1. 04 12月, 2014 3 次提交
  2. 18 7月, 2014 1 次提交
  3. 04 3月, 2014 1 次提交
  4. 06 2月, 2014 1 次提交
  5. 09 1月, 2014 1 次提交
  6. 18 12月, 2013 1 次提交
  7. 06 11月, 2013 1 次提交
  8. 02 11月, 2013 1 次提交
    • M
      drm/radeon: fixup locking inversion between, mmap_sem and reservations · 28a326c5
      Maarten Lankhorst 提交于
      op 08-10-13 18:58, Thomas Hellstrom schreef:
      > On 10/08/2013 06:47 PM, Jerome Glisse wrote:
      >> On Tue, Oct 08, 2013 at 06:29:35PM +0200, Thomas Hellstrom wrote:
      >>> On 10/08/2013 04:55 PM, Jerome Glisse wrote:
      >>>> On Tue, Oct 08, 2013 at 04:45:18PM +0200, Christian König wrote:
      >>>>> Am 08.10.2013 16:33, schrieb Jerome Glisse:
      >>>>>> On Tue, Oct 08, 2013 at 04:14:40PM +0200, Maarten Lankhorst wrote:
      >>>>>>> Allocate and copy all kernel memory before doing reservations. This prevents a locking
      >>>>>>> inversion between mmap_sem and reservation_class, and allows us to drop the trylocking
      >>>>>>> in ttm_bo_vm_fault without upsetting lockdep.
      >>>>>>>
      >>>>>>> Signed-off-by: Maarten Lankhorst <maarten.lankhorst@canonical.com>
      >>>>>> I would say NAK. Current code only allocate temporary page in AGP case.
      >>>>>> So AGP case is userspace -> temp page -> cs checker -> radeon ib.
      >>>>>>
      >>>>>> Non AGP is directly memcpy to radeon IB.
      >>>>>>
      >>>>>> Your patch allocate memory memcpy userspace to it and it will then be
      >>>>>> memcpy to IB. Which means you introduce an extra memcpy in the process
      >>>>>> not something we want.
      >>>>> Totally agree. Additional to that there is no good reason to provide
      >>>>> anything else than anonymous system memory to the CS ioctl, so the
      >>>>> dependency between the mmap_sem and reservations are not really
      >>>>> clear to me.
      >>>>>
      >>>>> Christian.
      >>>> I think is that in other code path you take mmap_sem first then reserve
      >>>> bo. But here we reserve bo and then we take mmap_sem because of copy
      >>> >from user.
      >>>> Cheers,
      >>>> Jerome
      >>>>
      >>> Actually the log message is a little confusing. I think the mmap_sem
      >>> locking inversion problem is orthogonal to what's being fixed here.
      
      > >>> This patch fixes the possible recursive bo::reserve caused by
      > >>> malicious user-space handing a pointer to ttm memory so that the ttm
      > >>> fault handler is called when bos are already reserved. That may
      > >>> cause a (possibly interruptible) livelock.
      
      >>> Once that is fixed, we are free to choose the mmap_sem ->
      >>> bo::reserve locking order. Currently it's bo::reserve->mmap_sem(),
      >>> but the hack required in the ttm fault handler is admittedly a bit
      >>> ugly.  The plan is to change the locking order to
      >>> mmap_sem->bo::reserve
      
      > >>> I'm not sure if it applies to this particular case, but it should be
      > >>> possible to make sure that copy_from_user_inatomic() will always
      > >>> succeed, by making sure the pages are present using
      > >>> get_user_pages(), and release the pages after
      > >>> copy_from_user_inatomic() is done. That way there's no need for a
      > >>> double memcpy slowpath, but if the copied data is very fragmented I
      > >>> guess the resulting code may look ugly. The get_user_pages()
      > >>> function will return an error if it hits TTM pages.
      
      >>> /Thomas
      >> get_user_pages + copy_from_user_inatomic is overkill. We should just
      >> do get_user_pages which fails with ttm memory and then use copy_highpage
      >> helper.
      >>
      >> Cheers,
      >> Jerome
      > Yeah, it may well be that that's the preferred solution.
      >
      > /Thomas
      >
      I still disagree, and shuffled radeon_ib_get around to be called sooner.
      
      How does the patch below look?
      8<-------
      Allocate and copy all kernel memory before doing reservations. This prevents a locking
      inversion between mmap_sem and reservation_class, and allows us to drop the trylocking
      in ttm_bo_vm_fault without upsetting lockdep.
      
      Changes since v1:
      - Kill extra memcpy for !AGP case.
      Signed-off-by: NMaarten Lankhorst <maarten.lankhorst@canonical.com>
      Reviewed-by: NJerome Glisse <jglisse@redhat.com>
      Signed-off-by: NAlex Deucher <alexander.deucher@amd.com>
      28a326c5
  9. 12 2月, 2013 1 次提交
  10. 01 2月, 2013 7 次提交
  11. 11 1月, 2013 2 次提交
  12. 05 1月, 2013 1 次提交
  13. 20 12月, 2012 1 次提交
  14. 14 12月, 2012 2 次提交
  15. 13 12月, 2012 1 次提交
  16. 03 10月, 2012 1 次提交
  17. 27 9月, 2012 1 次提交
  18. 21 9月, 2012 1 次提交
  19. 30 8月, 2012 3 次提交
  20. 20 8月, 2012 2 次提交
  21. 13 8月, 2012 2 次提交
  22. 09 8月, 2012 1 次提交
  23. 16 6月, 2012 1 次提交
  24. 10 5月, 2012 1 次提交
  25. 26 3月, 2012 1 次提交
  26. 20 3月, 2012 1 次提交