Subject: Re: [Xen-devel] [PATCH 0/1] drm/xen-zcopy: Add Xen zero-copy helper DRM driver
From: Juergen Gross
To: Dongwon Kim, Oleksandr Andrushchenko
Cc: Wei Liu, Artem Mygaiev, konrad.wilk@oracle.com, airlied@linux.ie, linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org, "Potrola, MateuszX", daniel.vetter@intel.com, xen-devel@lists.xenproject.org, boris.ostrovsky@oracle.com, Roger Pau Monné, "Oleksandr_Andrushchenko@epam.com"
Date: Wed, 25 Apr 2018 08:12:08 +0200

On 24/04/18 22:35, Dongwon Kim wrote:
> Had a meeting with Daniel and talked about bringing out generic
> part of hyper-dmabuf to the userspace, which means we most likely
> reuse IOCTLs defined in xen-zcopy for our use-case if we follow
> his suggestion.
>
> So assuming we use these IOCTLs as they are,
> Several things I would like you to double-check..
>
> 1. returning gref as is to the user space is still unsafe because
> it is a constant, easy to guess and any process that hijacks it can easily
> exploit the buffer. So I am wondering if it's possible to keep
> dmabuf-to-gref or gref-to-dmabuf in kernel space and add other layers on top
> of those in actual IOCTLs to add some safety.. We introduced flink like
> hyper_dmabuf_id including random number but many say even that is still
> not safe.

grefs are usable by root only. When you have root access in dom0 you
can do evil things to all VMs even without using grants.

That is in no way different to root being able to control all other
processes on the system.

Juergen