++
>>   6 files changed, 24 insertions(+), 4 deletions(-)
>>
>> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
>> b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
>> index b3404c43a911..1aa750a6a5d2 100644
>> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
>> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
>> @@ -79,7 +79,8 @@ static const struct vm_operations_struct
>> amdgpu_gem_vm_ops = {
>>       .fault = amdgpu_gem_fault,
>>       .open = ttm_bo_vm_open,
>>       .close = ttm_bo_vm_close,
>> -    .access = ttm_bo_vm_access
>> +    .access = ttm_bo_vm_access,
>> +    .mprotect = ttm_bo_vm_mprotect
>>   };
>>     static void amdgpu_gem_object_free(struct drm_gem_object *gobj)
>> diff --git a/drivers/gpu/drm/nouveau/nouveau_gem.c
>> b/drivers/gpu/drm/nouveau/nouveau_gem.c
>> index 5b27845075a1..164ea564bb7a 100644
>> --- a/drivers/gpu/drm/nouveau/nouveau_gem.c
>> +++ b/drivers/gpu/drm/nouveau/nouveau_gem.c
>> @@ -70,7 +70,8 @@ static const struct vm_operations_struct
>> nouveau_ttm_vm_ops = {
>>       .fault = nouveau_ttm_fault,
>>       .open = ttm_bo_vm_open,
>>       .close = ttm_bo_vm_close,
>> -    .access = ttm_bo_vm_access
>> +    .access = ttm_bo_vm_access,
>> +    .mprotect = ttm_bo_vm_mprotect
>>   };
>>     void
>> diff --git a/drivers/gpu/drm/radeon/radeon_gem.c
>> b/drivers/gpu/drm/radeon/radeon_gem.c
>> index 458f92a70887..c19ad07eb7b5 100644
>> --- a/drivers/gpu/drm/radeon/radeon_gem.c
>> +++ b/drivers/gpu/drm/radeon/radeon_gem.c
>> @@ -77,7 +77,8 @@ static const struct vm_operations_struct
>> radeon_gem_vm_ops = {
>>       .fault = radeon_gem_fault,
>>       .open = ttm_bo_vm_open,
>>       .close = ttm_bo_vm_close,
>> -    .access = ttm_bo_vm_access
>> +    .access = ttm_bo_vm_access,
>> +    .mprotect = ttm_bo_vm_mprotect
>>   };
>>     static void radeon_gem_object_free(struct drm_gem_object *gobj)
>> diff --git a/drivers/gpu/drm/ttm/ttm_bo_vm.c
>> b/drivers/gpu/drm/ttm/ttm_bo_vm.c
>> index f56be5bc0861..fb325bad5db6 100644
>> --- a/drivers/gpu/drm/ttm/ttm_bo_vm.c
>> +++ b/drivers/gpu/drm/ttm/ttm_bo_vm.c
>> @@ -542,17 +542,29 @@ int ttm_bo_vm_access(struct vm_area_struct
>> *vma, unsigned long addr,
>>   }
>>   EXPORT_SYMBOL(ttm_bo_vm_access);
>>   +int ttm_bo_vm_mprotect(struct vm_area_struct *vma, unsigned long
>> start,
>> +               unsigned long end, unsigned long newflags)
>> +{
>> +    /* Enforce no COW since would have really strange behavior with
>> it. */
>> +    if (is_cow_mapping(newflags) && (newflags & VM_WRITE))
>> +        return -EINVAL;
>> +
>> +    return 0;
>> +}
>> +EXPORT_SYMBOL(ttm_bo_vm_mprotect);
>> +
>>   static const struct vm_operations_struct ttm_bo_vm_ops = {
>>       .fault = ttm_bo_vm_fault,
>>       .open = ttm_bo_vm_open,
>>       .close = ttm_bo_vm_close,
>>       .access = ttm_bo_vm_access,
>> +    .mprotect = ttm_bo_vm_mprotect,
>>   };
>>     int ttm_bo_mmap_obj(struct vm_area_struct *vma, struct
>> ttm_buffer_object *bo)
>>   {
>>       /* Enforce no COW since would have really strange behavior with
>> it. */
>> -    if (is_cow_mapping(vma->vm_flags))
>> +    if (is_cow_mapping(vma->vm_flags) && (vma->vm_flags & VM_WRITE))
>>           return -EINVAL;
>>         ttm_bo_get(bo);
>> diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c
>> b/drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c
>> index e6b1f98ec99f..e4bf7dc99320 100644
>> --- a/drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c
>> +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c
>> @@ -61,6 +61,7 @@ int vmw_mmap(struct file *filp, struct
>> vm_area_struct *vma)
>>           .fault = vmw_bo_vm_fault,
>>           .open = ttm_bo_vm_open,
>>           .close = ttm_bo_vm_close,
>> +        .mprotect = ttm_bo_vm_mprotect,
>>   #ifdef CONFIG_TRANSPARENT_HUGEPAGE
>>           .huge_fault = vmw_bo_vm_huge_fault,
>>   #endif
>> diff --git a/include/drm/ttm/ttm_bo_api.h b/include/drm/ttm/ttm_bo_api.h
>> index f681bbdbc698..40eb95875355 100644
>> --- a/include/drm/ttm/ttm_bo_api.h
>> +++ b/include/drm/ttm/ttm_bo_api.h
>> @@ -605,6 +605,10 @@ void ttm_bo_vm_close(struct vm_area_struct *vma);
>>     int ttm_bo_vm_access(struct vm_area_struct *vma, unsigned long addr,
>>                void *buf, int len, int write);
>> +
>> +int ttm_bo_vm_mprotect(struct vm_area_struct *vma, unsigned long start,
>> +               unsigned long end, unsigned long newflags);
>> +
>>   bool ttm_bo_delayed_delete(struct ttm_device *bdev, bool remove_all);
>>     vm_fault_t ttm_bo_vm_dummy_page(struct vm_fault *vmf, pgprot_t
>> prot);
>

Christian König July 14, 2021, 8:51 a.m. UTC | #4

Am 13.07.21 um 17:28 schrieb Alex Deucher:
> On Tue, Jul 13, 2021 at 2:57 AM Christian König
> <ckoenig.leichtzumerken@gmail.com> wrote:
>>
>>
>> Am 13.07.21 um 00:06 schrieb Felix Kuehling:
>>> KFD Thunk maps invisible VRAM BOs with PROT_NONE, MAP_PRIVATE.
>>> is_cow_mapping returns true for these mappings. Add a check for
>>> vm_flags & VM_WRITE to avoid mmap failures on private read-only or
>>> PROT_NONE mappings.
>>>
>>> v2: protect against mprotect making a mapping writable after the fact
>>> v3: update driver-specific vm_operations_structs
>>>
>>> Fixes: f91142c62161 ("drm/ttm: nuke VM_MIXEDMAP on BO mappings v3")
>>> Signed-off-by: Felix Kuehling <Felix.Kuehling@amd.com>
>>> Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
>> Reviewed-by: Christian König <christian.koenig@amd.com>
> Are you planning to push this to drm-misc?

Yes, just didn't found time yesterday.

Christian.

>
> Alex
>
>>> ---
>>>    drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c  |  3 ++-
>>>    drivers/gpu/drm/nouveau/nouveau_gem.c    |  3 ++-
>>>    drivers/gpu/drm/radeon/radeon_gem.c      |  3 ++-
>>>    drivers/gpu/drm/ttm/ttm_bo_vm.c          | 14 +++++++++++++-
>>>    drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c |  1 +
>>>    include/drm/ttm/ttm_bo_api.h             |  4 ++++
>>>    6 files changed, 24 insertions(+), 4 deletions(-)
>>>
>>> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
>>> index b3404c43a911..1aa750a6a5d2 100644
>>> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
>>> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
>>> @@ -79,7 +79,8 @@ static const struct vm_operations_struct amdgpu_gem_vm_ops = {
>>>        .fault = amdgpu_gem_fault,
>>>        .open = ttm_bo_vm_open,
>>>        .close = ttm_bo_vm_close,
>>> -     .access = ttm_bo_vm_access
>>> +     .access = ttm_bo_vm_access,
>>> +     .mprotect = ttm_bo_vm_mprotect
>>>    };
>>>
>>>    static void amdgpu_gem_object_free(struct drm_gem_object *gobj)
>>> diff --git a/drivers/gpu/drm/nouveau/nouveau_gem.c b/drivers/gpu/drm/nouveau/nouveau_gem.c
>>> index 5b27845075a1..164ea564bb7a 100644
>>> --- a/drivers/gpu/drm/nouveau/nouveau_gem.c
>>> +++ b/drivers/gpu/drm/nouveau/nouveau_gem.c
>>> @@ -70,7 +70,8 @@ static const struct vm_operations_struct nouveau_ttm_vm_ops = {
>>>        .fault = nouveau_ttm_fault,
>>>        .open = ttm_bo_vm_open,
>>>        .close = ttm_bo_vm_close,
>>> -     .access = ttm_bo_vm_access
>>> +     .access = ttm_bo_vm_access,
>>> +     .mprotect = ttm_bo_vm_mprotect
>>>    };
>>>
>>>    void
>>> diff --git a/drivers/gpu/drm/radeon/radeon_gem.c b/drivers/gpu/drm/radeon/radeon_gem.c
>>> index 458f92a70887..c19ad07eb7b5 100644
>>> --- a/drivers/gpu/drm/radeon/radeon_gem.c
>>> +++ b/drivers/gpu/drm/radeon/radeon_gem.c
>>> @@ -77,7 +77,8 @@ static const struct vm_operations_struct radeon_gem_vm_ops = {
>>>        .fault = radeon_gem_fault,
>>>        .open = ttm_bo_vm_open,
>>>        .close = ttm_bo_vm_close,
>>> -     .access = ttm_bo_vm_access
>>> +     .access = ttm_bo_vm_access,
>>> +     .mprotect = ttm_bo_vm_mprotect
>>>    };
>>>
>>>    static void radeon_gem_object_free(struct drm_gem_object *gobj)
>>> diff --git a/drivers/gpu/drm/ttm/ttm_bo_vm.c b/drivers/gpu/drm/ttm/ttm_bo_vm.c
>>> index f56be5bc0861..fb325bad5db6 100644
>>> --- a/drivers/gpu/drm/ttm/ttm_bo_vm.c
>>> +++ b/drivers/gpu/drm/ttm/ttm_bo_vm.c
>>> @@ -542,17 +542,29 @@ int ttm_bo_vm_access(struct vm_area_struct *vma, unsigned long addr,
>>>    }
>>>    EXPORT_SYMBOL(ttm_bo_vm_access);
>>>
>>> +int ttm_bo_vm_mprotect(struct vm_area_struct *vma, unsigned long start,
>>> +                    unsigned long end, unsigned long newflags)
>>> +{
>>> +     /* Enforce no COW since would have really strange behavior with it. */
>>> +     if (is_cow_mapping(newflags) && (newflags & VM_WRITE))
>>> +             return -EINVAL;
>>> +
>>> +     return 0;
>>> +}
>>> +EXPORT_SYMBOL(ttm_bo_vm_mprotect);
>>> +
>>>    static const struct vm_operations_struct ttm_bo_vm_ops = {
>>>        .fault = ttm_bo_vm_fault,
>>>        .open = ttm_bo_vm_open,
>>>        .close = ttm_bo_vm_close,
>>>        .access = ttm_bo_vm_access,
>>> +     .mprotect = ttm_bo_vm_mprotect,
>>>    };
>>>
>>>    int ttm_bo_mmap_obj(struct vm_area_struct *vma, struct ttm_buffer_object *bo)
>>>    {
>>>        /* Enforce no COW since would have really strange behavior with it. */
>>> -     if (is_cow_mapping(vma->vm_flags))
>>> +     if (is_cow_mapping(vma->vm_flags) && (vma->vm_flags & VM_WRITE))
>>>                return -EINVAL;
>>>
>>>        ttm_bo_get(bo);
>>> diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c b/drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c
>>> index e6b1f98ec99f..e4bf7dc99320 100644
>>> --- a/drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c
>>> +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c
>>> @@ -61,6 +61,7 @@ int vmw_mmap(struct file *filp, struct vm_area_struct *vma)
>>>                .fault = vmw_bo_vm_fault,
>>>                .open = ttm_bo_vm_open,
>>>                .close = ttm_bo_vm_close,
>>> +             .mprotect = ttm_bo_vm_mprotect,
>>>    #ifdef CONFIG_TRANSPARENT_HUGEPAGE
>>>                .huge_fault = vmw_bo_vm_huge_fault,
>>>    #endif
>>> diff --git a/include/drm/ttm/ttm_bo_api.h b/include/drm/ttm/ttm_bo_api.h
>>> index f681bbdbc698..40eb95875355 100644
>>> --- a/include/drm/ttm/ttm_bo_api.h
>>> +++ b/include/drm/ttm/ttm_bo_api.h
>>> @@ -605,6 +605,10 @@ void ttm_bo_vm_close(struct vm_area_struct *vma);
>>>
>>>    int ttm_bo_vm_access(struct vm_area_struct *vma, unsigned long addr,
>>>                     void *buf, int len, int write);
>>> +
>>> +int ttm_bo_vm_mprotect(struct vm_area_struct *vma, unsigned long start,
>>> +                    unsigned long end, unsigned long newflags);
>>> +
>>>    bool ttm_bo_delayed_delete(struct ttm_device *bdev, bool remove_all);
>>>
>>>    vm_fault_t ttm_bo_vm_dummy_page(struct vm_fault *vmf, pgprot_t prot);

Daniel Vetter July 14, 2021, 10:44 a.m. UTC | #5

On Mon, Jul 12, 2021 at 06:06:36PM -0400, Felix Kuehling wrote:
> KFD Thunk maps invisible VRAM BOs with PROT_NONE, MAP_PRIVATE.
> is_cow_mapping returns true for these mappings. Add a check for
> vm_flags & VM_WRITE to avoid mmap failures on private read-only or
> PROT_NONE mappings.
> 
> v2: protect against mprotect making a mapping writable after the fact
> v3: update driver-specific vm_operations_structs
> 
> Fixes: f91142c62161 ("drm/ttm: nuke VM_MIXEDMAP on BO mappings v3")
> Signed-off-by: Felix Kuehling <Felix.Kuehling@amd.com>
> Signed-off-by: Alex Deucher <alexander.deucher@amd.com>

So looking at vmf_insert_pfn_prot() and the comment there we can't have
VM_PFNMAP and is_cow_mapping ever be true, or things break. On platforms
without pte_special at least.

