> -----Original Message-----
> From: Chris Wilson <[email protected]>
> Sent: Thursday, June 14, 2018 8:22 AM
> To: Bloomfield, Jon <[email protected]>; intel-
> [email protected]
> Cc: Joonas Lahtinen <[email protected]>; Matthew Auld
> <[email protected]>
> Subject: RE: [PATCH 3/5] drm/i915: Prevent writing into a read-only object via
> a GGTT mmap
> 
> Quoting Bloomfield, Jon (2018-06-14 16:06:40)
> > > -----Original Message-----
> > > From: Chris Wilson <[email protected]>
> > > Sent: Thursday, June 14, 2018 8:00 AM
> > > To: Bloomfield, Jon <[email protected]>; intel-
> > > [email protected]
> > > Cc: Joonas Lahtinen <[email protected]>; Matthew Auld
> > > <[email protected]>
> > > Subject: RE: [PATCH 3/5] drm/i915: Prevent writing into a read-only object via
> > > a GGTT mmap
> > >
> > > Quoting Bloomfield, Jon (2018-06-14 15:53:13)
> > > > > -----Original Message-----
> > > > > From: Chris Wilson <[email protected]>
> > > > > Sent: Thursday, June 14, 2018 5:00 AM
> > > > > To: [email protected]
> > > > > Cc: Chris Wilson <[email protected]>; Bloomfield, Jon
> > > > > <[email protected]>; Joonas Lahtinen
> > > > > <[email protected]>; Matthew Auld
> > > > > <[email protected]>
> > > > > > Subject: [PATCH 3/5] drm/i915: Prevent writing into a read-only object via a
> > > > > > GGTT mmap
> > > > >
> > > > > > If the user has created a read-only object, they should not be allowed
> > > > > > to circumvent the write protection by using a GGTT mmapping. Deny it.
> > > > > >
> > > > > > Also most machines do not support read-only GGTT PTEs, so again we have
> > > > > > to reject attempted writes. Fortunately, this is known a priori, so we
> > > > > > can at least reject in the call to create the mmap with backup in the
> > > > > > fault handler. This is a little draconian as we could blatantly ignore
> > > > > > the write protection on the pages, but it is far simpler to keep the
> > > > > > readonly object pure. (It is easier to lift a restriction than to impose
> > > > > > it later!)
> > > > Are you sure this is necessary? I assumed you would just create a ro IA
> > > > mapping to the page, irrespective of the ability of ggtt.
> > >
> > > You are thinking of the CPU mmap? The GTT mmap offers a linear view of
> > > the tiled object. It would be very wrong for us to bypass the PROT_READ
> > > protection of a user page by accessing it via the GTT.
> > No, I was thinking of gtt mmap. That requires both GTT and IA PTE mappings
> > right? One to map the object into the GTT, and then a second to point the
> > IA at the aperture. Why wouldn't marking the IA mapping RO protect the
> > object if the GT cannot reach the GTT mapping (from user batches).
> 
> Hmm. I keep forgetting that we can get at the vma from mmap(), because
> that's hidden away elsewhere and only see i915_gem_fault() on a daily
> basis. Hmm, is it legal to read a PROT_READ-only vma if PROT_WRITE is
> requested, or are we meant to return -EINVAL?
> -Chris
That's a trickier question :-) My instinct is -EINVAL if the user specifies
PROT_WRITE, but allowed if they only specify PROT_READ, and ppgtt is enabled
(including aliased) so that userspace can't see the gtt mapping from the GT.
_______________________________________________
Intel-gfx mailing list
[email protected]
https://lists.freedesktop.org/mailman/listinfo/intel-gfx
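
For comparison with the question above of how a PROT_WRITE request against a read-only object should fail, this shows what the generic POSIX mmap() path does for a file descriptor opened O_RDONLY: the writable shared mapping is refused at mmap() time, and a later mprotect() upgrade is refused as the backup. It is an added example, not code from this thread or from i915; the scratch file and the function names are constructed for the illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed stand-in for a read-only object: a one-page scratch file
 * reopened O_RDONLY, so the descriptor itself carries no write access. */
static int open_readonly_object(void)
{
    char path[] = "/tmp/ro-object-XXXXXX"; /* constructed scratch path */
    char page[4096] = {0};
    int wfd = mkstemp(path), rfd = -1;
    if (wfd < 0) return -1;
    if (write(wfd, page, sizeof(page)) == (ssize_t)sizeof(page))
        rfd = open(path, O_RDONLY);
    close(wfd);
    unlink(path);
    return rfd;
}

/* Map the object MAP_SHARED with map_prot, then (if different) ask
 * mprotect() for upgrade_prot. Returns 0 on success, else the errno. */
int map_readonly_object(int map_prot, int upgrade_prot)
{
    int fd = open_readonly_object();
    if (fd < 0) return -1;
    void *p = mmap(NULL, 4096, map_prot, MAP_SHARED, fd, 0);
    int err = (p == MAP_FAILED) ? errno : 0;
    close(fd); /* a successful mapping holds its own file reference */
    if (p == MAP_FAILED) return err;
    if (upgrade_prot != map_prot && mprotect(p, 4096, upgrade_prot) != 0)
        err = errno;
    munmap(p, 4096);
    return err;
}

int main(void)
{
    int rw = PROT_READ | PROT_WRITE;
    printf("read-only map: %d\n", map_readonly_object(PROT_READ, PROT_READ));
    printf("writable map:  %d\n", map_readonly_object(rw, rw));
    printf("late upgrade:  %d (EACCES is %d)\n",
           map_readonly_object(PROT_READ, rw), EACCES);
    return 0;
}
```

The errno on this path is EACCES rather than EINVAL, and the read-only mapping itself is granted.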
