From 78bde53e351bc89cff85d1c2c7e6d7c2ffdf120d Mon Sep 17 00:00:00 2001 From: Benjamin Herrenschmidt Date: Tue, 13 Feb 2007 11:46:06 +1100 Subject: [POWERPC] spufs: remove need for struct page for SPEs This patch removes the need for struct page for SPE local store and registers from spufs. It also makes the locking much more obvious and no longer relying on the truncate logic black magic for protecting against races between unmap_mapping_range() and new pages faulted in. It does so by switching to a nopfn() handler and using the new vm_insert_pfn() to setup the PTEs itself while holding a lock on the SPE. The nice thing is that this patch actually removes a lot more code than it adds :-) Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Paul Mackerras --- arch/powerpc/platforms/cell/spufs/file.c | 121 ++++++++++++++----------------- 1 file changed, 55 insertions(+), 66 deletions(-) (limited to 'arch/powerpc/platforms/cell/spufs/file.c') diff --git a/arch/powerpc/platforms/cell/spufs/file.c b/arch/powerpc/platforms/cell/spufs/file.c index af9e9455a70..7fb9a6dc4f1 100644 --- a/arch/powerpc/platforms/cell/spufs/file.c +++ b/arch/powerpc/platforms/cell/spufs/file.c @@ -95,14 +95,12 @@ spufs_mem_write(struct file *file, const char __user *buffer, return ret; } -static struct page * -spufs_mem_mmap_nopage(struct vm_area_struct *vma, - unsigned long address, int *type) +static unsigned long spufs_mem_mmap_nopfn(struct vm_area_struct *vma, + unsigned long address) { - struct page *page = NOPAGE_SIGBUS; - struct spu_context *ctx = vma->vm_file->private_data; - unsigned long offset = address - vma->vm_start; + unsigned long pfn, offset = address - vma->vm_start; + offset += vma->vm_pgoff << PAGE_SHIFT; spu_acquire(ctx); @@ -110,24 +108,22 @@ spufs_mem_mmap_nopage(struct vm_area_struct *vma, if (ctx->state == SPU_STATE_SAVED) { vma->vm_page_prot = __pgprot(pgprot_val(vma->vm_page_prot) & ~_PAGE_NO_CACHE); - page = vmalloc_to_page(ctx->csa.lscsa->ls + offset); + pfn = vmalloc_to_pfn(ctx->csa.lscsa->ls + offset); } else { vma->vm_page_prot = __pgprot(pgprot_val(vma->vm_page_prot) - | _PAGE_NO_CACHE); - page = pfn_to_page((ctx->spu->local_store_phys + offset) - >> PAGE_SHIFT); + | _PAGE_NO_CACHE); + pfn = (ctx->spu->local_store_phys + offset) >> PAGE_SHIFT; } - spu_release(ctx); + vm_insert_pfn(vma, address, pfn); - if (type) - *type = VM_FAULT_MINOR; + spu_release(ctx); - page_cache_get(page); - return page; + return NOPFN_REFAULT; } + static struct vm_operations_struct spufs_mem_mmap_vmops = { - .nopage = spufs_mem_mmap_nopage, + .nopfn = spufs_mem_mmap_nopfn, }; static int @@ -136,7 +132,7 @@ spufs_mem_mmap(struct file *file, struct vm_area_struct *vma) if (!(vma->vm_flags & VM_SHARED)) return -EINVAL; - vma->vm_flags |= VM_IO; + vma->vm_flags |= VM_IO | VM_PFNMAP; vma->vm_page_prot = __pgprot(pgprot_val(vma->vm_page_prot) | _PAGE_NO_CACHE); @@ -152,49 +148,42 @@ static const struct file_operations spufs_mem_fops = { .mmap = spufs_mem_mmap, }; -static struct page *spufs_ps_nopage(struct vm_area_struct *vma, +static unsigned long spufs_ps_nopfn(struct vm_area_struct *vma, unsigned long address, - int *type, unsigned long ps_offs, + unsigned long ps_offs, unsigned long ps_size) { - struct page *page = NOPAGE_SIGBUS; - int