Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp4030598ybl; Mon, 3 Feb 2020 11:10:49 -0800 (PST) X-Google-Smtp-Source: APXvYqzq9WKC9e1ZvOpNCiUWfMrfgZ3fA9/96k5U6fh+CMRy+YHtEV/yMzIUBwyeupm6huDMjlxl X-Received: by 2002:aca:f584:: with SMTP id t126mr387682oih.132.1580757048810; Mon, 03 Feb 2020 11:10:48 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1580757048; cv=none; d=google.com; s=arc-20160816; b=kLJ93nNQYA/vQRswYC4iX12Ml/bURakFWmemmp9nu2ofV+zZNaEeaP8BoocKlrY1ts sezafSKKVdUGixtCbiw9R6lFEHY4FcQLrJRQMrxy2Pg/Vp7/QFTjI+t198AQesCKC/am +Vq33AihGjz70G/kHUdCsRkUf3tdR6py2Ie2tEVemIyVxXpTYRDjy4jN4sbFPAIROTt0 B/TW1DZaULb4ilDcbAwF/wJgL2S0t00NRdFTE+6a68ZDQaVk4A5s3U5sMmndjPq5xdd9 ItcTmYuveM21f1Auh19KSqicO2yoNLjxg0yjJQBwmvcslKzspiHEofxTFXIz5heg6Mmf OqGg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :dkim-signature; bh=m5X7HEtnOnQXbN/sddNWpeOVFq9PT+3WrfrbyQzTz3g=; b=nnhdKFHYIPCGro6Lx/rI+EHuTmqlQowjXA7mYBQZSjCRQx3hc79uzZ1z8rUm9a3ILH TKEYnTYylAkXBHL/Z9nwbkHYFV3evVWrMjGQ92cYMBeIvfJVseKIU2PT/o3sZfSAedEr lUcCN9lNrVbwuVNvsOOBDEqU9Ux8IHCZhV8OC+A2HFi9oYRqiRh/xJ4YnxVEevOwmqc9 E9qEbnQ7IpvzSR2Swl3ixk1C5n2S/TD7go/pxsuB3gqj6rla9tNjB6od4boYLkoN2XZw s3aK/WU6jV8mKpCMqWPM9Chnv+BU1OSBwb8dB4Kbe3kY3Rdh0ySSW/hVGP9zfIDVWDlo T/eg== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@infradead.org header.s=bombadil.20170209 header.b="N95/11Ys"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id g5si9663250otn.232.2020.02.03.11.10.36; Mon, 03 Feb 2020 11:10:48 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@infradead.org header.s=bombadil.20170209 header.b="N95/11Ys"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728547AbgBCRll (ORCPT + 98 others); Mon, 3 Feb 2020 12:41:41 -0500 Received: from bombadil.infradead.org ([198.137.202.133]:49032 "EHLO bombadil.infradead.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726561AbgBCRll (ORCPT ); Mon, 3 Feb 2020 12:41:41 -0500 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=bombadil.20170209; h=In-Reply-To:Content-Type:MIME-Version :References:Message-ID:Subject:Cc:To:From:Date:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description; bh=m5X7HEtnOnQXbN/sddNWpeOVFq9PT+3WrfrbyQzTz3g=; b=N95/11YsOrwnHffWbeoB4BWA+u hqp995pRji8gqPPrZYbqJL5zhdfvxVSic0OOcMqULsBeX6tGPtfU3KtjW1tRTB6XpRs+HyEBNJzD4 8DBu76kx5P4mUsBN6q0OMKp9Hg9WEI1xxxkaNSLQ3936nEYmpAicjUQiBHztOgAoUV1rEuzlnXfIO jTnnMUjjtZbqJgcDBxZHgqP58s/4x1/ameMy2ZHWrRGmG5z7dBe2eKS0sB/OD2oPon2CmCEh3DeBx 9jRDnQwVxjGLB/f1Pg5JlX/gHdtK1CACCetBB7Q8XzvfBgg5HzV+bwT+rbaDYQK3/K43/9xHpN3kR bMEJTLcg==; Received: from hch by bombadil.infradead.org with local (Exim 4.92.3 #3 (Red Hat Linux)) id 1iyfj4-0002Pi-8T; Mon, 03 Feb 2020 17:41:34 +0000 Date: Mon, 3 Feb 2020 09:41:34 -0800 From: Christoph Hellwig To: Matthew Wilcox Cc: Jann Horn , Kees Cook , Christian Borntraeger , Christoph Hellwig , Christopher Lameter , Jiri Slaby , Julian Wiedmann , Ursula Braun , Alexander Viro , kernel list , David Windsor , Pekka Enberg , David Rientjes , Joonsoo Kim , Andrew Morton , Linux-MM , linux-xfs@vger.kernel.org, Linus Torvalds , Andy Lutomirski , "David S. Miller" , Laura Abbott , Mark Rutland , "Martin K. Petersen" , Paolo Bonzini , Dave Kleikamp , Jan Kara , Marc Zyngier , Matthew Garrett , linux-fsdevel , linux-arch , Network Development , Kernel Hardening , Vlastimil Babka , Michal Kubecek Subject: Re: [kernel-hardening] [PATCH 09/38] usercopy: Mark kmalloc caches as usercopy caches Message-ID: <20200203174134.GC30011@infradead.org> References: <202001281457.FA11CC313A@keescook> <6844ea47-8e0e-4fb7-d86f-68046995a749@de.ibm.com> <20200129170939.GA4277@infradead.org> <771c5511-c5ab-3dd1-d938-5dbc40396daa@de.ibm.com> <202001300945.7D465B5F5@keescook> <202002010952.ACDA7A81@keescook> <20200203074644.GD8731@bombadil.infradead.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20200203074644.GD8731@bombadil.infradead.org> X-SRS-Rewrite: SMTP reverse-path rewritten from by bombadil.infradead.org. See http://www.infradead.org/rpr.html Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sun, Feb 02, 2020 at 11:46:44PM -0800, Matthew Wilcox wrote: > > gives the hardware access to completely unrelated memory.) Instead, > > they get pages from the page allocator, and these pages may e.g. be > > allocated from the DMA, DMA32 or NORMAL zones depending on the > > restrictions imposed by hardware. So I think the usercopy restriction > > only affects a few oddball drivers (like this s390 stuff), which is > > why you're not seeing more bug reports caused by this. > > Getting pages from the page allocator is true for dma_alloc_coherent() > and friends. dma_alloc_coherent also has a few other memory sources than the page allocator.. > But it's not true for streaming DMA mappings (dma_map_*) > for which the memory usually comes from kmalloc(). If this is something > we want to fix (and I have an awful feeling we're going to regret it > if we say "no, we trust the hardware"), we're going to have to come up > with a new memory allocation API for these cases. Or bounce bugger the > memory for devices we don't trust. There aren't too many places that use slab allocations for streaming mappings, and then do usercopies into them. But I vaguely remember some usb code getting the annotations for that a while ago. But if you don't trust your hardware you will need to use IOMMUs and page aligned memory, or IOMMUs plus bounce buffering for the kmalloc allocations (we've recently grown code to do that for the intel-iommu driver, which needs to be lifted into the generic IOMMU code).