Message-ID: <c742707e-eb6d-6a22-3006-52dc3bf458d8@gmail.com>
Date:   Fri, 15 Jan 2021 16:23:31 +0000
From:   Jinoh Kang <jinoh.kang.kr@...il.com>
To:     Marek Marczykowski-Górecki 
        <marmarek@...isiblethingslab.com>
Cc:     Jani Nikula <jani.nikula@...ux.intel.com>,
        Joonas Lahtinen <joonas.lahtinen@...ux.intel.com>,
        Rodrigo Vivi <rodrigo.vivi@...el.com>,
        David Airlie <airlied@...ux.ie>,
        Daniel Vetter <daniel@...ll.ch>,
        Chris Wilson <chris@...is-wilson.co.uk>,
        Matthew Auld <matthew.auld@...el.com>,
        intel-gfx@...ts.freedesktop.org, dri-devel@...ts.freedesktop.org,
        linux-kernel@...r.kernel.org
Subject: [PATCH] drm/i915/userptr: detect un-GUP-able pages early

If GUP-ineligible pages are passed to a GEM userptr object, -EFAULT is
returned only when the object is actually bound.

The xf86-video-intel userspace driver cannot differentiate this
condition, and marks the GPU as wedged.  This not only disables graphics
acceleration but may also cripple other functions such as VT switch.

Solve this by "prefaulting" user pages on GEM object creation, testing
whether all pages are eligible for get_user_pages() in the process.
On failure, return -EFAULT so that userspace can fall back to software
blitting.

This behavior can be enabled via a new modparam "gem_userptr_prefault",
which is false by default.

Known use cases:

- As a debugging aid, invalid pointers and/or wrong pages passed to
  userptr could be caught much earlier.
- Qubes OS R4.0 uses VM_PFNMAP pages from drivers/xen/privcmd.c, in
  order to map framebuffers from Xen guest to dom0.  These pages are not
  GUP-able, but they cannot be exposed via DMA-BUF either.  Previously
  this issue had gone somehow undetected, until some patch between
  v4.14 and v4.19 triggered it.

Signed-off-by: Jinoh Kang <jinoh.kang.kr@...il.com>
Cc: Marek Marczykowski-Górecki <marmarek@...isiblethingslab.com>
Cc: Jani Nikula <jani.nikula@...ux.intel.com>
Cc: Joonas Lahtinen <joonas.lahtinen@...ux.intel.com>
Cc: Rodrigo Vivi <rodrigo.vivi@...el.com>
Cc: David Airlie <airlied@...ux.ie>
Cc: Daniel Vetter <daniel@...ll.ch>
Cc: Chris Wilson <chris@...is-wilson.co.uk>
Cc: Matthew Auld <matthew.auld@...el.com>
---
 drivers/gpu/drm/i915/gem/i915_gem_userptr.c | 35 +++++++++++++++++++++
 drivers/gpu/drm/i915/i915_params.c          |  3 ++
 drivers/gpu/drm/i915/i915_params.h          |  1 +
 3 files changed, 39 insertions(+)

diff --git a/drivers/gpu/drm/i915/gem/i915_gem_userptr.c b/drivers/gpu/drm/i915/gem/i915_gem_userptr.c
index f2eaed6aca3d..5d653df2f759 100644
--- a/drivers/gpu/drm/i915/gem/i915_gem_userptr.c
+++ b/drivers/gpu/drm/i915/gem/i915_gem_userptr.c
@@ -712,6 +712,33 @@ static const struct drm_i915_gem_object_ops i915_gem_userptr_ops = {
 	.release = i915_gem_userptr_release,
 };
 
+static int i915_gem_userptr_prefault(unsigned long start,
+				     unsigned long nr_pages,
+				     bool readonly)
+{
+	unsigned int gup_flags = (readonly ? 0 : FOLL_WRITE) | FOLL_NOWAIT;
+	int err = 0;
+
+	mmap_read_lock(current->mm);
+	while (nr_pages) {
+		long ret;
+
+		ret = get_user_pages(start, nr_pages, gup_flags, NULL, NULL);
+		if (ret < 0) {
+			err = (int)ret;
+			break;
+		}
+		if (ret == 0)
+			ret = 1;  /* skip this page */
+
+		start += ret << PAGE_SHIFT;
+		nr_pages -= ret;
+	}
+	mmap_read_unlock(current->mm);
+
+	return err;
+}
+
 /*
  * Creates a new mm object that wraps some normal memory from the process
  * context - user memory.
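Review bot: In i915_gem_userptr_prefault(), the `if (ret == 0) ret = 1;  /* skip this page */` branch advances past a page for which get_user_pages() returned nothing, so with FOLL_NOWAIT in gup_flags the function can return 0 without every page having been checked. That is weaker than the "testing whether all pages are eligible" behaviour the commit message describes. Either drop FOLL_NOWAIT for this validation pass or add a comment explaining why a zero return can only mean a page that is safe to skip. The loop also holds mmap_read_lock() across the whole caller-supplied nr_pages with no rescheduling point or fatal-signal check, and the function has no comment stating its locking and return contract.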
@@ -796,6 +823,14 @@ i915_gem_userptr_ioctl(struct drm_device *dev,
 	if (!access_ok((char __user *)(unsigned long)args->user_ptr, args->user_size))
 		return -EFAULT;
 
+	if (i915_modparams.gem_userptr_prefault) {
+		ret = i915_gem_userptr_prefault((unsigned long)args->user_ptr,
+						args->user_size >> PAGE_SHIFT,
+						args->flags & I915_USERPTR_READ_ONLY);
+		if (ret)
+			return ret;
+	}
+
 	if (args->flags & I915_USERPTR_READ_ONLY) {
 		/*
 		 * On almost all of the older hw, we cannot tell the GPU that
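Review bot: The prefault call in i915_gem_userptr_ioctl() only reflects the address space at creation time; the caller can unmap or remap the range before the object is bound, so the bind-time -EFAULT described in the commit message can still occur and userspace has to keep handling it. Please say so in a comment above the `if (i915_modparams.gem_userptr_prefault)` block so the check is not read as a guarantee. Also consider moving this walk, whose length comes from args->user_size, below the I915_USERPTR_READ_ONLY handling that follows, if that block can reject the request without touching user memory.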
diff --git a/drivers/gpu/drm/i915/i915_params.c b/drivers/gpu/drm/i915/i915_params.c
index 7f139ea4a90b..b5e0a88c059f 100644
--- a/drivers/gpu/drm/i915/i915_params.c
+++ b/drivers/gpu/drm/i915/i915_params.c
@@ -197,6 +197,9 @@ i915_param_named_unsafe(fake_lmem_start, ulong, 0400,
 	"Fake LMEM start offset (default: 0)");
 #endif
 
+i915_param_named(gem_userptr_prefault, bool, 0600,
+	"Prefault pages when userptr GEM object is created (default: false)");
+
 static __always_inline void _print_param(struct drm_printer *p,
 					 const char *name,
 					 const char *type,
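Review bot: The description string for gem_userptr_prefault says only that pages are prefaulted and omits the userspace-visible effect: with the parameter set, the userptr ioctl can now fail at creation with -EFAULT. Suggest wording along the lines of "Prefault pages when userptr GEM object is created and fail creation on error (default: false)", so an administrator reading modinfo output knows what enabling it changes.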
diff --git a/drivers/gpu/drm/i915/i915_params.h b/drivers/gpu/drm/i915/i915_params.h
index 330c03e2b4f7..323f60298b05 100644
--- a/drivers/gpu/drm/i915/i915_params.h
+++ b/drivers/gpu/drm/i915/i915_params.h
@@ -79,6 +79,7 @@ struct drm_printer;
 	param(bool, disable_display, false, 0400) \
 	param(bool, verbose_state_checks, true, 0) \
 	param(bool, nuclear_pageflip, false, 0400) \
+	param(bool, gem_userptr_prefault, false, 0600) \
 	param(bool, enable_dp_mst, true, 0600) \
 	param(bool, enable_gvt, false, 0400)
 
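Review bot: Mode 0600 on the gem_userptr_prefault entry makes the parameter writable at runtime, so the result of the userptr ioctl for identical arguments can change between calls, and objects created before the switch were never checked. If this is meant as a boot-time workaround for setups like the Qubes OS case in the commit message, 0400 as used by the neighbouring disable_display and nuclear_pageflip entries would be simpler to reason about; otherwise state the runtime semantics in the commit message. Whichever mode is chosen has to match the i915_param_named() line in i915_params.c.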
-- 
2.26.2