fault_type = VM_FAULT_SIGBUS; struct spu_context *ctx = vma->vm_file->private_data; - unsigned long offset = address - vma->vm_start; - unsigned long area; + unsigned long area, offset = address - vma->vm_start; int ret; offset += vma->vm_pgoff << PAGE_SHIFT; if (offset >= ps_size) - goto out; + return NOPFN_SIGBUS; + /* error here usually means a signal.. we might want to test + * the error code more precisely though + */ ret = spu_acquire_runnable(ctx); if (ret) - goto out; + return NOPFN_REFAULT; area = ctx->spu->problem_phys + ps_offs; - page = pfn_to_page((area + offset) >> PAGE_SHIFT); - fault_type = VM_FAULT_MINOR; - page_cache_get(page); - + vm_insert_pfn(vma, address, (area + offset) >> PAGE_SHIFT); spu_release(ctx); - out: - if (type) - *type = fault_type; - - return page; + return NOPFN_REFAULT; } #if SPUFS_MMAP_4K -static struct page *spufs_cntl_mmap_nopage(struct vm_area_struct *vma, - unsigned long address, int *type) +static unsigned long spufs_cntl_mmap_nopfn(struct vm_area_struct *vma, + unsigned long address) { - return spufs_ps_nopage(vma, address, type, 0x4000, 0x1000); + return spufs_ps_nopfn(vma, address, 0x4000, 0x1000); } static struct vm_operations_struct spufs_cntl_mmap_vmops = { - .nopage = spufs_cntl_mmap_nopage, + .nopfn = spufs_cntl_mmap_nopfn, }; /* @@ -205,7 +194,7 @@ static int spufs_cntl_mmap(struct file *file, struct vm_area_struct *vma) if (!(vma->vm_flags & VM_SHARED)) return -EINVAL; - vma->vm_flags |= VM_IO; + vma->vm_flags |= VM_IO | VM_PFNMAP; vma->vm_page_prot = __pgprot(pgprot_val(vma->vm_page_prot) | _PAGE_NO_CACHE | _PAGE_GUARDED); @@ -791,23 +780,23 @@ static ssize_t spufs_signal1_write(struct file *file, const char __user *buf, return 4; } -static struct page *spufs_signal1_mmap_nopage(struct vm_area_struct *vma, - unsigned long address, int *type) +static unsigned long spufs_signal1_mmap_nopfn(struct vm_area_struct *vma, + unsigned long address) { #if PAGE_SIZE == 0x1000 - return spufs_ps_nopage(vma, address, type, 0x14000, 0x1000); + return spufs_ps_nopfn(vma, address, 0x14000, 0x1000); #elif PAGE_SIZE == 0x10000 /* For 64k pages, both signal1 and signal2 can be used to mmap the whole * signal 1 and 2 area */ - return spufs_ps_nopage(vma, address, type, 0x10000, 0x10000); + return spufs_ps_nopfn(vma, address, 0x10000, 0x10000); #else #error unsupported page size #endif } static struct vm_operations_struct spufs_signal1_mmap_vmops = { - .nopage = spufs_signal1_mmap_nopage, + .nopfn = spufs_signal1_mmap_nopfn, }; static int spufs_signal1_mmap(struct file *file, struct vm_area_struct *vma) @@ -815,7 +804,7 @@ static int spufs_signal1_mmap(struct file *file, struct vm_area_struct *vma) if (!(vma->vm_flags & VM_SHARED)) return -EINVAL; - vma->vm_flags |= VM_IO; + vma->vm_flags |= VM_IO | VM_PFNMAP; vma->vm_page_prot = __pgprot(pgprot_val(vma->vm_page_prot) | _PAGE_NO_CACHE | _PAGE_GUARDED); @@ -899,23 +888,23 @@ static ssize_t spufs_signal2_write(struct file *file, const char __user *buf, } #if SPUFS_MMAP_4K -static struct page *spufs_signal2_mmap_nopage(struct vm_area_struct *vma, - unsigned long address, int *type) +static unsigned long spufs_signal2_mmap_nopfn(struct vm_area_struct *vma, + unsigned long address) { #if PAGE_SIZE == 0x1000 - return