So I'm not sure this is a great idea, and definitely not for all drivers
...

Can we clear VM_MAYWRITE instead to force this to be a non-cow mapping
instead?
-Daniel

> ---
>  drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c  |  3 ++-
>  drivers/gpu/drm/nouveau/nouveau_gem.c    |  3 ++-
>  drivers/gpu/drm/radeon/radeon_gem.c      |  3 ++-
>  drivers/gpu/drm/ttm/ttm_bo_vm.c          | 14 +++++++++++++-
>  drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c |  1 +
>  include/drm/ttm/ttm_bo_api.h             |  4 ++++
>  6 files changed, 24 insertions(+), 4 deletions(-)
> 
> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
> index b3404c43a911..1aa750a6a5d2 100644
> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
> @@ -79,7 +79,8 @@ static const struct vm_operations_struct amdgpu_gem_vm_ops = {
>  	.fault = amdgpu_gem_fault,
>  	.open = ttm_bo_vm_open,
>  	.close = ttm_bo_vm_close,
> -	.access = ttm_bo_vm_access
> +	.access = ttm_bo_vm_access,
> +	.mprotect = ttm_bo_vm_mprotect
>  };
>  
>  static void amdgpu_gem_object_free(struct drm_gem_object *gobj)
> diff --git a/drivers/gpu/drm/nouveau/nouveau_gem.c b/drivers/gpu/drm/nouveau/nouveau_gem.c
> index 5b27845075a1..164ea564bb7a 100644
> --- a/drivers/gpu/drm/nouveau/nouveau_gem.c
> +++ b/drivers/gpu/drm/nouveau/nouveau_gem.c
> @@ -70,7 +70,8 @@ static const struct vm_operations_struct nouveau_ttm_vm_ops = {
>  	.fault = nouveau_ttm_fault,
>  	.open = ttm_bo_vm_open,
>  	.close = ttm_bo_vm_close,
> -	.access = ttm_bo_vm_access
> +	.access = ttm_bo_vm_access,
> +	.mprotect = ttm_bo_vm_mprotect
>  };
>  
>  void
> diff --git a/drivers/gpu/drm/radeon/radeon_gem.c b/drivers/gpu/drm/radeon/radeon_gem.c
> index 458f92a70887..c19ad07eb7b5 100644
> --- a/drivers/gpu/drm/radeon/radeon_gem.c
> +++ b/drivers/gpu/drm/radeon/radeon_gem.c
> @@ -77,7 +77,8 @@ static const struct vm_operations_struct radeon_gem_vm_ops = {
>  	.fault = radeon_gem_fault,
>  	.open = ttm_bo_vm_open,
>  	.close = ttm_bo_vm_close,
> -	.access = ttm_bo_vm_access
> +	.access = ttm_bo_vm_access,
> +	.mprotect = ttm_bo_vm_mprotect
>  };
>  
>  static void radeon_gem_object_free(struct drm_gem_object *gobj)
> diff --git a/drivers/gpu/drm/ttm/ttm_bo_vm.c b/drivers/gpu/drm/ttm/ttm_bo_vm.c
> index f56be5bc0861..fb325bad5db6 100644
> --- a/drivers/gpu/drm/ttm/ttm_bo_vm.c
> +++ b/drivers/gpu/drm/ttm/ttm_bo_vm.c
> @@ -542,17 +542,29 @@ int ttm_bo_vm_access(struct vm_area_struct *vma, unsigned long addr,
>  }
>  EXPORT_SYMBOL(ttm_bo_vm_access);
>  
> +int ttm_bo_vm_mprotect(struct vm_area_struct *vma, unsigned long start,
> +		       unsigned long end, unsigned long newflags)
> +{
> +	/* Enforce no COW since would have really strange behavior with it. */
> +	if (is_cow_mapping(newflags) && (newflags & VM_WRITE))
> +		return -EINVAL;
> +
> +	return 0;
> +}
> +EXPORT_SYMBOL(ttm_bo_vm_mprotect);
> +
>  static const struct vm_operations_struct ttm_bo_vm_ops = {
>  	.fault = ttm_bo_vm_fault,
>  	.open = ttm_bo_vm_open,
>  	.close = ttm_bo_vm_close,
>  	.access = ttm_bo_vm_access,
> +	.mprotect = ttm_bo_vm_mprotect,
>  };
>  
>  int ttm_bo_mmap_obj(struct vm_area_struct *vma, struct ttm_buffer_object *bo)
>  {
>  	/* Enforce no COW since would have really strange behavior with it. */
> -	if (is_cow_mapping(vma->vm_flags))
> +	if (is_cow_mapping(vma->vm_flags) && (vma->vm_flags & VM_WRITE))
>  		return -EINVAL;
>  
>  	ttm_bo_get(bo);
> diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c b/drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c
> index e6b1f98ec99f..e4bf7dc99320 100644
> --- a/drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c
> +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c
> @@ -61,6 +61,7 @@ int vmw_mmap(struct file *filp, struct vm_area_struct *vma)
>  		.fault = vmw_bo_vm_fault,
>  		.open = ttm_bo_vm_open,
>  		.close = ttm_bo_vm_close,
> +		.mprotect = ttm_bo_vm_mprotect,
>  #ifdef CONFIG_TRANSPARENT_HUGEPAGE
>  		.huge_fault = vmw_bo_vm_huge_fault,
>  #endif
> diff --git a/include/drm/ttm/ttm_bo_api.h b/include/drm/ttm/ttm_bo_api.h
> index f681bbdbc698..40eb95875355 100644
> --- a/include/drm/ttm/ttm_bo_api.h
> +++ b/include/drm/ttm/ttm_bo_api.h
> @@ -605,6 +605,10 @@ void ttm_bo_vm_close(struct vm_area_struct *vma);
>  
>  int ttm_bo_vm_access(struct vm_area_struct *vma, unsigned long addr,
>  		     void *buf, int len, int write);
> +
> +int ttm_bo_vm_mprotect(struct vm_area_struct *vma, unsigned long start,
> +		       unsigned long end, unsigned long newflags);
> +
>  bool ttm_bo_delayed_delete(struct ttm_device *bdev, bool remove_all);
>  
>  vm_fault_t ttm_bo_vm_dummy_page(struct vm_fault *vmf, pgprot_t prot);
> -- 
> 2.32.0
>

Daniel Vetter July 14, 2021, 10:46 a.m. UTC | #6

On Wed, Jul 14, 2021 at 12:44:00PM +0200, Daniel Vetter wrote:
> On Mon, Jul 12, 2021 at 06:06:36PM -0400, Felix Kuehling wrote:
> > KFD Thunk maps invisible VRAM BOs with PROT_NONE, MAP_PRIVATE.
> > is_cow_mapping returns true for these mappings. Add a check for
> > vm_flags & VM_WRITE to avoid mmap failures on private read-only or
> > PROT_NONE mappings.
> > 
> > v2: protect against mprotect making a mapping writable after the fact
> > v3: update driver-specific vm_operations_structs
> > 
> > Fixes: f91142c62161 ("drm/ttm: nuke VM_MIXEDMAP on BO mappings v3")
> > Signed-off-by: Felix Kuehling <Felix.Kuehling@amd.com>
> > Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
> 
> So looking at vmf_insert_pfn_prot() and the comment there we can't have
> VM_PFNMAP and is_cow_mapping ever be true, or things break. On platforms
> without pte_special at least.
> 
> So I'm not sure this is a great idea, and definitely not for all drivers
> ...
> 
> Can we clear VM_MAYWRITE instead to force this to be a non-cow mapping
> instead?

Quick git grep says there's plenty of drivers which clear MAYWRITE, and
often with comments to block mprotect upfront. That feels like the cleaner
approach, and maybe limited to an overwrite in just amdgpu with a comment
explaining why it's needed? As in amdgpu mmap function which just clears
VM_MAYWRITE if it's a cow mapping and then calls into ttm mmap
implementation.
-Daniel

