linux-mm.kvack.org archive mirror
 help / color / mirror / Atom feed
From: Lorenzo Stoakes <lstoakes@gmail.com>
To: Alistair Popple <apopple@nvidia.com>
Cc: "Yu, Fenghua" <fenghua.yu@intel.com>,
	Vinod Koul <vkoul@kernel.org>,
	"Jiang, Dave" <dave.jiang@intel.com>,
	"dmaengine@vger.kernel.org" <dmaengine@vger.kernel.org>,
	"Zhu, Tony" <tony.zhu@intel.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	"linux-mm@kvack.org" <linux-mm@kvack.org>,
	Christoph Hellwig <hch@infradead.org>,
	"Shankar, Ravi V" <ravi.v.shankar@intel.com>
Subject: Re: [PATCH 09/17] mm: export access_remote_vm() symbol
Date: Wed, 4 Jan 2023 19:56:35 +0000	[thread overview]
Message-ID: <Y7XZ8zY3KIRDlu/f@lucifer> (raw)
In-Reply-To: <87tu16rdea.fsf@nvidia.com>

On Wed, Jan 04, 2023 at 05:12:31PM +1100, Alistair Popple wrote:
> Obviously something must still be holding a mmgrab() though. That should
> happen as part of the PASID allocation done by iommu_sva_bind_device().

I'm not familiar with the iommu code, but a brief glance suggests that no
mmgrab() is being performed for intel devices? I may have missed something
though.

We do need to be absolutely sure the mm sticks around (hence the
grab) but if we need userland mappings that we have to have a subsequent
mmget_not_zero().

> >> I definitely don't feel as if simply exporting this is a safe option, and you would in
> >> that case need a new function that handles different scenarios of mm
> >> ownership/not.
>
> Note this isn't that different from get_user_pages_remote().

get_user_pages_remote() differs in that, most importantly, it requires the
mm_lock is held on invocation (implying that the mm will stick around), which is
not the case for access_remote_vm() (as __access_remote_vm() subsequently
obtains it), but also in that it pins pages but doesn't copy things to a buffer
(rather returning VMAs or struct page objects).

Also note the comment around get_user_pages_remote() saying nobody should be
using it due to lack of FAULT_FLAG_ALLOW_RETRY handling :) yes it feels like GUP
is a bit of a mess.

> In any case though iommu_sva_find() already takes care of doing
> mmget_not_zero(). I wonder if it makes more sense to define a wrapper
> (eg. iommu_access_pasid) that takes a PASID and does the mm
> lookup/access_vm/mmput?

My concern is exposing something highly delicate _which accesses remote mas a public API with implicit
assumptions whose one and only (core kernel) user treats with enormous
caution. Even if this iommu code were to use it correctly, we'd end up with an
interface which could be subject to real risks which other drivers may misuse.

Another question is - why can't we:-

1. mmgrab() [or safely assume we already have a reference] + mmget_not_zero()
2. acquire mm read lock to stop VMAs disappearing underneath us and pin pages with get_user_pages_remote()
3. copy what we need using e.g. copy_from_user()/copy_to_user()
4. unwind


  parent reply	other threads:[~2023-01-04 19:56 UTC|newest]

Thread overview: 20+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <20230103163505.1569356-1-fenghua.yu@intel.com>
2023-01-03 16:34 ` Fenghua Yu
2023-01-03 17:45   ` Lorenzo Stoakes
2023-01-03 17:50     ` Lorenzo Stoakes
2023-01-03 19:20       ` Yu, Fenghua
2023-01-03 20:13         ` Lorenzo Stoakes
2023-01-04  5:06           ` Yu, Fenghua
2023-01-04  6:12             ` Alistair Popple
2023-01-04 19:00               ` Yu, Fenghua
2023-01-04 20:00                 ` Lorenzo Stoakes
2023-01-04 19:56               ` Lorenzo Stoakes [this message]
2023-01-04 21:05                 ` Lorenzo Stoakes
2023-01-04 23:57                 ` Alistair Popple
2023-01-05  3:08                   ` Yu, Fenghua
2023-01-05  3:22                     ` Alistair Popple
2023-01-05 20:58                       ` Yu, Fenghua
2023-01-05 21:04                         ` Lorenzo Stoakes
2023-01-05  7:26                   ` Lorenzo Stoakes
2023-01-08 17:36     ` Christoph Hellwig
2023-03-01 23:39       ` Fenghua Yu
     [not found] <20230103162920.1569002-1-fenghua.yu@intel.com>
2023-01-03 16:29 ` Fenghua Yu

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=Y7XZ8zY3KIRDlu/f@lucifer \
    --to=lstoakes@gmail.com \
    --cc=akpm@linux-foundation.org \
    --cc=apopple@nvidia.com \
    --cc=dave.jiang@intel.com \
    --cc=dmaengine@vger.kernel.org \
    --cc=fenghua.yu@intel.com \
    --cc=hch@infradead.org \
    --cc=linux-mm@kvack.org \
    --cc=ravi.v.shankar@intel.com \
    --cc=tony.zhu@intel.com \
    --cc=vkoul@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox