Date: Tue, 21 Apr 2015 14:20:31 +0200
From: Michal Hocko
To: David Herrmann
Cc: One Thousand Gnomes, Andy Lutomirski, Greg Kroah-Hartman, Richard Weinberger, Linus Torvalds, Steven Rostedt, Jiri Kosina, Al Viro, Borislav Petkov, Andrew Morton, Arnd Bergmann, "Eric W. Biederman", Tom Gundersen, linux-kernel@vger.kernel.org, Daniel Mack, Djalal Harouni
Subject: Re: [GIT PULL] kdbus for 4.1-rc1
Message-ID: <20150421122031.GA32624@dhcp22.suse.cz>
References: <20150420205638.GA3015@kroah.com> <55356CC1.1040301@nod.at> <20150420214651.GA4215@kroah.com> <20150421103519.5b0de5ea@lxorguk.ukuu.org.uk>

On Tue 21-04-15 12:17:49, David Herrmann wrote:
> Hi
>
> On Tue, Apr 21, 2015 at 11:35 AM, One Thousand Gnomes wrote:
> >> On top of that, I think that someone into resource management needs to
> >> seriously consider whether having a broadcast send do get_user_pages
> >> or the equivalent on pages supplied by untrusted recipients (plural!)
> >> is a good idea.
> >
> > Oh but it's so much fun if you pass pages belonging to a device driver, or
> > pass bits of a GEM object thereby keeping entire graphics textures
> > referenced 8)
>
> We do not use GUP, nor do we pass around pinned pages. All we use is
> __vfs_read() / __vfs_write() on shmem. Whether generic_file_write() /
> copy_from_user() internally relies on GUP or not, is an orthogonal
> issue that does not belong here.

It kind of does AFAIU. If for nothing else then the memcg reasons mentioned
in another email (http://marc.info/?l=linux-kernel&m=142953380508188).

If an untrusted user is allowed to hand over a shmem backed buffer which
hasn't been charged yet (read faulted in) and then kdbus is forced to fault
it in a different user's context then you basically allow to hide memory
allocations from the memcg. That is a clear show stopper.

Or have I misunderstood the way how shmem buffers are used here?
--
Michal Hocko
SUSE Labs
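Added example, not code from this thread or from kdbus: a small Linux C program (assumes memfd_create, i.e. glibc 2.27 or newer) that shows the lazy allocation Michal is pointing at. The memfd is sized but untouched, so it has no backing pages; reading it hands back zeros without allocating anything; only the write path faults the pages in, and the kernel charges those pages to the memory cgroup of the task doing the write, not to the buffer's creator.

```c
#define _GNU_SOURCE
#include <unistd.h>
#include <sys/mman.h>
#include <sys/stat.h>

#define BUF_BYTES (4L << 20)  /* 4 MiB: constructed sample size */

/* Bytes actually backed by pages; st_blocks counts 512-byte units. */
long long shmem_allocated_bytes(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return -1;
    return (long long)st.st_blocks * 512;
}

/* Sized but never touched: the creator has allocated (and been charged for) no page yet. */
int make_untouched_shmem(void)
{
    int fd = memfd_create("shmem-demo", MFD_CLOEXEC);  /* name is arbitrary */
    if (fd >= 0 && ftruncate(fd, BUF_BYTES) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Reading a hole returns zeros without allocating a page, so the reader is charged nothing. */
long long read_whole(int fd)
{
    char chunk[1 << 16];
    long long total = 0;
    ssize_t n;
    while ((n = pread(fd, chunk, sizeof chunk, total)) > 0)
        total += n;
    return n < 0 ? -1 : total;
}

/* Writing is what faults the pages in: they are allocated in the writer's
 * context, which is where the memory cgroup charge lands. Returns bytes written. */
long long write_whole(int fd)
{
    static const char zeros[1 << 16];
    long long total = 0;
    ssize_t n;
    while (total < BUF_BYTES && (n = pwrite(fd, zeros, sizeof zeros, total)) > 0)
        total += n;
    return total;
}
```

Run it under a memory cgroup with a limit below BUF_BYTES in the writer's cgroup and the write, not the creation, is what hits the limit.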