> > ---
> >  drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c  |  3 ++-
> >  drivers/gpu/drm/nouveau/nouveau_gem.c    |  3 ++-
> >  drivers/gpu/drm/radeon/radeon_gem.c      |  3 ++-
> >  drivers/gpu/drm/ttm/ttm_bo_vm.c          | 14 +++++++++++++-
> >  drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c |  1 +
> >  include/drm/ttm/ttm_bo_api.h             |  4 ++++
> >  6 files changed, 24 insertions(+), 4 deletions(-)
> > 
> > diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
> > index b3404c43a911..1aa750a6a5d2 100644
> > --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
> > +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
> > @@ -79,7 +79,8 @@ static const struct vm_operations_struct amdgpu_gem_vm_ops = {
> >  	.fault = amdgpu_gem_fault,
> >  	.open = ttm_bo_vm_open,
> >  	.close = ttm_bo_vm_close,
> > -	.access = ttm_bo_vm_access
> > +	.access = ttm_bo_vm_access,
> > +	.mprotect = ttm_bo_vm_mprotect
> >  };
> >  
> >  static void amdgpu_gem_object_free(struct drm_gem_object *gobj)
> > diff --git a/drivers/gpu/drm/nouveau/nouveau_gem.c b/drivers/gpu/drm/nouveau/nouveau_gem.c
> > index 5b27845075a1..164ea564bb7a 100644
> > --- a/drivers/gpu/drm/nouveau/nouveau_gem.c
> > +++ b/drivers/gpu/drm/nouveau/nouveau_gem.c
> > @@ -70,7 +70,8 @@ static const struct vm_operations_struct nouveau_ttm_vm_ops = {
> >  	.fault = nouveau_ttm_fault,
> >  	.open = ttm_bo_vm_open,
> >  	.close = ttm_bo_vm_close,
> > -	.access = ttm_bo_vm_access
> > +	.access = ttm_bo_vm_access,
> > +	.mprotect = ttm_bo_vm_mprotect
> >  };
> >  
> >  void
> > diff --git a/drivers/gpu/drm/radeon/radeon_gem.c b/drivers/gpu/drm/radeon/radeon_gem.c
> > index 458f92a70887..c19ad07eb7b5 100644
> > --- a/drivers/gpu/drm/radeon/radeon_gem.c
> > +++ b/drivers/gpu/drm/radeon/radeon_gem.c
> > @@ -77,7 +77,8 @@ static const struct vm_operations_struct radeon_gem_vm_ops = {
> >  	.fault = radeon_gem_fault,
> >  	.open = ttm_bo_vm_open,
> >  	.close = ttm_bo_vm_close,
> > -	.access = ttm_bo_vm_access
> > +	.access = ttm_bo_vm_access,
> > +	.mprotect = ttm_bo_vm_mprotect
> >  };
> >  
> >  static void radeon_gem_object_free(struct drm_gem_object *gobj)
> > diff --git a/drivers/gpu/drm/ttm/ttm_bo_vm.c b/drivers/gpu/drm/ttm/ttm_bo_vm.c
> > index f56be5bc0861..fb325bad5db6 100644
> > --- a/drivers/gpu/drm/ttm/ttm_bo_vm.c
> > +++ b/drivers/gpu/drm/ttm/ttm_bo_vm.c
> > @@ -542,17 +542,29 @@ int ttm_bo_vm_access(struct vm_area_struct *vma, unsigned long addr,
> >  }
> >  EXPORT_SYMBOL(ttm_bo_vm_access);
> >  
> > +int ttm_bo_vm_mprotect(struct vm_area_struct *vma, unsigned long start,
> > +		       unsigned long end, unsigned long newflags)
> > +{
> > +	/* Enforce no COW since would have really strange behavior with it. */
> > +	if (is_cow_mapping(newflags) && (newflags & VM_WRITE))
> > +		return -EINVAL;
> > +
> > +	return 0;
> > +}
> > +EXPORT_SYMBOL(ttm_bo_vm_mprotect);
> > +
> >  static const struct vm_operations_struct ttm_bo_vm_ops = {
> >  	.fault = ttm_bo_vm_fault,
> >  	.open = ttm_bo_vm_open,
> >  	.close = ttm_bo_vm_close,
> >  	.access = ttm_bo_vm_access,
> > +	.mprotect = ttm_bo_vm_mprotect,
> >  };
> >  
> >  int ttm_bo_mmap_obj(struct vm_area_struct *vma, struct ttm_buffer_object *bo)
> >  {
> >  	/* Enforce no COW since would have really strange behavior with it. */
> > -	if (is_cow_mapping(vma->vm_flags))
> > +	if (is_cow_mapping(vma->vm_flags) && (vma->vm_flags & VM_WRITE))
> >  		return -EINVAL;
> >  
> >  	ttm_bo_get(bo);
> > diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c b/drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c
> > index e6b1f98ec99f..e4bf7dc99320 100644
> > --- a/drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c
> > +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c
> > @@ -61,6 +61,7 @@ int vmw_mmap(struct file *filp, struct vm_area_struct *vma)
> >  		.fault = vmw_bo_vm_fault,
> >  		.open = ttm_bo_vm_open,
> >  		.close = ttm_bo_vm_close,
> > +		.mprotect = ttm_bo_vm_mprotect,
> >  #ifdef CONFIG_TRANSPARENT_HUGEPAGE
> >  		.huge_fault = vmw_bo_vm_huge_fault,
> >  #endif
> > diff --git a/include/drm/ttm/ttm_bo_api.h b/include/drm/ttm/ttm_bo_api.h
> > index f681bbdbc698..40eb95875355 100644
> > --- a/include/drm/ttm/ttm_bo_api.h
> > +++ b/include/drm/ttm/ttm_bo_api.h
> > @@ -605,6 +605,10 @@ void ttm_bo_vm_close(struct vm_area_struct *vma);
> >  
> >  int ttm_bo_vm_access(struct vm_area_struct *vma, unsigned long addr,
> >  		     void *buf, int len, int write);
> > +
> > +int ttm_bo_vm_mprotect(struct vm_area_struct *vma, unsigned long start,
> > +		       unsigned long end, unsigned long newflags);
> > +
> >  bool ttm_bo_delayed_delete(struct ttm_device *bdev, bool remove_all);
> >  
> >  vm_fault_t ttm_bo_vm_dummy_page(struct vm_fault *vmf, pgprot_t prot);
> > -- 
> > 2.32.0
> > 
> 
> -- 
> Daniel Vetter
> Software Engineer, Intel Corporation
> http://blog.ffwll.ch

Christian König July 14, 2021, 10:51 a.m. UTC | #7

Am 14.07.21 um 12:44 schrieb Daniel Vetter:
> On Mon, Jul 12, 2021 at 06:06:36PM -0400, Felix Kuehling wrote:
>> KFD Thunk maps invisible VRAM BOs with PROT_NONE, MAP_PRIVATE.
>> is_cow_mapping returns true for these mappings. Add a check for
>> vm_flags & VM_WRITE to avoid mmap failures on private read-only or
>> PROT_NONE mappings.
>>
>> v2: protect against mprotect making a mapping writable after the fact
>> v3: update driver-specific vm_operations_structs
>>
>> Fixes: f91142c62161 ("drm/ttm: nuke VM_MIXEDMAP on BO mappings v3")
>> Signed-off-by: Felix Kuehling <Felix.Kuehling@amd.com>
>> Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
> So looking at vmf_insert_pfn_prot() and the comment there we can't have
> VM_PFNMAP and is_cow_mapping ever be true, or things break. On platforms
> without pte_special at least.

Key idea is that we never end up in vmf_insert_pfn_prot() because the 
vma is mapped with PROT_NONE.

>
> So I'm not sure this is a great idea, and definitely not for all drivers

Yeah, I'm absolutely not happy with this either but it seemed to be the 
least painful thing to do.

> ...
>
> Can we clear VM_MAYWRITE instead to force this to be a non-cow mapping
> instead?

Well we have considered forcefully setting VM_SHARED, which won't work 
easily for a couple of reasons.

But clearing VM_MAYWRITE in amdgpu/amdkfd may actually work as well.

Felix can you test this?

Thanks,
Christian.

> -Daniel
>
>> ---
>>   drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c  |  3 ++-
>>   drivers/gpu/drm/nouveau/nouveau_gem.c    |  3 ++-
>>   drivers/gpu/drm/radeon/radeon_gem.c      |  3 ++-
>>   drivers/gpu/drm/ttm/ttm_bo_vm.c          | 14 +++++++++++++-
>>   drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c |  1 +
>>   include/drm/ttm/ttm_bo_api.h             |  4 ++++
>>   6 files changed, 24 insertions(+), 4 deletions(-)
>>
>> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
>> index b3404c43a911..1aa750a6a5d2 100644
>> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
>> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
>> @@ -79,7 +79,8 @@ static const struct vm_operations_struct amdgpu_gem_vm_ops = {
>>   	.fault = amdgpu_gem_fault,
>>   	.open = ttm_bo_vm_open,
>>   	.close = ttm_bo_vm_close,
>> -	.access = ttm_bo_vm_access
>> +	.access = ttm_bo_vm_access,
>> +	.mprotect = ttm_bo_vm_mprotect
>>   };
>>   
>>   static void amdgpu_gem_object_free(struct drm_gem_object *gobj)
>> diff --git a/drivers/gpu/drm/nouveau/nouveau_gem.c b/drivers/gpu/drm/nouveau/nouveau_gem.c
>> index 5b27845075a1..164ea564bb7a 100644
>> --- a/drivers/gpu/drm/nouveau/nouveau_gem.c
>> +++ b/drivers/gpu/drm/nouveau/nouveau_gem.c
>> @@ -70,7 +70,8 @@ static const struct vm_operations_struct nouveau_ttm_vm_ops = {
>>   	.fault = nouveau_ttm_fault,
>>   	.open = ttm_bo_vm_open,
>>   	.close = ttm_bo_vm_close,
>> -	.access = ttm_bo_vm_access
>> +	.access = ttm_bo_vm_access,
>> +	.mprotect = ttm_bo_vm_mprotect
>>   };
>>   
>>   void
>> diff --git a/drivers/gpu/drm/radeon/radeon_gem.c b/drivers/gpu/drm/radeon/radeon_gem.c
>> index 458f92a70887..c19ad07eb7b5 100644
>> --- a/drivers/gpu/drm/radeon/radeon_gem.c
>> +++ b/drivers/gpu/drm/radeon/radeon_gem.c
>> @@ -77,7 +77,8 @@ static const struct vm_operations_struct radeon_gem_vm_ops = {
>>   	.fault = radeon_gem_fault,
>>   	.open = ttm_bo_vm_open,
>>   	.close = ttm_bo_vm_close,
>> -	.access = ttm_bo_vm_access
>> +	.access = ttm_bo_vm_access,
>> +	.mprotect = ttm_bo_vm_mprotect
>>   };
>>   
>>   static void radeon_gem_object_free(struct drm_gem_object *gobj)
>> diff --git a/drivers/gpu/drm/ttm/ttm_bo_vm.c b/drivers/gpu/drm/ttm/ttm_bo_vm.c
>> index f56be5bc0861..fb325bad5db6 100644
>> --- a/drivers/gpu/drm/ttm/ttm_bo_vm.c
>> +++ b/drivers/gpu/drm/ttm/ttm_bo_vm.c
>> @@ -542,17 +542,29 @@ int ttm_bo_vm_access(struct vm_area_struct *vma, unsigned long addr,
>>   }
>>   EXPORT_SYMBOL(ttm_bo_vm_access);
>>   
>> +int ttm_bo_vm_mprotect(struct vm_area_struct *vma, unsigned long start,
>> +		       unsigned long end, unsigned long newflags)
>> +{
>> +	/* Enforce no COW since would have really strange behavior with it. */
>> +	if (is_cow_mapping(newflags) && (newflags & VM_WRITE))
>> +		return -EINVAL;
>> +
>> +	return 0;
>> +}
>> +EXPORT_SYMBOL(ttm_bo_vm_mprotect);
>> +
>>   static const struct vm_operations_struct ttm_bo_vm_ops = {
>>   	.fault = ttm_bo_vm_fault,
>>   	.open = ttm_bo_vm_open,
>>   	.close = ttm_bo_vm_close,
>>   	.access = ttm_bo_vm_access,
>> +	.mprotect = ttm_bo_vm_mprotect,
>>   };
>>   
>>   int ttm_bo_mmap_obj(struct vm_area_struct *vma, struct ttm_buffer_object *bo)
>>   {
>>   	/* Enforce no COW since would have really strange behavior with it. */
>> -	if (is_cow_mapping(vma->vm_flags))
>> +	if (is_cow_mapping(vma->vm_flags) && (vma->vm_flags & VM_WRITE))
>>   		return -EINVAL;
>>   
>>   	ttm_bo_get(bo);
>> diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c b/drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c
>> index e6b1f98ec99f..e4bf7dc99320 100644
>> --- a/drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c
>> +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c
>> @@ -61,6 +61,7 @@ int vmw_mmap(struct file *filp, struct vm_area_struct *vma)
>>   		.fault = vmw_bo_vm_fault,
>>   		.open = ttm_bo_vm_open,
>>   		.close = ttm_bo_vm_close,
>> +		.mprotect = ttm_bo_vm_mprotect,
>>   #ifdef CONFIG_TRANSPARENT_HUGEPAGE
>>   		.huge_fault = vmw_bo_vm_huge_fault,
>>   #endif
>> diff --git a/include/drm/ttm/ttm_bo_api.h b/include/drm/ttm/ttm_bo_api.h
>> index f681bbdbc698..40eb95875355 100644
>> --- a/include/drm/ttm/ttm_bo_api.h
>> +++ b/include/drm/ttm/ttm_bo_api.h
>> @@ -605,6 +605,10 @@ void ttm_bo_vm_close(struct vm_area_struct *vma);
>>   
>>   int ttm_bo_vm_access(struct vm_area_struct *vma, unsigned long addr,
>>   		     void *buf, int len, int write);
>> +
>> +int ttm_bo_vm_mprotect(struct vm_area_struct *vma, unsigned long start,
>> +		       unsigned long end, unsigned long newflags);
>> +
>>   bool ttm_bo_delayed_delete(struct ttm_device *bdev, bool remove_all);
>>   
>>   vm_fault_t ttm_bo_vm_dummy_page(struct vm_fault *vmf, pgprot_t prot);
>> -- 
>> 2.32.0
>>

Daniel Vetter July 14, 2021, 11:15 a.m. UTC | #8

On Wed, Jul 14, 2021 at 12:51:15PM +0200, Christian König wrote:
> Am 14.07.21 um 12:44 schrieb Daniel Vetter:
> > On Mon, Jul 12, 2021 at 06:06:36PM -0400, Felix Kuehling wrote:
> > > KFD Thunk maps invisible VRAM BOs with PROT_NONE, MAP_PRIVATE.
> > > is_cow_mapping returns true for these mappings. Add a check for
> > > vm_flags & VM_WRITE to avoid mmap failures on private read-only or
> > > PROT_NONE mappings.
> > > 
> > > v2: protect against mprotect making a mapping writable after the fact
> > > v3: update driver-specific vm_operations_structs
> > > 
> > > Fixes: f91142c62161 ("drm/ttm: nuke VM_MIXEDMAP on BO mappings v3")
> > > Signed-off-by: Felix Kuehling <Felix.Kuehling@amd.com>
> > > Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
> > So looking at vmf_insert_pfn_prot() and the comment there we can't have
> > VM_PFNMAP and is_cow_mapping ever be true, or things break. On platforms
> > without pte_special at least.
> 
> Key idea is that we never end up in vmf_insert_pfn_prot() because the vma is
> mapped with PROT_NONE.

Ah right if it's PROT_NONE then it's ok. But the code here only checks for
VM_WRITE, not VM_READ, so PROT_READ can get through and go boom? Or
something else I'm missing?

Maybe time for a few amdgpu mmap tests that go through the combos and make
sure it works/fails all correctly.
-Daniel

> > So I'm not sure this is a great idea, and definitely not for all drivers
> 
> Yeah, I'm absolutely not happy with this either but it seemed to be the
> least painful thing to do.
> 
> > ...
> > 
> > Can we clear VM_MAYWRITE instead to force this to be a non-cow mapping
> > instead?
> 
> Well we have considered forcefully setting VM_SHARED, which won't work
> easily for a couple of reasons.
> 
> But clearing VM_MAYWRITE in amdgpu/amdkfd may actually work as well.
> 
> Felix can you test this?
> 
> Thanks,
> Christian.
> 
> > -Daniel
> > 
> > > ---
> > >   drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c  |  3 ++-
> > >   drivers/gpu/drm/nouveau/nouveau_gem.c    |  3 ++-
> > >   drivers/gpu/drm/radeon/radeon_gem.c      |  3 ++-
> > >   drivers/gpu/drm/ttm/ttm_bo_vm.c          | 14 +++++++++++++-
> > >   drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c |  1 +
> > >   include/drm/ttm/ttm_bo_api.h             |  4 ++++
> > >   6 files changed, 24 insertions(+), 4 deletions(-)
> > > 
> > > diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
> > > index b3404c43a911..1aa750a6a5d2 100644
> > > --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
> > > +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
> > > @@ -79,7 +79,8 @@ static const struct vm_operations_struct amdgpu_gem_vm_ops = {
> > >   	.fault = amdgpu_gem_fault,
> > >   	.open = ttm_bo_vm_open,
> > >   	.close = ttm_bo_vm_close,
> > > -	.access = ttm_bo_vm_access
> > > +	.access = ttm_bo_vm_access,
> > > +	.mprotect = ttm_bo_vm_mprotect
> > >   };
> > >   static void amdgpu_gem_object_free(struct drm_gem_object *gobj)
> > > diff --git a/drivers/gpu/drm/nouveau/nouveau_gem.c b/drivers/gpu/drm/nouveau/nouveau_gem.c
> > > index 5b27845075a1..164ea564bb7a 100644
> > > --- a/drivers/gpu/drm/nouveau/nouveau_gem.c
> > > +++ b/drivers/gpu/drm/nouveau/nouveau_gem.c
> > > @@ -70,7 +70,8 @@ static const struct vm_operations_struct nouveau_ttm_vm_ops = {
> > >   	.fault = nouveau_ttm_fault,
> > >   	.open = ttm_bo_vm_open,
> > >   	.close = ttm_bo_vm_close,
> > > -	.access = ttm_bo_vm_access
> > > +	.access = ttm_bo_vm_access,
> > > +	.mprotect = ttm_bo_vm_mprotect
> > >   };
> > >   void
> > > diff --git a/drivers/gpu/drm/radeon/radeon_gem.c b/drivers/gpu/drm/radeon/radeon_gem.c
> > > index 458f92a70887..c19ad07eb7b5 100644
> > > --- a/drivers/gpu/drm/radeon/radeon_gem.c
> > > +++ b/drivers/gpu/drm/radeon/radeon_gem.c
> > > @@ -77,7 +77,8 @@ static const struct vm_operations_struct radeon_gem_vm_ops = {
> > >   	.fault = radeon_gem_fault,
> > >   	.open = ttm_bo_vm_open,
> > >   	.close = ttm_bo_vm_close,
> > > -	.access = ttm_bo_vm_access
> > > +	.access = ttm_bo_vm_access,
> > > +	.mprotect = ttm_bo_vm_mprotect
> > >   };
> > >   static void radeon_gem_object_free(struct drm_gem_object *gobj)
> > > diff --git a/drivers/gpu/drm/ttm/ttm_bo_vm.c b/drivers/gpu/drm/ttm/ttm_bo_vm.c
> > > index f56be5bc0861..fb325bad5db6 100644
> > > --- a/drivers/gpu/drm/ttm/ttm_bo_vm.c
> > > +++ b/drivers/gpu/drm/ttm/ttm_bo_vm.c
> > > @@ -542,17 +542,29 @@ int ttm_bo_vm_access(struct vm_area_struct *vma, unsigned long addr,
> > >   }
> > >   EXPORT_SYMBOL(ttm_bo_vm_access);
> > > +int ttm_bo_vm_mprotect(struct vm_area_struct *vma, unsigned long start,
> > > +		       unsigned long end, unsigned long newflags)
> > > +{
> > > +	/* Enforce no COW since would have really strange behavior with it. */
> > > +	if (is_cow_mapping(newflags) && (newflags & VM_WRITE))
> > > +		return -EINVAL;
> > > +
> > > +	return 0;
> > > +}
> > > +EXPORT_SYMBOL(ttm_bo_vm_mprotect);
> > > +
> > >   static const struct vm_operations_struct ttm_bo_vm_ops = {
> > >   	.fault = ttm_bo_vm_fault,
> > >   	.open = ttm_bo_vm_open,
> > >   	.close = ttm_bo_vm_close,
> > >   	.access = ttm_bo_vm_access,
> > > +	.mprotect = ttm_bo_vm_mprotect,
> > >   };
> > >   int ttm_bo_mmap_obj(struct vm_area_struct *vma, struct ttm_buffer_object *bo)
> > >   {
> > >   	/* Enforce no COW since would have really strange behavior with it. */
> > > -	if (is_cow_mapping(vma->vm_flags))
> > > +	if (is_cow_mapping(vma->vm_flags) && (vma->vm_flags & VM_WRITE))
> > >   		return -EINVAL;
> > >   	ttm_bo_get(bo);
> > > diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c b/drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c
> > > index e6b1f98ec99f..e4bf7dc99320 100644
> > > --- a/drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c
> > > +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c
> > > @@ -61,6 +61,7 @@ int vmw_mmap(struct file *filp, struct vm_area_struct *vma)
> > >   		.fault = vmw_bo_vm_fault,
> > >   		.open = ttm_bo_vm_open,
> > >   		.close = ttm_bo_vm_close,
> > > +		.mprotect = ttm_bo_vm_mprotect,
> > >   #ifdef CONFIG_TRANSPARENT_HUGEPAGE
> > >   		.huge_fault = vmw_bo_vm_huge_fault,
> > >   #endif
> > > diff --git a/include/drm/ttm/ttm_bo_api.h b/include/drm/ttm/ttm_bo_api.h
> > > index f681bbdbc698..40eb95875355 100644
> > > --- a/include/drm/ttm/ttm_bo_api.h
> > > +++ b/include/drm/ttm/ttm_bo_api.h
> > > @@ -605,6 +605,10 @@ void ttm_bo_vm_close(struct vm_area_struct *vma);
> > >   int ttm_bo_vm_access(struct vm_area_struct *vma, unsigned long addr,
> > >   		     void *buf, int len, int write);
> > > +
> > > +int ttm_bo_vm_mprotect(struct vm_area_struct *vma, unsigned long start,
> > > +		       unsigned long end, unsigned long newflags);
> > > +
> > >   bool ttm_bo_delayed_delete(struct ttm_device *bdev, bool remove_all);
> > >   vm_fault_t ttm_bo_vm_dummy_page(struct vm_fault *vmf, pgprot_t prot);
> > > -- 
> > > 2.32.0
> > > 
>

Christian König July 14, 2021, 1:09 p.m. UTC | #9

Am 14.07.21 um 13:15 schrieb Daniel Vetter:
> On Wed, Jul 14, 2021 at 12:51:15PM +0200, Christian König wrote:
>> Am 14.07.21 um 12:44 schrieb Daniel Vetter:
>>> On Mon, Jul 12, 2021 at 06:06:36PM -0400, Felix Kuehling wrote:
>>>> KFD Thunk maps invisible VRAM BOs with PROT_NONE, MAP_PRIVATE.
>>>> is_cow_mapping returns true for these mappings. Add a check for
>>>> vm_flags & VM_WRITE to avoid mmap failures on private read-only or
>>>> PROT_NONE mappings.
>>>>
>>>> v2: protect against mprotect making a mapping writable after the fact
>>>> v3: update driver-specific vm_operations_structs
>>>>
>>>> Fixes: f91142c62161 ("drm/ttm: nuke VM_MIXEDMAP on BO mappings v3")
>>>> Signed-off-by: Felix Kuehling <Felix.Kuehling@amd.com>
>>>> Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
>>> So looking at vmf_insert_pfn_prot() and the comment there we can't have
>>> VM_PFNMAP and is_cow_mapping ever be true, or things break. On platforms
>>> without pte_special at least.
>> Key idea is that we never end up in vmf_insert_pfn_prot() because the vma is
>> mapped with PROT_NONE.
> Ah right if it's PROT_NONE then it's ok. But the code here only checks for
> VM_WRITE, not VM_READ, so PROT_READ can get through and go boom? Or
> something else I'm missing?

Ah, good point. Yeah that is indeed not handled correctly and can cause 
a BUG_ON().

Looks like we need to revert that patch and go back to the drawing board 
then.

Christian.