spufs_ps_nopage(vma, address, type, 0x1c000, 0x1000); + return spufs_ps_nopfn(vma, address, 0x1c000, 0x1000); #elif PAGE_SIZE == 0x10000 /* For 64k pages, both signal1 and signal2 can be used to mmap the whole * signal 1 and 2 area */ - return spufs_ps_nopage(vma, address, type, 0x10000, 0x10000); + return spufs_ps_nopfn(vma, address, 0x10000, 0x10000); #else #error unsupported page size #endif } static struct vm_operations_struct spufs_signal2_mmap_vmops = { - .nopage = spufs_signal2_mmap_nopage, + .nopfn = spufs_signal2_mmap_nopfn, }; static int spufs_signal2_mmap(struct file *file, struct vm_area_struct *vma) @@ -923,7 +912,7 @@ static int spufs_signal2_mmap(struct file *file, struct vm_area_struct *vma) if (!(vma->vm_flags & VM_SHARED)) return -EINVAL; - vma->vm_flags |= VM_IO; + vma->vm_flags |= VM_IO | VM_PFNMAP; vma->vm_page_prot = __pgprot(pgprot_val(vma->vm_page_prot) | _PAGE_NO_CACHE | _PAGE_GUARDED); @@ -1000,14 +989,14 @@ DEFINE_SIMPLE_ATTRIBUTE(spufs_signal2_type, spufs_signal2_type_get, spufs_signal2_type_set, "%llu"); #if SPUFS_MMAP_4K -static struct page *spufs_mss_mmap_nopage(struct vm_area_struct *vma, - unsigned long address, int *type) +static unsigned long spufs_mss_mmap_nopfn(struct vm_area_struct *vma, + unsigned long address) { - return spufs_ps_nopage(vma, address, type, 0x0000, 0x1000); + return spufs_ps_nopfn(vma, address, 0x0000, 0x1000); } static struct vm_operations_struct spufs_mss_mmap_vmops = { - .nopage = spufs_mss_mmap_nopage, + .nopfn = spufs_mss_mmap_nopfn, }; /* @@ -1018,7 +1007,7 @@ static int spufs_mss_mmap(struct file *file, struct vm_area_struct *vma) if (!(vma->vm_flags & VM_SHARED)) return -EINVAL; - vma->vm_flags |= VM_IO; + vma->vm_flags |= VM_IO | VM_PFNMAP; vma->vm_page_prot = __pgprot(pgprot_val(vma->vm_page_prot) | _PAGE_NO_CACHE | _PAGE_GUARDED); @@ -1042,14 +1031,14 @@ static const struct file_operations spufs_mss_fops = { .mmap = spufs_mss_mmap, }; -static struct page *spufs_psmap_mmap_nopage(struct vm_area_struct *vma, - unsigned long address, int *type) +static unsigned long spufs_psmap_mmap_nopfn(struct vm_area_struct *vma, + unsigned long address) { - return spufs_ps_nopage(vma, address, type, 0x0000, 0x20000); + return spufs_ps_nopfn(vma, address, 0x0000, 0x20000); } static struct vm_operations_struct spufs_psmap_mmap_vmops = { - .nopage = spufs_psmap_mmap_nopage, + .nopfn = spufs_psmap_mmap_nopfn, }; /* @@ -1060,7 +1049,7 @@ static int spufs_psmap_mmap(struct file *file, struct vm_area_struct *vma) if (!(vma->vm_flags & VM_SHARED)) return -EINVAL; - vma->vm_flags |= VM_IO; + vma->vm_flags |= VM_IO | VM_PFNMAP; vma->vm_page_prot = __pgprot(pgprot_val(vma->vm_page_prot) | _PAGE_NO_CACHE | _PAGE_GUARDED); @@ -1083,14 +1072,14 @@ static const struct file_operations spufs_psmap_fops = { #if SPUFS_MMAP_4K -static struct page *spufs_mfc_mmap_nopage(struct vm_area_struct *vma, - unsigned long address, int *type) +static unsigned long spufs_mfc_mmap_nopfn(struct vm_area_struct *vma, + unsigned long address) { - return spufs_ps_nopage(vma, address, type, 0x3000, 0x1000); + return spufs_ps_nopfn(vma, address, 0x3000, 0x1000); } static struct vm_operations_struct spufs_mfc_mmap_vmops = { - .nopage = spufs_mfc_mmap_nopage, + .nopfn = spufs_mfc_mmap_nopfn, }; /* @@ -1101,7 +1090,7 @@ static int spufs_mfc_mmap(struct file *file, struct vm_area_struct *vma) if (!