Improve invalidation mechanism and harden security

[pakmarkthub]

Problems:

• Issue GPU buffer invalidation does not tear-down CPU mappings obtained via gdr_map() #54: GPU buffer invalidation does not tear-down CPU mappings obtained via gdr_map()
• Issue Support for fork #45: Support for fork
• Issue fd to /dev/gdrdrv should not be sharable with other processes #62: fd to /dev/gdrdrv should not be sharable with other processes
• Issue gdr_close does not unmap nor clean up internally alloced gdr_memh_t #65: gdr_close does not unmap nor clean up internally alloced gdr_memh_t
• gdr_mh_t.h is generated by random number and is used as mmap offset. Sometimes, the mapping range may overlap another already-mapped range -- imagine the first gdr_mh_t.h is 0x0000 and the map size is 0x0100, then the second gdr_mh_t.h is 0x0020. Although it rarely happens, this bug can lead to undesirable and hard-to-detect behaviors.

This change:

• fixes the bug that causes unmap_mapping_range to do nothing. We change the address passed to that API to vm_pgoff instead of vm_start.
• prevents copy of vma when fork. Hence, the child processes cannot access the parent's mappings anymore. This behavior aligns with CUDA since CUDA contexts are not transferred to the child processes.
• checks "struct pid *" to ensure that the caller is the same as the process that opens gdrdrv (calls to gdr_open). Hence, the use of opened gdrdrv fd is local to the creator process.
• separates the mapping address space between each process. Two processes map to different GPU memory even with the same mmap offset.
• makes the current gdr_mh_t.h sit next to the previous mapped range. It also guarantees that no two ranges will be overlapped due to the offsets.

Presubmit testings:

• gc04:
  • 4.15.0-50-generic GPU buffer invalidation does not tear-down CPU mappings obtained via gdr_map() #54-Ubuntu SMP Mon May 6 18:46:08 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
  • P100 GPU
  • Intel(R) Xeon(R) CPU E5-2687W v4 @ 3.00GHz

[pakmarkthub]

@Akshay-Venkatesh Can I ask you to review this PR as well? I would like to make sure that it does not break UCX.

[pakmarkthub]

@drossetti As discussed offline, unmap_mapping_range unmaps all mappings based on the specified file offset and range (see https://elixir.bootlin.com/linux/v4.15.18/source/mm/memory.c#L2811). If we have two mappings that have overlapped file-offset range, unmap_mapping_range will remove both of them.

An example undesirable situation:

• Do cuMemAlloc(&d_A, ...) and cuMemAlloc(&d_B, ...).
• Do gdr_pin_buffer for both d_A and d_B. The handle numbers returned from gdrdrv are very close. This situation rarely occurs but random_get_entropy() cannot guarantee that it will never occur.
• Do gdr_map(..., &bar_ptr_A, ...) on d_A, and gdr_map(..., &bar_ptr_B, ...) on d_B.
• Call cuMemFree(d_A).
• This API triggers call back from nvidia_p2p_get_pages to destroy the bar_ptr_A mapping.
• gdrdrv calls unmap_mapping_range with the offset based on handle_A.
• unmap_mapping_range removes bar_ptr_B mapping as well because the offset based on handle_B is between handle_A and handle_A + size_A, which is a bug.

[drossetti]

What about something like:
// the user-space library passes the memory handle as the mmap offset,
// and offsets are used to determine the VMAs to delete during invalidation.
// Hence, we need [handle,handle+size-1] to correspond to a unique VMA.
// Note that size here must match the original mmap size

[drossetti]

note that %px is not the same as 0x%p, check the kernel doc

[drossetti]

2019

[drossetti]

Why is srand() needed?
Also, I'm not sure srand(rand()) makes sense.

[pakmarkthub]

@drossetti Please review

[drossetti]

I don't like failing eagerly. It should fail when next handle is going to be used.

[pakmarkthub]

@drossetti Thank you. I have fixed the bug.

[drossetti]

Can we use this new test to have all sanity tests? in that case, can we rename it as sanity.cpp ?
Also drop test_ prefix as it does not match the other test names.
We can add a proper prefix during the make install phase.

[drossetti]

Are you really using subunit?
In case https://libcheck.github.io/check/doc/check_html/check_4.html#Subunit-Support shows you'd need to use:

srunner_run_all (sr, CK_SUBUNIT);

[pakmarkthub]

At least on Ubuntu 18.04 with libcheck installed from "apt install check", I cannot compile without "-lsubunit". This seems to be a dependency from libcheck.a itself. The error is as below:

g++ -O2 -I /usr/local/cuda/include -I gdrdrv/ -I /usr/local/cuda/include -D GDRAPI_ARCH=X86 -L /usr/local/cuda/lib64 -L /usr/local/cuda/lib -L /usr/lib64/nvidia -L /usr/lib/nvidia -L /usr/local/cuda/lib64   -o sanity sanity.o libgdrapi.so.1.2 -lcheck -lcudart -lcuda -lpthread -lrt
/usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/libcheck.a(check_log.o): In function `subunit_lfun':
(.text+0x5f4): undefined reference to `subunit_test_start'
(.text+0x6bf): undefined reference to `subunit_test_fail'
(.text+0x6d4): undefined reference to `subunit_test_pass'
(.text+0x6ef): undefined reference to `subunit_test_error'
collect2: error: ld returned 1 exit status

[drossetti]

shouldn't we use pkg-config to get the right libraries ?

[drossetti]

this sentence sounds weird. maybe you meant "and" instead of "of"

[drossetti]

can you move this comment one line above.
also drop "create mapping per opened file" and reword similar to:
"GPU driver does not support sharing GPU allocations at fork time. Hence here we track the process owning the driver fd and prevent other process to use it."
Here we store the current pid to prevent

[drossetti]

@pakmarkthub
is the comment in gdrapi.h copied below still true ?

// Note that altough BAR mappings of GPU memory are destroyed, user-space                                                                                                                                                                                                       
// mappings are not. So therefore user code is responsible of calling                                                                                                                                                                                                           
// gdr_unmap on all mappings before calling gdr_close.                                                                                                                                                                                                                          
int gdr_close(gdr_t g);

[pakmarkthub]

@drossetti Thanks Davide. This revision is ready for review.

[pakmarkthub]

@e-ago Could you also take a look? I want to make sure that this PR does not break what you are working on.

[pakmarkthub]

Please help reviewing this PR. It is one of the blockers for the automated test.

[drossetti]

shouldn't we use pkg-config to get the right libraries ?

[drossetti]

should we defer to the gdrdrv/ Makefile for cleanup there?

[drossetti]

'uniqued' should be 'unique'

[drossetti]

I suggest to simply drop support of kernel versions earlier than 2.6.9 here, mainly because the GPU driver has a more stringent requirement.

[drossetti]

This comment might have never been true, i.e. in case of error, the vma is destroyed and all partial mappings are automatically removed.
Still we should verify that.

[pakmarkthub]

Confirmed that if gdrdrv_mmap returns an error, Linux kernel will clean up any partial mappings for us. See https://elixir.bootlin.com/linux/latest/source/mm/mmap.c#L1788 for reference.

[drossetti]

rather than duplicating these type definitions here, I'd rather have a shared header file.

[drossetti]

this looks like stale code

[drossetti]

indentation problem

[pakmarkthub]

@drossetti Thank you for the comments. I have fixed the issues. Please re-review the PR.

[drossetti]

3 not strictly necessary but missing things:

• license header
• protection from multiple inclusions
• extern "C"

[drossetti]

The sanity test is a fairly large piece of code. Would it be possible to move that to a separate PR?
I would rename the current validation test in this PR.

Or at least fix the PR cover letter which still refers to "test_validation.cpp"

[pakmarkthub]

@drossetti As requested, I separated out the sanity test suite to PR #71. This PR now focuses on the invalidation issues only. Please re-review.

[drossetti]

LGTM
just a couple of nits, no need to rereview

[drossetti]

purely for style, I'd rather access mr->handle when it has a sane value only, i.e. when there are no errors so after list_add().

[drossetti]

'child' -> 'children'

[drossetti]

merged