>
> Maybe time for a few amdgpu mmap tests that go through the combos and make
> sure it works/fails all correctly.
> -Daniel
>
>>> So I'm not sure this is a great idea, and definitely not for all drivers
>> Yeah, I'm absolutely not happy with this either but it seemed to be the
>> least painful thing to do.
>>
>>> ...
>>>
>>> Can we clear VM_MAYWRITE instead to force this to be a non-cow mapping
>>> instead?
>> Well we have considered forcefully setting VM_SHARED, which won't work
>> easily for a couple of reasons.
>>
>> But clearing VM_MAYWRITE in amdgpu/amdkfd may actually work as well.
>>
>> Felix can you test this?
>>
>> Thanks,
>> Christian.
>>
>>> -Daniel
>>>
>>>> ---
>>>>    drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c  |  3 ++-
>>>>    drivers/gpu/drm/nouveau/nouveau_gem.c    |  3 ++-
>>>>    drivers/gpu/drm/radeon/radeon_gem.c      |  3 ++-
>>>>    drivers/gpu/drm/ttm/ttm_bo_vm.c          | 14 +++++++++++++-
>>>>    drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c |  1 +
>>>>    include/drm/ttm/ttm_bo_api.h             |  4 ++++
>>>>    6 files changed, 24 insertions(+), 4 deletions(-)
>>>>
>>>> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
>>>> index b3404c43a911..1aa750a6a5d2 100644
>>>> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
>>>> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
>>>> @@ -79,7 +79,8 @@ static const struct vm_operations_struct amdgpu_gem_vm_ops = {
>>>>    	.fault = amdgpu_gem_fault,
>>>>    	.open = ttm_bo_vm_open,
>>>>    	.close = ttm_bo_vm_close,
>>>> -	.access = ttm_bo_vm_access
>>>> +	.access = ttm_bo_vm_access,
>>>> +	.mprotect = ttm_bo_vm_mprotect
>>>>    };
>>>>    static void amdgpu_gem_object_free(struct drm_gem_object *gobj)
>>>> diff --git a/drivers/gpu/drm/nouveau/nouveau_gem.c b/drivers/gpu/drm/nouveau/nouveau_gem.c
>>>> index 5b27845075a1..164ea564bb7a 100644
>>>> --- a/drivers/gpu/drm/nouveau/nouveau_gem.c
>>>> +++ b/drivers/gpu/drm/nouveau/nouveau_gem.c
>>>> @@ -70,7 +70,8 @@ static const struct vm_operations_struct nouveau_ttm_vm_ops = {
>>>>    	.fault = nouveau_ttm_fault,
>>>>    	.open = ttm_bo_vm_open,
>>>>    	.close = ttm_bo_vm_close,
>>>> -	.access = ttm_bo_vm_access
>>>> +	.access = ttm_bo_vm_access,
>>>> +	.mprotect = ttm_bo_vm_mprotect
>>>>    };
>>>>    void
>>>> diff --git a/drivers/gpu/drm/radeon/radeon_gem.c b/drivers/gpu/drm/radeon/radeon_gem.c
>>>> index 458f92a70887..c19ad07eb7b5 100644
>>>> --- a/drivers/gpu/drm/radeon/radeon_gem.c
>>>> +++ b/drivers/gpu/drm/radeon/radeon_gem.c
>>>> @@ -77,7 +77,8 @@ static const struct vm_operations_struct radeon_gem_vm_ops = {
>>>>    	.fault = radeon_gem_fault,
>>>>    	.open = ttm_bo_vm_open,
>>>>    	.close = ttm_bo_vm_close,
>>>> -	.access = ttm_bo_vm_access
>>>> +	.access = ttm_bo_vm_access,
>>>> +	.mprotect = ttm_bo_vm_mprotect
>>>>    };
>>>>    static void radeon_gem_object_free(struct drm_gem_object *gobj)
>>>> diff --git a/drivers/gpu/drm/ttm/ttm_bo_vm.c b/drivers/gpu/drm/ttm/ttm_bo_vm.c
>>>> index f56be5bc0861..fb325bad5db6 100644
>>>> --- a/drivers/gpu/drm/ttm/ttm_bo_vm.c
>>>> +++ b/drivers/gpu/drm/ttm/ttm_bo_vm.c
>>>> @@ -542,17 +542,29 @@ int ttm_bo_vm_access(struct vm_area_struct *vma, unsigned long addr,
>>>>    }
>>>>    EXPORT_SYMBOL(ttm_bo_vm_access);
>>>> +int ttm_bo_vm_mprotect(struct vm_area_struct *vma, unsigned long start,
>>>> +		       unsigned long end, unsigned long newflags)
>>>> +{
>>>> +	/* Enforce no COW since would have really strange behavior with it. */
>>>> +	if (is_cow_mapping(newflags) && (newflags & VM_WRITE))
>>>> +		return -EINVAL;
>>>> +
>>>> +	return 0;
>>>> +}
>>>> +EXPORT_SYMBOL(ttm_bo_vm_mprotect);
>>>> +
>>>>    static const struct vm_operations_struct ttm_bo_vm_ops = {
>>>>    	.fault = ttm_bo_vm_fault,
>>>>    	.open = ttm_bo_vm_open,
>>>>    	.close = ttm_bo_vm_close,
>>>>    	.access = ttm_bo_vm_access,
>>>> +	.mprotect = ttm_bo_vm_mprotect,
>>>>    };
>>>>    int ttm_bo_mmap_obj(struct vm_area_struct *vma, struct ttm_buffer_object *bo)
>>>>    {
>>>>    	/* Enforce no COW since would have really strange behavior with it. */
>>>> -	if (is_cow_mapping(vma->vm_flags))
>>>> +	if (is_cow_mapping(vma->vm_flags) && (vma->vm_flags & VM_WRITE))
>>>>    		return -EINVAL;
>>>>    	ttm_bo_get(bo);
>>>> diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c b/drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c
>>>> index e6b1f98ec99f..e4bf7dc99320 100644
>>>> --- a/drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c
>>>> +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c
>>>> @@ -61,6 +61,7 @@ int vmw_mmap(struct file *filp, struct vm_area_struct *vma)
>>>>    		.fault = vmw_bo_vm_fault,
>>>>    		.open = ttm_bo_vm_open,
>>>>    		.close = ttm_bo_vm_close,
>>>> +		.mprotect = ttm_bo_vm_mprotect,
>>>>    #ifdef CONFIG_TRANSPARENT_HUGEPAGE
>>>>    		.huge_fault = vmw_bo_vm_huge_fault,
>>>>    #endif
>>>> diff --git a/include/drm/ttm/ttm_bo_api.h b/include/drm/ttm/ttm_bo_api.h
>>>> index f681bbdbc698..40eb95875355 100644
>>>> --- a/include/drm/ttm/ttm_bo_api.h
>>>> +++ b/include/drm/ttm/ttm_bo_api.h
>>>> @@ -605,6 +605,10 @@ void ttm_bo_vm_close(struct vm_area_struct *vma);
>>>>    int ttm_bo_vm_access(struct vm_area_struct *vma, unsigned long addr,
>>>>    		     void *buf, int len, int write);
>>>> +
>>>> +int ttm_bo_vm_mprotect(struct vm_area_struct *vma, unsigned long start,
>>>> +		       unsigned long end, unsigned long newflags);
>>>> +
>>>>    bool ttm_bo_delayed_delete(struct ttm_device *bdev, bool remove_all);
>>>>    vm_fault_t ttm_bo_vm_dummy_page(struct vm_fault *vmf, pgprot_t prot);
>>>> -- 
>>>> 2.32.0
>>>>

Felix Kuehling July 14, 2021, 4:11 p.m. UTC | #10

Am 2021-07-14 um 6:51 a.m. schrieb Christian König:
> Am 14.07.21 um 12:44 schrieb Daniel Vetter:
>> On Mon, Jul 12, 2021 at 06:06:36PM -0400, Felix Kuehling wrote:
>>> KFD Thunk maps invisible VRAM BOs with PROT_NONE, MAP_PRIVATE.
>>> is_cow_mapping returns true for these mappings. Add a check for
>>> vm_flags & VM_WRITE to avoid mmap failures on private read-only or
>>> PROT_NONE mappings.
>>>
>>> v2: protect against mprotect making a mapping writable after the fact
>>> v3: update driver-specific vm_operations_structs
>>>
>>> Fixes: f91142c62161 ("drm/ttm: nuke VM_MIXEDMAP on BO mappings v3")
>>> Signed-off-by: Felix Kuehling <Felix.Kuehling@amd.com>
>>> Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
>> So looking at vmf_insert_pfn_prot() and the comment there we can't have
>> VM_PFNMAP and is_cow_mapping ever be true, or things break. On platforms
>> without pte_special at least.
>
> Key idea is that we never end up in vmf_insert_pfn_prot() because the
> vma is mapped with PROT_NONE.

Ah, thanks for that pointer. I wasn't aware of that BUG_ON. I thought it
was more of an abstract "copy-on-write faults may be bad on these mappings."


>
>>
>> So I'm not sure this is a great idea, and definitely not for all drivers
>
> Yeah, I'm absolutely not happy with this either but it seemed to be
> the least painful thing to do.
>
>> ...
>>
>> Can we clear VM_MAYWRITE instead to force this to be a non-cow mapping
>> instead?
>
> Well we have considered forcefully setting VM_SHARED, which won't work
> easily for a couple of reasons.
>
> But clearing VM_MAYWRITE in amdgpu/amdkfd may actually work as well.
>
> Felix can you test this?

Sounds like it should work and be straight forward (I thought that about
setting VM_SHARED, too ...). I'll give it a try.

Thanks,
  Felix


>
> Thanks,
> Christian.
>
>> -Daniel
>>
>>> ---
>>>   drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c  |  3 ++-
>>>   drivers/gpu/drm/nouveau/nouveau_gem.c    |  3 ++-
>>>   drivers/gpu/drm/radeon/radeon_gem.c      |  3 ++-
>>>   drivers/gpu/drm/ttm/ttm_bo_vm.c          | 14 +++++++++++++-
>>>   drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c |  1 +
>>>   include/drm/ttm/ttm_bo_api.h             |  4 ++++
>>>   6 files changed, 24 insertions(+), 4 deletions(-)
>>>
>>> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
>>> b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
>>> index b3404c43a911..1aa750a6a5d2 100644
>>> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
>>> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
>>> @@ -79,7 +79,8 @@ static const struct vm_operations_struct
>>> amdgpu_gem_vm_ops = {
>>>       .fault = amdgpu_gem_fault,
>>>       .open = ttm_bo_vm_open,
>>>       .close = ttm_bo_vm_close,
>>> -    .access = ttm_bo_vm_access
>>> +    .access = ttm_bo_vm_access,
>>> +    .mprotect = ttm_bo_vm_mprotect
>>>   };
>>>     static void amdgpu_gem_object_free(struct drm_gem_object *gobj)
>>> diff --git a/drivers/gpu/drm/nouveau/nouveau_gem.c
>>> b/drivers/gpu/drm/nouveau/nouveau_gem.c
>>> index 5b27845075a1..164ea564bb7a 100644
>>> --- a/drivers/gpu/drm/nouveau/nouveau_gem.c
>>> +++ b/drivers/gpu/drm/nouveau/nouveau_gem.c
>>> @@ -70,7 +70,8 @@ static const struct vm_operations_struct
>>> nouveau_ttm_vm_ops = {
>>>       .fault = nouveau_ttm_fault,
>>>       .open = ttm_bo_vm_open,
>>>       .close = ttm_bo_vm_close,
>>> -    .access = ttm_bo_vm_access
>>> +    .access = ttm_bo_vm_access,
>>> +    .mprotect = ttm_bo_vm_mprotect
>>>   };
>>>     void
>>> diff --git a/drivers/gpu/drm/radeon/radeon_gem.c
>>> b/drivers/gpu/drm/radeon/radeon_gem.c
>>> index 458f92a70887..c19ad07eb7b5 100644
>>> --- a/drivers/gpu/drm/radeon/radeon_gem.c
>>> +++ b/drivers/gpu/drm/radeon/radeon_gem.c
>>> @@ -77,7 +77,8 @@ static const struct vm_operations_struct
>>> radeon_gem_vm_ops = {
>>>       .fault = radeon_gem_fault,
>>>       .open = ttm_bo_vm_open,
>>>       .close = ttm_bo_vm_close,
>>> -    .access = ttm_bo_vm_access
>>> +    .access = ttm_bo_vm_access,
>>> +    .mprotect = ttm_bo_vm_mprotect
>>>   };
>>>     static void radeon_gem_object_free(struct drm_gem_object *gobj)
>>> diff --git a/drivers/gpu/drm/ttm/ttm_bo_vm.c
>>> b/drivers/gpu/drm/ttm/ttm_bo_vm.c
>>> index f56be5bc0861..fb325bad5db6 100644
>>> --- a/drivers/gpu/drm/ttm/ttm_bo_vm.c
>>> +++ b/drivers/gpu/drm/ttm/ttm_bo_vm.c
>>> @@ -542,17 +542,29 @@ int ttm_bo_vm_access(struct vm_area_struct
>>> *vma, unsigned long addr,
>>>   }
>>>   EXPORT_SYMBOL(ttm_bo_vm_access);
>>>   +int ttm_bo_vm_mprotect(struct vm_area_struct *vma, unsigned long
>>> start,
>>> +               unsigned long end, unsigned long newflags)
>>> +{
>>> +    /* Enforce no COW since would have really strange behavior with
>>> it. */
>>> +    if (is_cow_mapping(newflags) && (newflags & VM_WRITE))
>>> +        return -EINVAL;
>>> +
>>> +    return 0;
>>> +}
>>> +EXPORT_SYMBOL(ttm_bo_vm_mprotect);
>>> +
>>>   static const struct vm_operations_struct ttm_bo_vm_ops = {
>>>       .fault = ttm_bo_vm_fault,
>>>       .open = ttm_bo_vm_open,
>>>       .close = ttm_bo_vm_close,
>>>       .access = ttm_bo_vm_access,
>>> +    .mprotect = ttm_bo_vm_mprotect,
>>>   };
>>>     int ttm_bo_mmap_obj(struct vm_area_struct *vma, struct
>>> ttm_buffer_object *bo)
>>>   {
>>>       /* Enforce no COW since would have really strange behavior
>>> with it. */
>>> -    if (is_cow_mapping(vma->vm_flags))
>>> +    if (is_cow_mapping(vma->vm_flags) && (vma->vm_flags & VM_WRITE))
>>>           return -EINVAL;
>>>         ttm_bo_get(bo);
>>> diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c
>>> b/drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c
>>> index e6b1f98ec99f..e4bf7dc99320 100644
>>> --- a/drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c
>>> +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c
>>> @@ -61,6 +61,7 @@ int vmw_mmap(struct file *filp, struct
>>> vm_area_struct *vma)
>>>           .fault = vmw_bo_vm_fault,
>>>           .open = ttm_bo_vm_open,
>>>           .close = ttm_bo_vm_close,
>>> +        .mprotect = ttm_bo_vm_mprotect,
>>>   #ifdef CONFIG_TRANSPARENT_HUGEPAGE
>>>           .huge_fault = vmw_bo_vm_huge_fault,
>>>   #endif
>>> diff --git a/include/drm/ttm/ttm_bo_api.h
>>> b/include/drm/ttm/ttm_bo_api.h
>>> index f681bbdbc698..40eb95875355 100644
>>> --- a/include/drm/ttm/ttm_bo_api.h
>>> +++ b/include/drm/ttm/ttm_bo_api.h
>>> @@ -605,6 +605,10 @@ void ttm_bo_vm_close(struct vm_area_struct *vma);
>>>     int ttm_bo_vm_access(struct vm_area_struct *vma, unsigned long
>>> addr,
>>>                void *buf, int len, int write);
>>> +
>>> +int ttm_bo_vm_mprotect(struct vm_area_struct *vma, unsigned long
>>> start,
>>> +               unsigned long end, unsigned long newflags);
>>> +
>>>   bool ttm_bo_delayed_delete(struct ttm_device *bdev, bool remove_all);
>>>     vm_fault_t ttm_bo_vm_dummy_page(struct vm_fault *vmf, pgprot_t
>>> prot);
>>> -- 
>>> 2.32.0
>>>
>

Daniel Vetter July 23, 2021, 8:21 a.m. UTC | #11

On Wed, Jul 14, 2021 at 10:51 AM Christian König
<christian.koenig@amd.com> wrote:
>
>
>
> Am 13.07.21 um 17:28 schrieb Alex Deucher:
> > On Tue, Jul 13, 2021 at 2:57 AM Christian König
> > <ckoenig.leichtzumerken@gmail.com> wrote:
> >>
> >>
> >> Am 13.07.21 um 00:06 schrieb Felix Kuehling:
> >>> KFD Thunk maps invisible VRAM BOs with PROT_NONE, MAP_PRIVATE.
> >>> is_cow_mapping returns true for these mappings. Add a check for
> >>> vm_flags & VM_WRITE to avoid mmap failures on private read-only or
> >>> PROT_NONE mappings.
> >>>
> >>> v2: protect against mprotect making a mapping writable after the fact
> >>> v3: update driver-specific vm_operations_structs
> >>>
> >>> Fixes: f91142c62161 ("drm/ttm: nuke VM_MIXEDMAP on BO mappings v3")
> >>> Signed-off-by: Felix Kuehling <Felix.Kuehling@amd.com>
> >>> Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
> >> Reviewed-by: Christian König <christian.koenig@amd.com>
> > Are you planning to push this to drm-misc?
>
> Yes, just didn't found time yesterday.

This is pushed to the wrong tree drm-misc-next-fixes, should have been
in drm-misc-fixes. Please be careful with that because every time that
goes wrong the script gets confused about which the current tree is,
and pushes the wrong tree to linux-next branches.

I'm going to hard-reset drm-misc-next-fixes now and hope that's good
enough to fix things up (since Thomas is not around all the time for
this merge window).
-Daniel


>
> Christian.
>
> >
> > Alex
> >
> >>> ---
> >>>    drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c  |  3 ++-
> >>>    drivers/gpu/drm/nouveau/nouveau_gem.c    |  3 ++-
> >>>    drivers/gpu/drm/radeon/radeon_gem.c      |  3 ++-
> >>>    drivers/gpu/drm/ttm/ttm_bo_vm.c          | 14 +++++++++++++-
> >>>    drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c |  1 +
> >>>    include/drm/ttm/ttm_bo_api.h             |  4 ++++
> >>>    6 files changed, 24 insertions(+), 4 deletions(-)
> >>>
> >>> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
> >>> index b3404c43a911..1aa750a6a5d2 100644
> >>> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
> >>> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
> >>> @@ -79,7 +79,8 @@ static const struct vm_operations_struct amdgpu_gem_vm_ops = {
> >>>        .fault = amdgpu_gem_fault,
> >>>        .open = ttm_bo_vm_open,
> >>>        .close = ttm_bo_vm_close,
> >>> -     .access = ttm_bo_vm_access
> >>> +     .access = ttm_bo_vm_access,
> >>> +     .mprotect = ttm_bo_vm_mprotect
> >>>    };
> >>>
> >>>    static void amdgpu_gem_object_free(struct drm_gem_object *gobj)
> >>> diff --git a/drivers/gpu/drm/nouveau/nouveau_gem.c b/drivers/gpu/drm/nouveau/nouveau_gem.c
> >>> index 5b27845075a1..164ea564bb7a 100644
> >>> --- a/drivers/gpu/drm/nouveau/nouveau_gem.c
> >>> +++ b/drivers/gpu/drm/nouveau/nouveau_gem.c
> >>> @@ -70,7 +70,8 @@ static const struct vm_operations_struct nouveau_ttm_vm_ops = {
> >>>        .fault = nouveau_ttm_fault,
> >>>        .open = ttm_bo_vm_open,
> >>>        .close = ttm_bo_vm_close,
> >>> -     .access = ttm_bo_vm_access
> >>> +     .access = ttm_bo_vm_access,
> >>> +     .mprotect = ttm_bo_vm_mprotect
> >>>    };
> >>>
> >>>    void
> >>> diff --git a/drivers/gpu/drm/radeon/radeon_gem.c b/drivers/gpu/drm/radeon/radeon_gem.c
> >>> index 458f92a70887..c19ad07eb7b5 100644
> >>> --- a/drivers/gpu/drm/radeon/radeon_gem.c
> >>> +++ b/drivers/gpu/drm/radeon/radeon_gem.c
> >>> @@ -77,7 +77,8 @@ static const struct vm_operations_struct radeon_gem_vm_ops = {
> >>>        .fault = radeon_gem_fault,
> >>>        .open = ttm_bo_vm_open,
> >>>        .close = ttm_bo_vm_close,
> >>> -     .access = ttm_bo_vm_access
> >>> +     .access = ttm_bo_vm_access,
> >>> +     .mprotect = ttm_bo_vm_mprotect
> >>>    };
> >>>
> >>>    static void radeon_gem_object_free(struct drm_gem_object *gobj)
> >>> diff --git a/drivers/gpu/drm/ttm/ttm_bo_vm.c b/drivers/gpu/drm/ttm/ttm_bo_vm.c
> >>> index f56be5bc0861..fb325bad5db6 100644
> >>> --- a/drivers/gpu/drm/ttm/ttm_bo_vm.c
> >>> +++ b/drivers/gpu/drm/ttm/ttm_bo_vm.c
> >>> @@ -542,17 +542,29 @@ int ttm_bo_vm_access(struct vm_area_struct *vma, unsigned long addr,
> >>>    }
> >>>    EXPORT_SYMBOL(ttm_bo_vm_access);
> >>>
> >>> +int ttm_bo_vm_mprotect(struct vm_area_struct *vma, unsigned long start,
> >>> +                    unsigned long end, unsigned long newflags)
> >>> +{
> >>> +     /* Enforce no COW since would have really strange behavior with it. */
> >>> +     if (is_cow_mapping(newflags) && (newflags & VM_WRITE))
> >>> +             return -EINVAL;
> >>> +
> >>> +     return 0;
> >>> +}
> >>> +EXPORT_SYMBOL(ttm_bo_vm_mprotect);
> >>> +
> >>>    static const struct vm_operations_struct ttm_bo_vm_ops = {
> >>>        .fault = ttm_bo_vm_fault,
> >>>        .open = ttm_bo_vm_open,
> >>>        .close = ttm_bo_vm_close,
> >>>        .access = ttm_bo_vm_access,
> >>> +     .mprotect = ttm_bo_vm_mprotect,
> >>>    };
> >>>
> >>>    int ttm_bo_mmap_obj(struct vm_area_struct *vma, struct ttm_buffer_object *bo)
> >>>    {
> >>>        /* Enforce no COW since would have really strange behavior with it. */
> >>> -     if (is_cow_mapping(vma->vm_flags))
> >>> +     if (is_cow_mapping(vma->vm_flags) && (vma->vm_flags & VM_WRITE))
> >>>                return -EINVAL;
> >>>
> >>>        ttm_bo_get(bo);
> >>> diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c b/drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c
> >>> index e6b1f98ec99f..e4bf7dc99320 100644
> >>> --- a/drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c
> >>> +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c
> >>> @@ -61,6 +61,7 @@ int vmw_mmap(struct file *filp, struct vm_area_struct *vma)
> >>>                .fault = vmw_bo_vm_fault,
> >>>                .open = ttm_bo_vm_open,
> >>>                .close = ttm_bo_vm_close,
> >>> +             .mprotect = ttm_bo_vm_mprotect,
> >>>    #ifdef CONFIG_TRANSPARENT_HUGEPAGE
> >>>                .huge_fault = vmw_bo_vm_huge_fault,
> >>>    #endif
> >>> diff --git a/include/drm/ttm/ttm_bo_api.h b/include/drm/ttm/ttm_bo_api.h
> >>> index f681bbdbc698..40eb95875355 100644
> >>> --- a/include/drm/ttm/ttm_bo_api.h
> >>> +++ b/include/drm/ttm/ttm_bo_api.h
> >>> @@ -605,6 +605,10 @@ void ttm_bo_vm_close(struct vm_area_struct *vma);
> >>>
> >>>    int ttm_bo_vm_access(struct vm_area_struct *vma, unsigned long addr,
> >>>                     void *buf, int len, int write);
> >>> +
> >>> +int ttm_bo_vm_mprotect(struct vm_area_struct *vma, unsigned long start,
> >>> +                    unsigned long end, unsigned long newflags);
> >>> +
> >>>    bool ttm_bo_delayed_delete(struct ttm_device *bdev, bool remove_all);
> >>>
> >>>    vm_fault_t ttm_bo_vm_dummy_page(struct vm_fault *vmf, pgprot_t prot);
>

Christian König July 23, 2021, 8:33 a.m. UTC | #12

Am 23.07.21 um 10:21 schrieb Daniel Vetter:
> On Wed, Jul 14, 2021 at 10:51 AM Christian König
> <christian.koenig@amd.com> wrote:
>>
>>
>> Am 13.07.21 um 17:28 schrieb Alex Deucher:
>>> On Tue, Jul 13, 2021 at 2:57 AM Christian König
>>> <ckoenig.leichtzumerken@gmail.com> wrote:
>>>>
>>>> Am 13.07.21 um 00:06 schrieb Felix Kuehling:
>>>>> KFD Thunk maps invisible VRAM BOs with PROT_NONE, MAP_PRIVATE.
>>>>> is_cow_mapping returns true for these mappings. Add a check for
>>>>> vm_flags & VM_WRITE to avoid mmap failures on private read-only or
>>>>> PROT_NONE mappings.
>>>>>
>>>>> v2: protect against mprotect making a mapping writable after the fact
>>>>> v3: update driver-specific vm_operations_structs
>>>>>
>>>>> Fixes: f91142c62161 ("drm/ttm: nuke VM_MIXEDMAP on BO mappings v3")
>>>>> Signed-off-by: Felix Kuehling <Felix.Kuehling@amd.com>
>>>>> Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
>>>> Reviewed-by: Christian König <christian.koenig@amd.com>
>>> Are you planning to push this to drm-misc?
>> Yes, just didn't found time yesterday.
> This is pushed to the wrong tree drm-misc-next-fixes, should have been
> in drm-misc-fixes. Please be careful with that because every time that
> goes wrong the script gets confused about which the current tree is,
> and pushes the wrong tree to linux-next branches.
>
> I'm going to hard-reset drm-misc-next-fixes now and hope that's good
> enough to fix things up (since Thomas is not around all the time for
> this merge window).

STOP! I'm about to push a revert for this patch.

And yes that was pushed to the wrong branch, but it turned out that this 
was fortunate since the patch doesn't work correctly.

Christian.

