Jason, Christian
In most implementations of the callback mentioned in the subject there's a fence wait. What exactly is it needed for?
Thanks,
Thomas
Am 09.12.20 um 17:46 schrieb Thomas Hellström (Intel):
Well in general an invalidation means that the specified part of the page tables are updated, either with new addresses or new access flags.
In both cases you need to stop the DMA because you could otherwise work with stale data, e.g. read/write with the wrong addresses or write to a read only region etc...
Is it for invlidation before breaking COW after fork or something related?
This is just one of many use cases which could invalidate a range. But there are many more, both from the kernel as well as userspace.
Just imaging that userspace first mmaps() some anonymous memory r/w, starts a DMA to it and while the DMA is ongoing does a readonly mmap() of libc to the same location.
Since most hardware doesn't have recoverable page faults guess what would happen if we don't wait for the DMA to finish? That would be a security hole you can push an elephant through :)
Cheers, Christian.
Hi, Christian
Thanks for the reply.
On 12/10/20 11:53 AM, Christian König wrote:
Yes. That's clear. I'm just trying to understand the complete implications of doing that.
My understanding of this particular case is that hardware would continue to DMA to orphaned pages that are pinned until the driver is done with DMA, unless hardware would somehow in-flight pick up the new PTE addresses pointing to libc but not the protection?
Thanks,
Thomas
Am 11.12.20 um 08:50 schrieb Thomas Hellström (Intel):
Exactly that is not guaranteed under all circumstances. Especially since HMM tries to avoid grabbing a reference to the underlying pages. And it depends when the destination addresses of the DMA are read and when the access flags are evaluated.
But even when it causes no security problem the requirement we have to fulfill here is that the DMA is coherent. In other words we either have to delay updates to the page tables until the DMA operation is completed or apply both address and access flag changes in a way the DMA operation immediately sees it as well.
Regards, Christian.
On Fri, Dec 11, 2020 at 08:50:53AM +0100, Thomas Hellström (Intel) wrote:
mmu notifier replaces pinning as the locking mechanism. Drivers using mmu notifier should not be taking pins.
Keep in mind this was all built for HW with real shadow page tables that can do fine grained manipulation.
The GPU version of this to instead manipulate a command queue is a big aberration from what was intended.
Jason
On 12/11/20 1:46 PM, Jason Gunthorpe wrote:
OK yes, that makes sense and in that context the fence wait is easier to understand. Looks like for example the radeon driver is using the notifier + get_user_pages() but there it looks like it's used to avoid having get_user_pages() clash with invalidation.
/Thomas
On Sun, Dec 13, 2020 at 04:09:25PM +0100, Thomas Hellström (Intel) wrote:
I think the radeon userptr implementation is bad enough that Christian wants to outright remove it. At least he keeps talking about doing that.
So maybe not a good example to look at :-) -Daniel
dri-devel@lists.freedesktop.org
-
Christian König -
Daniel Vetter -
Jason Gunthorpe -
Thomas Hellström (Intel)