Date: Fri, 3 Nov 2023 16:34:51 +0100
Subject: Re: [PATCH drm-misc-next v8 09/12] drm/gpuvm: reference count drm_gpuvm structures
To: Christian König
Cc: airlied@gmail.com, daniel@ffwll.ch, matthew.brost@intel.com, thomas.hellstrom@linux.intel.com, sarah.walker@imgtec.com, donald.robson@imgtec.com, boris.brezillon@collabora.com, faith@gfxstrand.net, dri-devel@lists.freedesktop.org, nouveau@lists.freedesktop.org, linux-kernel@vger.kernel.org
References: <20231101233113.8059-1-dakr@redhat.com> <20231101233113.8059-10-dakr@redhat.com>
From: Danilo Krummrich
Organization: RedHat

On 11/3/23 15:04, Christian König wrote:
> On 03.11.23 at 14:14, Danilo Krummrich wrote:
>> On Fri, Nov 03, 2023 at 08:18:35AM +0100, Christian König wrote:
>>> On 02.11.23 at 00:31, Danilo Krummrich wrote:
>>>> Implement reference counting for struct drm_gpuvm.
>>> From the design point of view what is that good for?
>> It was discussed in this thread [1].
>>
>> Essentially, the idea is to make sure that vm_bo->vm is always valid without the
>> driver having the need to take extra care. It also ensures that GPUVM can't be
>> freed with mappings still held.
>
> Well in this case I have some objections to this. The lifetime of the VM is
> driver and use case specific.

That's fine, I don't see how this changes with a reference count.

> Especially we most likely don't want the VM to live longer than the application
> which originally used it. If you make the GPUVM an independent object you
> actually open up driver abuse for the lifetime of this.

Right, we don't want that. But I don't see how the reference count prevents that.

Independent object is relative. struct drm_gpuvm is still embedded into a driver
specific structure. It's working the same way as with struct drm_gem_object.
>
> Additional to that see below for a quite real problem with this.
>
>>> Background is that the most common use case I see is that this object is
>>> embedded into something else and a reference count is then not really a good
>>> idea.
>> Do you have a specific use-case in mind where this would interfere?
>
> Yes, absolutely. For an example see amdgpu_mes_self_test(), here we initialize a
> temporary amdgpu VM for an in kernel unit test which runs during driver load.
>
> When the function returns I need to guarantee that the VM is destroyed or
> otherwise I will mess up normal operation.

Nothing prevents that. The reference counting is well defined. If the driver did
not take additional references (which is clearly up to the driver taking care of)
and all VM_BOs and mappings are cleaned up, the reference count is guaranteed to
be 1 at this point.

Also note that if the driver would have not cleaned up all VM_BOs and mappings
before shutting down the VM, it would have been a bug anyways and the driver
would potentially leak memory and UAF issues.

Hence, if the VM is still alive at a point where you don't expect it to be, then
it's simply a driver bug.

> Reference counting is nice when you don't know who else is referring to your
> VM, but the cost is that you also don't know when the object will guardedly be
> destroyed.
>
> I can trivially work around this by saying that the generic GPUVM object has a
> different lifetime than the amdgpu specific object, but that opens up doors for
> use after free again.

If your driver never touches the VM's reference count and exits the VM with a
clean state (no mappings and no VM_BOs left), effectively, this is the same as
having no reference count.

In the very worst case you could argue that we trade a potential UAF *and* memory
leak (no reference count) with *only* a memory leak (with reference count), which
to me seems reasonable.

> Regards,
> Christian.
>
>>> Thanks,
>>> Christian.
>> [1]https://lore.kernel.org/dri-devel/6fa058a4-20d3-44b9-af58-755cfb375d75@redhat.com/ >> >>>> Signed-off-by: Danilo Krummrich >>>> --- >>>> drivers/gpu/drm/drm_gpuvm.c | 44 +++++++++++++++++++------- >>>> drivers/gpu/drm/nouveau/nouveau_uvmm.c | 20 +++++++++--- >>>> include/drm/drm_gpuvm.h | 31 +++++++++++++++++- >>>> 3 files changed, 78 insertions(+), 17 deletions(-) >>>> >>>> diff --git a/drivers/gpu/drm/drm_gpuvm.c b/drivers/gpu/drm/drm_gpuvm.c >>>> index 53e2c406fb04..6a88eafc5229 100644 >>>> --- a/drivers/gpu/drm/drm_gpuvm.c >>>> +++ b/drivers/gpu/drm/drm_gpuvm.c >>>> @@ -746,6 +746,8 @@ drm_gpuvm_init(struct drm_gpuvm *gpuvm, const char *name, >>>> gpuvm->rb.tree = RB_ROOT_CACHED; >>>> INIT_LIST_HEAD(&gpuvm->rb.list); >>>> + kref_init(&gpuvm->kref); >>>> + >>>> gpuvm->name = name ? name : "unknown"; >>>> gpuvm->flags = flags; >>>> gpuvm->ops = ops; >>>> @@ -770,15 +772,8 @@ drm_gpuvm_init(struct drm_gpuvm *gpuvm, const char *name, >>>> } >>>> EXPORT_SYMBOL_GPL(drm_gpuvm_init); >>>> -/** >>>> - * drm_gpuvm_destroy() - cleanup a &drm_gpuvm >>>> - * @gpuvm: pointer to the &drm_gpuvm to clean up >>>> - * >>>> - * Note that it is a bug to call this function on a manager that still >>>> - * holds GPU VA mappings. >>>> - */ >>>> -void >>>> -drm_gpuvm_destroy(struct drm_gpuvm *gpuvm) >>>> +static void >>>> +drm_gpuvm_fini(struct drm_gpuvm *gpuvm) >>>> { >>>> gpuvm->name = NULL; 
>>>> @@ -790,7 +785,33 @@ drm_gpuvm_destroy(struct drm_gpuvm *gpuvm) >>>> drm_gem_object_put(gpuvm->r_obj); >>>> } >>>> -EXPORT_SYMBOL_GPL(drm_gpuvm_destroy); >>>> + >>>> +static void >>>> +drm_gpuvm_free(struct kref *kref) >>>> +{ >>>> + struct drm_gpuvm *gpuvm = container_of(kref, struct drm_gpuvm, kref); >>>> + >>>> + if (drm_WARN_ON(gpuvm->drm, !gpuvm->ops->vm_free)) >>>> + return; >>>> + >>>> + drm_gpuvm_fini(gpuvm); >>>> + >>>> + gpuvm->ops->vm_free(gpuvm); >>>> +} >>>> + >>>> +/** >>>> + * drm_gpuvm_bo_put() - drop a struct drm_gpuvm reference >>>> + * @gpuvm: the &drm_gpuvm to release the reference of >>>> + * >>>> + * This releases a reference to @gpuvm. >>>> + */ >>>> +void >>>> +drm_gpuvm_put(struct drm_gpuvm *gpuvm) >>>> +{ >>>> + if (gpuvm) >>>> + kref_put(&gpuvm->kref, drm_gpuvm_free); >>>> +} >>>> +EXPORT_SYMBOL_GPL(drm_gpuvm_put); >>>> static int >>>> __drm_gpuva_insert(struct drm_gpuvm *gpuvm, >>>> @@ -843,7 +864,7 @@ drm_gpuva_insert(struct drm_gpuvm *gpuvm, >>>> if (unlikely(!drm_gpuvm_range_valid(gpuvm, addr, range))) >>>> return -EINVAL; >>>> - return __drm_gpuva_insert(gpuvm, va); >>>> + return __drm_gpuva_insert(drm_gpuvm_get(gpuvm), va); >>>> } >>>> EXPORT_SYMBOL_GPL(drm_gpuva_insert); >>>> @@ -876,6 +897,7 @@ drm_gpuva_remove(struct drm_gpuva *va) >>>> } >>>> __drm_gpuva_remove(va); >>>> + drm_gpuvm_put(va->vm); >>>> } >>>> EXPORT_SYMBOL_GPL(drm_gpuva_remove); >>>> diff --git a/drivers/gpu/drm/nouveau/nouveau_uvmm.c b/drivers/gpu/drm/nouveau/nouveau_uvmm.c >>>> index 54be12c1272f..cb2f06565c46 100644 >>>> --- a/drivers/gpu/drm/nouveau/nouveau_uvmm.c >>>> +++ b/drivers/gpu/drm/nouveau/nouveau_uvmm.c 
>>>> @@ -1780,6 +1780,18 @@ nouveau_uvmm_bo_unmap_all(struct nouveau_bo *nvbo) >>>> } >>>> } >>>> +static void >>>> +nouveau_uvmm_free(struct drm_gpuvm *gpuvm) >>>> +{ >>>> + struct nouveau_uvmm *uvmm = uvmm_from_gpuvm(gpuvm); >>>> + >>>> + kfree(uvmm); >>>> +} >>>> + >>>> +static const struct drm_gpuvm_ops gpuvm_ops = { >>>> + .vm_free = nouveau_uvmm_free, >>>> +}; >>>> + >>>> int >>>> nouveau_uvmm_ioctl_vm_init(struct drm_device *dev, >>>> void *data, >>>> @@ -1830,7 +1842,7 @@ nouveau_uvmm_ioctl_vm_init(struct drm_device *dev, >>>> NOUVEAU_VA_SPACE_END, >>>> init->kernel_managed_addr, >>>> init->kernel_managed_size, >>>> - NULL); >>>> + &gpuvm_ops); >>>> /* GPUVM takes care from here on. */ >>>> drm_gem_object_put(r_obj); >>>> @@ -1849,8 +1861,7 @@ nouveau_uvmm_ioctl_vm_init(struct drm_device *dev, >>>> return 0; >>>> out_gpuvm_fini: >>>> - drm_gpuvm_destroy(&uvmm->base); >>>> - kfree(uvmm); >>>> + drm_gpuvm_put(&uvmm->base); >>>> out_unlock: >>>> mutex_unlock(&cli->mutex); >>>> return ret; >>>> @@ -1902,7 +1913,6 @@ nouveau_uvmm_fini(struct nouveau_uvmm *uvmm) >>>> mutex_lock(&cli->mutex); >>>> nouveau_vmm_fini(&uvmm->vmm); >>>> - drm_gpuvm_destroy(&uvmm->base); >>>> - kfree(uvmm); >>>> + drm_gpuvm_put(&uvmm->base); >>>> mutex_unlock(&cli->mutex); >>>> } >>>> diff --git a/include/drm/drm_gpuvm.h b/include/drm/drm_gpuvm.h >>>> index 0c2e24155a93..4e6e1fd3485a 100644 >>>> --- a/include/drm/drm_gpuvm.h >>>> +++ b/include/drm/drm_gpuvm.h >>>> @@ -247,6 +247,11 @@ struct drm_gpuvm { >>>> struct list_head list; >>>> } rb; >>>> + /** >>>> + * @kref: reference count of this object >>>> + */ >>>> + struct kref kref; >>>> + >>>> /** >>>> * @kernel_alloc_node: >>>> * 
>>>> @@ -273,7 +278,23 @@ void drm_gpuvm_init(struct drm_gpuvm *gpuvm, const char *name, >>>> u64 start_offset, u64 range, >>>> u64 reserve_offset, u64 reserve_range, >>>> const struct drm_gpuvm_ops *ops); >>>> -void drm_gpuvm_destroy(struct drm_gpuvm *gpuvm); >>>> + >>>> +/** >>>> + * drm_gpuvm_get() - acquire a struct drm_gpuvm reference >>>> + * @gpuvm: the &drm_gpuvm to acquire the reference of >>>> + * >>>> + * This function acquires an additional reference to @gpuvm. It is illegal to >>>> + * call this without already holding a reference. No locks required. >>>> + */ >>>> +static inline struct drm_gpuvm * >>>> +drm_gpuvm_get(struct drm_gpuvm *gpuvm) >>>> +{ >>>> + kref_get(&gpuvm->kref); >>>> + >>>> + return gpuvm; >>>> +} >>>> + >>>> +void drm_gpuvm_put(struct drm_gpuvm *gpuvm); >>>> bool drm_gpuvm_range_valid(struct drm_gpuvm *gpuvm, u64 addr, u64 range); >>>> bool drm_gpuvm_interval_empty(struct drm_gpuvm *gpuvm, u64 addr, u64 range); >>>> @@ -673,6 +694,14 @@ static inline void drm_gpuva_init_from_op(struct drm_gpuva *va, >>>> * operations to drivers. >>>> */ >>>> struct drm_gpuvm_ops { >>>> + /** >>>> + * @vm_free: called when the last reference of a struct drm_gpuvm is >>>> + * dropped >>>> + * >>>> + * This callback is mandatory. >>>> + */ >>>> + void (*vm_free)(struct drm_gpuvm *gpuvm); >>>> + >>>> /** >>>> * @op_alloc: called when the &drm_gpuvm allocates >>>> * a struct drm_gpuva_op >
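Review bot: in the drm_gpuvm.c hunk adding drm_gpuvm_free(), the early `return` after `drm_WARN_ON(gpuvm->drm, !gpuvm->ops->vm_free)` skips drm_gpuvm_fini(), so a driver that omits the callback leaks the `r_obj` reference and the VM itself on its last put, and if `gpuvm->ops` is NULL the check dereferences a NULL pointer before it can warn (the nouveau hunk shows that drivers passed `NULL` as ops up to this patch). Since the header declares `vm_free` mandatory, check `ops && ops->vm_free` in drm_gpuvm_init(), where the warning fires once at setup and is attributable to the driver, and keep the release path unconditional.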
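Review bot: in the drm_gpuva_insert() hunk the reference is taken with `drm_gpuvm_get(gpuvm)` before `__drm_gpuva_insert()` runs, but nothing drops it when that call returns an error: the matching drm_gpuvm_put() lives only in drm_gpuva_remove(), which is never called for a VA that was not inserted, so every failed insert pins the VM for good. Take the reference only on success, e.g. `ret = __drm_gpuva_insert(gpuvm, va); if (!ret) drm_gpuvm_get(gpuvm); return ret;`, or put it on the error path.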
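Review bot: the kerneldoc added above drm_gpuvm_put() is titled `drm_gpuvm_bo_put()`, which documents the wrong function and will trip the kernel-doc prototype check; rename it to `drm_gpuvm_put()`. The removed drm_gpuvm_destroy() comment also carried the rule "it is a bug to call this function on a manager that still holds GPU VA mappings", and no new text states what replaces it (mappings hold references, so a VM put while mappings exist stays alive until the last mapping is removed); that is exactly the semantics debated in this thread and belongs in the drm_gpuvm_put() or struct drm_gpuvm documentation.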
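The lifetime argument made in the reply above (a driver that unmaps everything sees the count back at 1 and its final put frees the VM; a driver that puts early while mappings remain gets a leak rather than a use-after-free) as an added userspace model. It is not part of the patch or of the kernel's drm_gpuvm code: `struct model_vm`, `struct model_va`, `struct driver_vm`, `DRIVER_VM_MAGIC` and `frees_observed` are hypothetical names, and `kref`/`container_of` are minimal C11 re-implementations so the file builds with an ordinary compiler.

```c
#include <assert.h>
#include <stdatomic.h>
#include <stddef.h>
#include <stdlib.h>

/* Stand-ins for the kernel's container_of() and kref (not the kernel code). */
#define container_of(ptr, type, member) ((type *)((char *)(ptr) - offsetof(type, member)))
struct kref { atomic_int refcount; };
static void kref_init(struct kref *k) { atomic_store(&k->refcount, 1); }
static void kref_get(struct kref *k) { int old = atomic_fetch_add(&k->refcount, 1); assert(old > 0); }
static int kref_put(struct kref *k, void (*release)(struct kref *))
{
	int last = atomic_fetch_sub(&k->refcount, 1) == 1;
	if (last)
		release(k);
	return last;			/* 1 when this put dropped the last reference */
}

/* model_vm stands in for struct drm_gpuvm, model_va for struct drm_gpuva (hypothetical). */
struct model_vm;
struct model_vm_ops { void (*vm_free)(struct model_vm *vm); };
struct model_vm { struct kref kref; const struct model_vm_ops *ops; int n_mappings; };
struct model_va { struct model_vm *vm; unsigned long addr; };
/* Driver container embedding the generic object, the way nouveau_uvmm does. */
#define DRIVER_VM_MAGIC 0x564d4d55u	/* constructed marker used to check the memory is intact */
struct driver_vm { unsigned int magic; struct model_vm base; };
static int frees_observed;		/* test hook: how often vm_free() ran */

static void driver_vm_free(struct model_vm *vm)
{
	struct driver_vm *dvm = container_of(vm, struct driver_vm, base);
	frees_observed++;
	free(dvm);			/* frees the whole container, base included */
}
static const struct model_vm_ops driver_vm_ops = { .vm_free = driver_vm_free };

static void model_vm_release(struct kref *kref)
{
	struct model_vm *vm = container_of(kref, struct model_vm, kref);
	/* Mappings hold references, so a driver that forgets to unmap leaks, it does not UAF. */
	assert(vm->n_mappings == 0);
	vm->ops->vm_free(vm);
}
static struct model_vm *model_vm_get(struct model_vm *vm) { kref_get(&vm->kref); return vm; }
static int model_vm_put(struct model_vm *vm) { return vm ? kref_put(&vm->kref, model_vm_release) : 0; }

static struct driver_vm *driver_vm_create(void)
{
	struct driver_vm *dvm = calloc(1, sizeof(*dvm));
	if (!dvm)
		return NULL;
	dvm->magic = DRIVER_VM_MAGIC;
	dvm->base.ops = &driver_vm_ops;
	kref_init(&dvm->base.kref);	/* the driver's own reference */
	return dvm;
}

/* Every mapping takes a reference on its VM, as drm_gpuva_insert() does in the patch. */
static void model_va_insert(struct model_vm *vm, struct model_va *va, unsigned long addr)
{
	va->addr = addr;
	va->vm = model_vm_get(vm);
	vm->n_mappings++;
}
static void model_va_remove(struct model_va *va)
{
	struct model_vm *vm = va->vm;
	va->vm = NULL;
	vm->n_mappings--;
	model_vm_put(vm);		/* the last reference if the driver already dropped its own */
}

/* Scenario 1, the in-kernel self-test case: map, unmap, then put. Returns 1 if the
 * count was back at 1 before the driver's final put and that put freed the VM. */
static int scenario_clean_teardown(void)
{
	struct driver_vm *dvm = driver_vm_create();
	struct model_va a, b;
	assert(dvm);
	model_va_insert(&dvm->base, &a, 0x1000);
	model_va_insert(&dvm->base, &b, 0x2000);
	assert(atomic_load(&dvm->base.kref.refcount) == 3);	/* driver + 2 mappings */
	model_va_remove(&a);
	model_va_remove(&b);
	return atomic_load(&dvm->base.kref.refcount) == 1 && model_vm_put(&dvm->base);
}

/* Scenario 2: the driver puts its reference while a mapping is still live. Returns 1 if
 * the container survived that put intact and was freed exactly once by the last unmap. */
static int scenario_dangling_mapping(void)
{
	struct driver_vm *dvm = driver_vm_create();
	struct model_va a;
	int before = frees_observed;
	assert(dvm);
	model_va_insert(&dvm->base, &a, 0x3000);
	if (model_vm_put(&dvm->base))
		return -1;		/* must not free: the mapping still holds a reference */
	if (dvm->magic != DRIVER_VM_MAGIC || a.vm != &dvm->base)
		return -2;		/* without the mapping's reference this would be a UAF */
	model_va_remove(&a);		/* last reference: vm_free() runs here */
	return frees_observed - before == 1;
}
```

The two scenario functions are meant to be called from a small test driver of your own (`cc -std=c11 -Wall` is enough); leave `-DNDEBUG` off so the asserts that encode the invariants (count never incremented from zero, never released with mappings outstanding) stay active. Scenario 2 is the case the reply calls a driver bug: with the count, the premature put leaves the container allocated and `a.vm` valid until the mapping is removed, which is the leak-instead-of-UAF trade-off described above.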