> -Daniel
>
>
>> Christian.
>>
>>> Alex
>>>
>>>>> ---
>>>>>     drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c  |  3 ++-
>>>>>     drivers/gpu/drm/nouveau/nouveau_gem.c    |  3 ++-
>>>>>     drivers/gpu/drm/radeon/radeon_gem.c      |  3 ++-
>>>>>     drivers/gpu/drm/ttm/ttm_bo_vm.c          | 14 +++++++++++++-
>>>>>     drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c |  1 +
>>>>>     include/drm/ttm/ttm_bo_api.h             |  4 ++++
>>>>>     6 files changed, 24 insertions(+), 4 deletions(-)
>>>>>
>>>>> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
>>>>> index b3404c43a911..1aa750a6a5d2 100644
>>>>> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
>>>>> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
>>>>> @@ -79,7 +79,8 @@ static const struct vm_operations_struct amdgpu_gem_vm_ops = {
>>>>>         .fault = amdgpu_gem_fault,
>>>>>         .open = ttm_bo_vm_open,
>>>>>         .close = ttm_bo_vm_close,
>>>>> -     .access = ttm_bo_vm_access
>>>>> +     .access = ttm_bo_vm_access,
>>>>> +     .mprotect = ttm_bo_vm_mprotect
>>>>>     };
>>>>>
>>>>>     static void amdgpu_gem_object_free(struct drm_gem_object *gobj)
>>>>> diff --git a/drivers/gpu/drm/nouveau/nouveau_gem.c b/drivers/gpu/drm/nouveau/nouveau_gem.c
>>>>> index 5b27845075a1..164ea564bb7a 100644
>>>>> --- a/drivers/gpu/drm/nouveau/nouveau_gem.c
>>>>> +++ b/drivers/gpu/drm/nouveau/nouveau_gem.c
>>>>> @@ -70,7 +70,8 @@ static const struct vm_operations_struct nouveau_ttm_vm_ops = {
>>>>>         .fault = nouveau_ttm_fault,
>>>>>         .open = ttm_bo_vm_open,
>>>>>         .close = ttm_bo_vm_close,
>>>>> -     .access = ttm_bo_vm_access
>>>>> +     .access = ttm_bo_vm_access,
>>>>> +     .mprotect = ttm_bo_vm_mprotect
>>>>>     };
>>>>>
>>>>>     void
>>>>> diff --git a/drivers/gpu/drm/radeon/radeon_gem.c b/drivers/gpu/drm/radeon/radeon_gem.c
>>>>> index 458f92a70887..c19ad07eb7b5 100644
>>>>> --- a/drivers/gpu/drm/radeon/radeon_gem.c
>>>>> +++ b/drivers/gpu/drm/radeon/radeon_gem.c
>>>>> @@ -77,7 +77,8 @@ static const struct vm_operations_struct radeon_gem_vm_ops = {
>>>>>         .fault = radeon_gem_fault,
>>>>>         .open = ttm_bo_vm_open,
>>>>>         .close = ttm_bo_vm_close,
>>>>> -     .access = ttm_bo_vm_access
>>>>> +     .access = ttm_bo_vm_access,
>>>>> +     .mprotect = ttm_bo_vm_mprotect
>>>>>     };
>>>>>
>>>>>     static void radeon_gem_object_free(struct drm_gem_object *gobj)
>>>>> diff --git a/drivers/gpu/drm/ttm/ttm_bo_vm.c b/drivers/gpu/drm/ttm/ttm_bo_vm.c
>>>>> index f56be5bc0861..fb325bad5db6 100644
>>>>> --- a/drivers/gpu/drm/ttm/ttm_bo_vm.c
>>>>> +++ b/drivers/gpu/drm/ttm/ttm_bo_vm.c
>>>>> @@ -542,17 +542,29 @@ int ttm_bo_vm_access(struct vm_area_struct *vma, unsigned long addr,
>>>>>     }
>>>>>     EXPORT_SYMBOL(ttm_bo_vm_access);
>>>>>
>>>>> +int ttm_bo_vm_mprotect(struct vm_area_struct *vma, unsigned long start,
>>>>> +                    unsigned long end, unsigned long newflags)
>>>>> +{
>>>>> +     /* Enforce no COW since would have really strange behavior with it. */
>>>>> +     if (is_cow_mapping(newflags) && (newflags & VM_WRITE))
>>>>> +             return -EINVAL;
>>>>> +
>>>>> +     return 0;
>>>>> +}
>>>>> +EXPORT_SYMBOL(ttm_bo_vm_mprotect);
>>>>> +
>>>>>     static const struct vm_operations_struct ttm_bo_vm_ops = {
>>>>>         .fault = ttm_bo_vm_fault,
>>>>>         .open = ttm_bo_vm_open,
>>>>>         .close = ttm_bo_vm_close,
>>>>>         .access = ttm_bo_vm_access,
>>>>> +     .mprotect = ttm_bo_vm_mprotect,
>>>>>     };
>>>>>
>>>>>     int ttm_bo_mmap_obj(struct vm_area_struct *vma, struct ttm_buffer_object *bo)
>>>>>     {
>>>>>         /* Enforce no COW since would have really strange behavior with it. */
>>>>> -     if (is_cow_mapping(vma->vm_flags))
>>>>> +     if (is_cow_mapping(vma->vm_flags) && (vma->vm_flags & VM_WRITE))
>>>>>                 return -EINVAL;
>>>>>
>>>>>         ttm_bo_get(bo);
>>>>> diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c b/drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c
>>>>> index e6b1f98ec99f..e4bf7dc99320 100644
>>>>> --- a/drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c
>>>>> +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c
>>>>> @@ -61,6 +61,7 @@ int vmw_mmap(struct file *filp, struct vm_area_struct *vma)
>>>>>                 .fault = vmw_bo_vm_fault,
>>>>>                 .open = ttm_bo_vm_open,
>>>>>                 .close = ttm_bo_vm_close,
>>>>> +             .mprotect = ttm_bo_vm_mprotect,
>>>>>     #ifdef CONFIG_TRANSPARENT_HUGEPAGE
>>>>>                 .huge_fault = vmw_bo_vm_huge_fault,
>>>>>     #endif
>>>>> diff --git a/include/drm/ttm/ttm_bo_api.h b/include/drm/ttm/ttm_bo_api.h
>>>>> index f681bbdbc698..40eb95875355 100644
>>>>> --- a/include/drm/ttm/ttm_bo_api.h
>>>>> +++ b/include/drm/ttm/ttm_bo_api.h
>>>>> @@ -605,6 +605,10 @@ void ttm_bo_vm_close(struct vm_area_struct *vma);
>>>>>
>>>>>     int ttm_bo_vm_access(struct vm_area_struct *vma, unsigned long addr,
>>>>>                      void *buf, int len, int write);
>>>>> +
>>>>> +int ttm_bo_vm_mprotect(struct vm_area_struct *vma, unsigned long start,
>>>>> +                    unsigned long end, unsigned long newflags);
>>>>> +
>>>>>     bool ttm_bo_delayed_delete(struct ttm_device *bdev, bool remove_all);
>>>>>
>>>>>     vm_fault_t ttm_bo_vm_dummy_page(struct vm_fault *vmf, pgprot_t prot);
>

Daniel Vetter July 23, 2021, 9 a.m. UTC | #13

On Fri, Jul 23, 2021 at 10:33:48AM +0200, Christian König wrote:
> 
> 
> Am 23.07.21 um 10:21 schrieb Daniel Vetter:
> > On Wed, Jul 14, 2021 at 10:51 AM Christian König
> > <christian.koenig@amd.com> wrote:
> > > 
> > > 
> > > Am 13.07.21 um 17:28 schrieb Alex Deucher:
> > > > On Tue, Jul 13, 2021 at 2:57 AM Christian König
> > > > <ckoenig.leichtzumerken@gmail.com> wrote:
> > > > > 
> > > > > Am 13.07.21 um 00:06 schrieb Felix Kuehling:
> > > > > > KFD Thunk maps invisible VRAM BOs with PROT_NONE, MAP_PRIVATE.
> > > > > > is_cow_mapping returns true for these mappings. Add a check for
> > > > > > vm_flags & VM_WRITE to avoid mmap failures on private read-only or
> > > > > > PROT_NONE mappings.
> > > > > > 
> > > > > > v2: protect against mprotect making a mapping writable after the fact
> > > > > > v3: update driver-specific vm_operations_structs
> > > > > > 
> > > > > > Fixes: f91142c62161 ("drm/ttm: nuke VM_MIXEDMAP on BO mappings v3")
> > > > > > Signed-off-by: Felix Kuehling <Felix.Kuehling@amd.com>
> > > > > > Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
> > > > > Reviewed-by: Christian König <christian.koenig@amd.com>
> > > > Are you planning to push this to drm-misc?
> > > Yes, just didn't found time yesterday.
> > This is pushed to the wrong tree drm-misc-next-fixes, should have been
> > in drm-misc-fixes. Please be careful with that because every time that
> > goes wrong the script gets confused about which the current tree is,
> > and pushes the wrong tree to linux-next branches.
> > 
> > I'm going to hard-reset drm-misc-next-fixes now and hope that's good
> > enough to fix things up (since Thomas is not around all the time for
> > this merge window).
> 
> STOP! I'm about to push a revert for this patch.
> 
> And yes that was pushed to the wrong branch, but it turned out that this was
> fortunate since the patch doesn't work correctly.

Well I just hard-reset, so you can push the right patch to the right
branch now. The trouble is that outside of the merge window no one is
allowed to push to drm-misc-next-fixes. If you do, then dim pushes
drm-misc-next-fixes to for-linux-next instead of drm-misc-next, and we
have bad surprises.

Which unfortunately happens like every merge window a few times and always
takes a few days/weeks to get caught.
-Danie

> 
> Christian.
> 
> > -Daniel
> > 
> > 
> > > Christian.
> > > 
> > > > Alex
> > > > 
> > > > > > ---
> > > > > >     drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c  |  3 ++-
> > > > > >     drivers/gpu/drm/nouveau/nouveau_gem.c    |  3 ++-
> > > > > >     drivers/gpu/drm/radeon/radeon_gem.c      |  3 ++-
> > > > > >     drivers/gpu/drm/ttm/ttm_bo_vm.c          | 14 +++++++++++++-
> > > > > >     drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c |  1 +
> > > > > >     include/drm/ttm/ttm_bo_api.h             |  4 ++++
> > > > > >     6 files changed, 24 insertions(+), 4 deletions(-)
> > > > > > 
> > > > > > diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
> > > > > > index b3404c43a911..1aa750a6a5d2 100644
> > > > > > --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
> > > > > > +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
> > > > > > @@ -79,7 +79,8 @@ static const struct vm_operations_struct amdgpu_gem_vm_ops = {
> > > > > >         .fault = amdgpu_gem_fault,
> > > > > >         .open = ttm_bo_vm_open,
> > > > > >         .close = ttm_bo_vm_close,
> > > > > > -     .access = ttm_bo_vm_access
> > > > > > +     .access = ttm_bo_vm_access,
> > > > > > +     .mprotect = ttm_bo_vm_mprotect
> > > > > >     };
> > > > > > 
> > > > > >     static void amdgpu_gem_object_free(struct drm_gem_object *gobj)
> > > > > > diff --git a/drivers/gpu/drm/nouveau/nouveau_gem.c b/drivers/gpu/drm/nouveau/nouveau_gem.c
> > > > > > index 5b27845075a1..164ea564bb7a 100644
> > > > > > --- a/drivers/gpu/drm/nouveau/nouveau_gem.c
> > > > > > +++ b/drivers/gpu/drm/nouveau/nouveau_gem.c
> > > > > > @@ -70,7 +70,8 @@ static const struct vm_operations_struct nouveau_ttm_vm_ops = {
> > > > > >         .fault = nouveau_ttm_fault,
> > > > > >         .open = ttm_bo_vm_open,
> > > > > >         .close = ttm_bo_vm_close,
> > > > > > -     .access = ttm_bo_vm_access
> > > > > > +     .access = ttm_bo_vm_access,
> > > > > > +     .mprotect = ttm_bo_vm_mprotect
> > > > > >     };
> > > > > > 
> > > > > >     void
> > > > > > diff --git a/drivers/gpu/drm/radeon/radeon_gem.c b/drivers/gpu/drm/radeon/radeon_gem.c
> > > > > > index 458f92a70887..c19ad07eb7b5 100644
> > > > > > --- a/drivers/gpu/drm/radeon/radeon_gem.c
> > > > > > +++ b/drivers/gpu/drm/radeon/radeon_gem.c
> > > > > > @@ -77,7 +77,8 @@ static const struct vm_operations_struct radeon_gem_vm_ops = {
> > > > > >         .fault = radeon_gem_fault,
> > > > > >         .open = ttm_bo_vm_open,
> > > > > >         .close = ttm_bo_vm_close,
> > > > > > -     .access = ttm_bo_vm_access
> > > > > > +     .access = ttm_bo_vm_access,
> > > > > > +     .mprotect = ttm_bo_vm_mprotect
> > > > > >     };
> > > > > > 
> > > > > >     static void radeon_gem_object_free(struct drm_gem_object *gobj)
> > > > > > diff --git a/drivers/gpu/drm/ttm/ttm_bo_vm.c b/drivers/gpu/drm/ttm/ttm_bo_vm.c
> > > > > > index f56be5bc0861..fb325bad5db6 100644
> > > > > > --- a/drivers/gpu/drm/ttm/ttm_bo_vm.c
> > > > > > +++ b/drivers/gpu/drm/ttm/ttm_bo_vm.c
> > > > > > @@ -542,17 +542,29 @@ int ttm_bo_vm_access(struct vm_area_struct *vma, unsigned long addr,
> > > > > >     }
> > > > > >     EXPORT_SYMBOL(ttm_bo_vm_access);
> > > > > > 
> > > > > > +int ttm_bo_vm_mprotect(struct vm_area_struct *vma, unsigned long start,
> > > > > > +                    unsigned long end, unsigned long newflags)
> > > > > > +{
> > > > > > +     /* Enforce no COW since would have really strange behavior with it. */
> > > > > > +     if (is_cow_mapping(newflags) && (newflags & VM_WRITE))
> > > > > > +             return -EINVAL;
> > > > > > +
> > > > > > +     return 0;
> > > > > > +}
> > > > > > +EXPORT_SYMBOL(ttm_bo_vm_mprotect);
> > > > > > +
> > > > > >     static const struct vm_operations_struct ttm_bo_vm_ops = {
> > > > > >         .fault = ttm_bo_vm_fault,
> > > > > >         .open = ttm_bo_vm_open,
> > > > > >         .close = ttm_bo_vm_close,
> > > > > >         .access = ttm_bo_vm_access,
> > > > > > +     .mprotect = ttm_bo_vm_mprotect,
> > > > > >     };
> > > > > > 
> > > > > >     int ttm_bo_mmap_obj(struct vm_area_struct *vma, struct ttm_buffer_object *bo)
> > > > > >     {
> > > > > >         /* Enforce no COW since would have really strange behavior with it. */
> > > > > > -     if (is_cow_mapping(vma->vm_flags))
> > > > > > +     if (is_cow_mapping(vma->vm_flags) && (vma->vm_flags & VM_WRITE))
> > > > > >                 return -EINVAL;
> > > > > > 
> > > > > >         ttm_bo_get(bo);
> > > > > > diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c b/drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c
> > > > > > index e6b1f98ec99f..e4bf7dc99320 100644
> > > > > > --- a/drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c
> > > > > > +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c
> > > > > > @@ -61,6 +61,7 @@ int vmw_mmap(struct file *filp, struct vm_area_struct *vma)
> > > > > >                 .fault = vmw_bo_vm_fault,
> > > > > >                 .open = ttm_bo_vm_open,
> > > > > >                 .close = ttm_bo_vm_close,
> > > > > > +             .mprotect = ttm_bo_vm_mprotect,
> > > > > >     #ifdef CONFIG_TRANSPARENT_HUGEPAGE
> > > > > >                 .huge_fault = vmw_bo_vm_huge_fault,
> > > > > >     #endif
> > > > > > diff --git a/include/drm/ttm/ttm_bo_api.h b/include/drm/ttm/ttm_bo_api.h
> > > > > > index f681bbdbc698..40eb95875355 100644
> > > > > > --- a/include/drm/ttm/ttm_bo_api.h
> > > > > > +++ b/include/drm/ttm/ttm_bo_api.h
> > > > > > @@ -605,6 +605,10 @@ void ttm_bo_vm_close(struct vm_area_struct *vma);
> > > > > > 
> > > > > >     int ttm_bo_vm_access(struct vm_area_struct *vma, unsigned long addr,
> > > > > >                      void *buf, int len, int write);
> > > > > > +
> > > > > > +int ttm_bo_vm_mprotect(struct vm_area_struct *vma, unsigned long start,
> > > > > > +                    unsigned long end, unsigned long newflags);
> > > > > > +
> > > > > >     bool ttm_bo_delayed_delete(struct ttm_device *bdev, bool remove_all);
> > > > > > 
> > > > > >     vm_fault_t ttm_bo_vm_dummy_page(struct vm_fault *vmf, pgprot_t prot);
> > 
>