(vma->vm_flags & VM_SHARED)) return -EINVAL; - vma->vm_flags |= VM_IO; + vma->vm_flags |= VM_IO | VM_PFNMAP; vma->vm_page_prot = __pgprot(pgprot_val(vma->vm_page_prot) | _PAGE_NO_CACHE | _PAGE_GUARDED); -- cgit v1.2.3 From 17e0e27020d028a790d97699aff85a43af5be472 Mon Sep 17 00:00:00 2001 From: Benjamin Herrenschmidt Date: Tue, 13 Feb 2007 11:46:08 +1100 Subject: [POWERPC] spufs: Fix bitrot of the SPU mmap facility It looks like we've had some serious bitrot there mostly due to tracking of address_space's of mmap'ed files getting out of sync with the actual mmap code. The mfc, mss and psmap were not tracked properly and thus not invalidated on context switches (oops !) I also removed the various file->f_mapping = inode->i_mapping; assignments that were done in the other open() routines since that is already done for us by __dentry_open. One improvement we might want to do later is to assign the various ctx-> fields at mmap time instead of file open/close time so that we don't call unmap_mapping_range() on thing that have not been mmap'ed Finally, I added some smp_wmb's after assigning the ctx-> fields to make sure they are visible to other CPUs. I don't think this is really necessary as I suspect locking in the fs layer will make that happen anyway but better safe than sorry. Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Paul Mackerras --- arch/powerpc/platforms/cell/spufs/file.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) (limited to 'arch/powerpc/platforms/cell/spufs/file.c') diff --git a/arch/powerpc/platforms/cell/spufs/file.c b/arch/powerpc/platforms/cell/spufs/file.c index 7fb9a6dc4f1..a528020baa1 100644 --- a/arch/powerpc/platforms/cell/spufs/file.c +++ b/arch/powerpc/platforms/cell/spufs/file.c @@ -45,8 +45,8 @@ spufs_mem_open(struct inode *inode, struct file *file) struct spufs_inode_info *i = SPUFS_I(inode); struct spu_context *ctx = i->i_ctx; file->private_data = ctx; - file->f_mapping = inode->i_mapping; ctx->local_store = inode->i_mapping; + smp_wmb(); return 0; } @@ -232,8 +232,8 @@ static int spufs_cntl_open(struct inode *inode, struct file *file) struct spu_context *ctx = i->i_ctx; file->private_data = ctx; - file->f_mapping = inode->i_mapping; ctx->cntl = inode->i_mapping; + smp_wmb(); return simple_attr_open(inode, file, spufs_cntl_get, spufs_cntl_set, "0x%08lx"); } @@ -717,8 +717,8 @@ static int spufs_signal1_open(struct inode *inode, struct file *file) struct spufs_inode_info *i = SPUFS_I(inode); struct spu_context *ctx = i->i_ctx; file->private_data = ctx; - file->f_mapping = inode->i_mapping; ctx->signal1 = inode->i_mapping; + smp_wmb(); return nonseekable_open(inode, file); } @@ -824,8 +824,8 @@ static int spufs_signal2_open(struct inode *inode, struct file *file) struct spufs_inode_info *i = SPUFS_I(inode); struct spu_context *ctx = i->i_ctx; file->private_data = ctx; - file->f_mapping = inode->i_mapping; ctx->signal2 = inode->i_mapping; + smp_wmb(); return nonseekable_open(inode, file); } @@ -1021,8 +1021,11 @@ static int spufs_mss_mmap(struct file *file, struct vm_area_struct *vma) static int spufs_mss_open(struct inode *inode, struct file *file) { struct spufs_inode_info *i = SPUFS_I(inode); + struct