Christian König July 23, 2021, 9:09 a.m. UTC | #14

Am 23.07.21 um 11:00 schrieb Daniel Vetter:
> On Fri, Jul 23, 2021 at 10:33:48AM +0200, Christian König wrote:
>>
>> Am 23.07.21 um 10:21 schrieb Daniel Vetter:
>>> On Wed, Jul 14, 2021 at 10:51 AM Christian König
>>> <christian.koenig@amd.com> wrote:
>>>>
>>>> Am 13.07.21 um 17:28 schrieb Alex Deucher:
>>>>> On Tue, Jul 13, 2021 at 2:57 AM Christian König
>>>>> <ckoenig.leichtzumerken@gmail.com> wrote:
>>>>>> Am 13.07.21 um 00:06 schrieb Felix Kuehling:
>>>>>>> KFD Thunk maps invisible VRAM BOs with PROT_NONE, MAP_PRIVATE.
>>>>>>> is_cow_mapping returns true for these mappings. Add a check for
>>>>>>> vm_flags & VM_WRITE to avoid mmap failures on private read-only or
>>>>>>> PROT_NONE mappings.
>>>>>>>
>>>>>>> v2: protect against mprotect making a mapping writable after the fact
>>>>>>> v3: update driver-specific vm_operations_structs
>>>>>>>
>>>>>>> Fixes: f91142c62161 ("drm/ttm: nuke VM_MIXEDMAP on BO mappings v3")
>>>>>>> Signed-off-by: Felix Kuehling <Felix.Kuehling@amd.com>
>>>>>>> Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
>>>>>> Reviewed-by: Christian König <christian.koenig@amd.com>
>>>>> Are you planning to push this to drm-misc?
>>>> Yes, just didn't found time yesterday.
>>> This is pushed to the wrong tree drm-misc-next-fixes, should have been
>>> in drm-misc-fixes. Please be careful with that because every time that
>>> goes wrong the script gets confused about which the current tree is,
>>> and pushes the wrong tree to linux-next branches.
>>>
>>> I'm going to hard-reset drm-misc-next-fixes now and hope that's good
>>> enough to fix things up (since Thomas is not around all the time for
>>> this merge window).
>> STOP! I'm about to push a revert for this patch.
>>
>> And yes that was pushed to the wrong branch, but it turned out that this was
>> fortunate since the patch doesn't work correctly.
> Well I just hard-reset, so you can push the right patch to the right
> branch now. The trouble is that outside of the merge window no one is
> allowed to push to drm-misc-next-fixes. If you do, then dim pushes
> drm-misc-next-fixes to for-linux-next instead of drm-misc-next, and we
> have bad surprises.

Could we then make the branch read-only for that time?

> Which unfortunately happens like every merge window a few times and always
> takes a few days/weeks to get caught.

Yeah, at least to me it's absolutely not obvious when the merge windows 
for a certain version start/end.

Christian.

> -Danie
>
>> Christian.
>>
>>> -Daniel
>>>
>>>
>>>> Christian.
>>>>
>>>>> Alex
>>>>>
>>>>>>> ---
>>>>>>>      drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c  |  3 ++-
>>>>>>>      drivers/gpu/drm/nouveau/nouveau_gem.c    |  3 ++-
>>>>>>>      drivers/gpu/drm/radeon/radeon_gem.c      |  3 ++-
>>>>>>>      drivers/gpu/drm/ttm/ttm_bo_vm.c          | 14 +++++++++++++-
>>>>>>>      drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c |  1 +
>>>>>>>      include/drm/ttm/ttm_bo_api.h             |  4 ++++
>>>>>>>      6 files changed, 24 insertions(+), 4 deletions(-)
>>>>>>>
>>>>>>> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
>>>>>>> index b3404c43a911..1aa750a6a5d2 100644
>>>>>>> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
>>>>>>> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
>>>>>>> @@ -79,7 +79,8 @@ static const struct vm_operations_struct amdgpu_gem_vm_ops = {
>>>>>>>          .fault = amdgpu_gem_fault,
>>>>>>>          .open = ttm_bo_vm_open,
>>>>>>>          .close = ttm_bo_vm_close,
>>>>>>> -     .access = ttm_bo_vm_access
>>>>>>> +     .access = ttm_bo_vm_access,
>>>>>>> +     .mprotect = ttm_bo_vm_mprotect
>>>>>>>      };
>>>>>>>
>>>>>>>      static void amdgpu_gem_object_free(struct drm_gem_object *gobj)
>>>>>>> diff --git a/drivers/gpu/drm/nouveau/nouveau_gem.c b/drivers/gpu/drm/nouveau/nouveau_gem.c
>>>>>>> index 5b27845075a1..164ea564bb7a 100644
>>>>>>> --- a/drivers/gpu/drm/nouveau/nouveau_gem.c
>>>>>>> +++ b/drivers/gpu/drm/nouveau/nouveau_gem.c
>>>>>>> @@ -70,7 +70,8 @@ static const struct vm_operations_struct nouveau_ttm_vm_ops = {
>>>>>>>          .fault = nouveau_ttm_fault,
>>>>>>>          .open = ttm_bo_vm_open,
>>>>>>>          .close = ttm_bo_vm_close,
>>>>>>> -     .access = ttm_bo_vm_access
>>>>>>> +     .access = ttm_bo_vm_access,
>>>>>>> +     .mprotect = ttm_bo_vm_mprotect
>>>>>>>      };
>>>>>>>
>>>>>>>      void
>>>>>>> diff --git a/drivers/gpu/drm/radeon/radeon_gem.c b/drivers/gpu/drm/radeon/radeon_gem.c
>>>>>>> index 458f92a70887..c19ad07eb7b5 100644
>>>>>>> --- a/drivers/gpu/drm/radeon/radeon_gem.c
>>>>>>> +++ b/drivers/gpu/drm/radeon/radeon_gem.c
>>>>>>> @@ -77,7 +77,8 @@ static const struct vm_operations_struct radeon_gem_vm_ops = {
>>>>>>>          .fault = radeon_gem_fault,
>>>>>>>          .open = ttm_bo_vm_open,
>>>>>>>          .close = ttm_bo_vm_close,
>>>>>>> -     .access = ttm_bo_vm_access
>>>>>>> +     .access = ttm_bo_vm_access,
>>>>>>> +     .mprotect = ttm_bo_vm_mprotect
>>>>>>>      };
>>>>>>>
>>>>>>>      static void radeon_gem_object_free(struct drm_gem_object *gobj)
>>>>>>> diff --git a/drivers/gpu/drm/ttm/ttm_bo_vm.c b/drivers/gpu/drm/ttm/ttm_bo_vm.c
>>>>>>> index f56be5bc0861..fb325bad5db6 100644
>>>>>>> --- a/drivers/gpu/drm/ttm/ttm_bo_vm.c
>>>>>>> +++ b/drivers/gpu/drm/ttm/ttm_bo_vm.c
>>>>>>> @@ -542,17 +542,29 @@ int ttm_bo_vm_access(struct vm_area_struct *vma, unsigned long addr,
>>>>>>>      }
>>>>>>>      EXPORT_SYMBOL(ttm_bo_vm_access);
>>>>>>>
>>>>>>> +int ttm_bo_vm_mprotect(struct vm_area_struct *vma, unsigned long start,
>>>>>>> +                    unsigned long end, unsigned long newflags)
>>>>>>> +{
>>>>>>> +     /* Enforce no COW since would have really strange behavior with it. */
>>>>>>> +     if (is_cow_mapping(newflags) && (newflags & VM_WRITE))
>>>>>>> +             return -EINVAL;
>>>>>>> +
>>>>>>> +     return 0;
>>>>>>> +}
>>>>>>> +EXPORT_SYMBOL(ttm_bo_vm_mprotect);
>>>>>>> +
>>>>>>>      static const struct vm_operations_struct ttm_bo_vm_ops = {
>>>>>>>          .fault = ttm_bo_vm_fault,
>>>>>>>          .open = ttm_bo_vm_open,
>>>>>>>          .close = ttm_bo_vm_close,
>>>>>>>          .access = ttm_bo_vm_access,
>>>>>>> +     .mprotect = ttm_bo_vm_mprotect,
>>>>>>>      };
>>>>>>>
>>>>>>>      int ttm_bo_mmap_obj(struct vm_area_struct *vma, struct ttm_buffer_object *bo)
>>>>>>>      {
>>>>>>>          /* Enforce no COW since would have really strange behavior with it. */
>>>>>>> -     if (is_cow_mapping(vma->vm_flags))
>>>>>>> +     if (is_cow_mapping(vma->vm_flags) && (vma->vm_flags & VM_WRITE))
>>>>>>>                  return -EINVAL;
>>>>>>>
>>>>>>>          ttm_bo_get(bo);
>>>>>>> diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c b/drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c
>>>>>>> index e6b1f98ec99f..e4bf7dc99320 100644
>>>>>>> --- a/drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c
>>>>>>> +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c
>>>>>>> @@ -61,6 +61,7 @@ int vmw_mmap(struct file *filp, struct vm_area_struct *vma)
>>>>>>>                  .fault = vmw_bo_vm_fault,
>>>>>>>                  .open = ttm_bo_vm_open,
>>>>>>>                  .close = ttm_bo_vm_close,
>>>>>>> +             .mprotect = ttm_bo_vm_mprotect,
>>>>>>>      #ifdef CONFIG_TRANSPARENT_HUGEPAGE
>>>>>>>                  .huge_fault = vmw_bo_vm_huge_fault,
>>>>>>>      #endif
>>>>>>> diff --git a/include/drm/ttm/ttm_bo_api.h b/include/drm/ttm/ttm_bo_api.h
>>>>>>> index f681bbdbc698..40eb95875355 100644
>>>>>>> --- a/include/drm/ttm/ttm_bo_api.h
>>>>>>> +++ b/include/drm/ttm/ttm_bo_api.h
>>>>>>> @@ -605,6 +605,10 @@ void ttm_bo_vm_close(struct vm_area_struct *vma);
>>>>>>>
>>>>>>>      int ttm_bo_vm_access(struct vm_area_struct *vma, unsigned long addr,
>>>>>>>                       void *buf, int len, int write);
>>>>>>> +
>>>>>>> +int ttm_bo_vm_mprotect(struct vm_area_struct *vma, unsigned long start,
>>>>>>> +                    unsigned long end, unsigned long newflags);
>>>>>>> +
>>>>>>>      bool ttm_bo_delayed_delete(struct ttm_device *bdev, bool remove_all);
>>>>>>>
>>>>>>>      vm_fault_t ttm_bo_vm_dummy_page(struct vm_fault *vmf, pgprot_t prot);

[v3,1/1] drm/ttm: Fix COW check

Commit Message

Comments

Patch