spu_context *ctx = i->i_ctx; file->private_data = i->i_ctx; + ctx->mss = inode->i_mapping; + smp_wmb(); return nonseekable_open(inode, file); } @@ -1060,8 +1063,11 @@ static int spufs_psmap_mmap(struct file *file, struct vm_area_struct *vma) static int spufs_psmap_open(struct inode *inode, struct file *file) { struct spufs_inode_info *i = SPUFS_I(inode); + struct spu_context *ctx = i->i_ctx; file->private_data = i->i_ctx; + ctx->psmap = inode->i_mapping; + smp_wmb(); return nonseekable_open(inode, file); } @@ -1114,6 +1120,8 @@ static int spufs_mfc_open(struct inode *inode, struct file *file) return -EBUSY; file->private_data = ctx; + ctx->mfc = inode->i_mapping; + smp_wmb(); return nonseekable_open(inode, file); } -- cgit v1.2.3 From 26bec67386dbf6ef887254e815398842e182cdcd Mon Sep 17 00:00:00 2001 From: Christoph Hellwig Date: Tue, 13 Feb 2007 21:54:24 +0100 Subject: [POWERPC] spufs: optimize spu_run There is no need to directly wake up contexts in spu_activate when called from spu_run, so add a flag to surpress this wakeup. Signed-off-by: Christoph Hellwig Signed-off-by: Arnd Bergmann --- arch/powerpc/platforms/cell/spufs/file.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'arch/powerpc/platforms/cell/spufs/file.c') diff --git a/arch/powerpc/platforms/cell/spufs/file.c b/arch/powerpc/platforms/cell/spufs/file.c index a528020baa1..c729813043a 100644 --- a/arch/powerpc/platforms/cell/spufs/file.c +++ b/arch/powerpc/platforms/cell/spufs/file.c @@ -164,7 +164,7 @@ static unsigned long spufs_ps_nopfn(struct vm_area_struct *vma, /* error here usually means a signal.. we might want to test * the error code more precisely though */ - ret = spu_acquire_runnable(ctx); + ret = spu_acquire_runnable(ctx, 0); if (ret) return NOPFN_REFAULT; @@ -1306,7 +1306,7 @@ static ssize_t spufs_mfc_write(struct file *file, const char __user *buffer, if (ret) goto out; - spu_acquire_runnable(ctx); + spu_acquire_runnable(ctx, 0); if (file->f_flags & O_NONBLOCK) { ret = ctx->ops->send_mfc_command(ctx, &cmd); } else { -- cgit v1.2.3 From 128b8546a83a9e37448bc126e1045dc1db291165 Mon Sep 17 00:00:00 2001 From: Masato Noguchi Date: Tue, 13 Feb 2007 21:54:30 +0100 Subject: [POWERPC] spufs: avoid accessing kernel memory through mmapped /mem node I found an exploit in current kernel. Currently, there is no range check about mmapping "/mem" node in spufs. Thus, an application can access privilege memory region. In case this kernel already worked on a public server, I send this information only here. If there are such servers in somewhere, please replace it, ASAP. Signed-off-by: Masato Noguchi Signed-off-by: Arnd Bergmann --- arch/powerpc/platforms/cell/spufs/file.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'arch/powerpc/platforms/cell/spufs/file.c') diff --git a/arch/powerpc/platforms/cell/spufs/file.c b/arch/powerpc/platforms/cell/spufs/file.c index c729813043a..b00653d69c0 100644 --- a/arch/powerpc/platforms/cell/spufs/file.c +++ b/arch/powerpc/platforms/cell/spufs/file.c @@ -103,6 +103,9 @@ static unsigned long spufs_mem_mmap_nopfn(struct vm_area_struct *vma, offset += vma->vm_pgoff << PAGE_SHIFT; + if (offset >= LS_SIZE) + return NOPFN_SIGBUS; + spu_acquire(ctx); if (ctx->state == SPU_STATE_SAVED) { -- cgit v1.2.3