Received: by 2002:a25:c205:0:0:0:0:0 with SMTP id s5csp1594844ybf; Thu, 27 Feb 2020 14:10:45 -0800 (PST) X-Google-Smtp-Source: APXvYqzPkJQxs+wsIF0qUcv5t2KDA1VcUUAepWa91BBZffKWZL6j/aPPycQARPtc4Ay8AA6eZHo4 X-Received: by 2002:a9d:7851:: with SMTP id c17mr895199otm.58.1582841445288; Thu, 27 Feb 2020 14:10:45 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1582841445; cv=none; d=google.com; s=arc-20160816; b=SJGQT1EFwj6Dv+EVeP6iRx5n3k0ZZFR3fAnWS9EOKr2VZP92Jx9UZTpCy++Qw4GdPd cXROQ7oSm2HYfkc+T3fPt3eZY6VSoEm3OHTaVo4LqXyeEK2czmx0SogisPLp4hjMABgB vUdB75P4R3W/xqMoDkU8gWBlI2JnF6l3U1dd3n2cqtDsbhIaDqp56l1jlg7AuJsS2GQQ k5l3eKah+kurlEhPiT+Vn9h9LtNk1zlA1bGnjkxQrQ2OSCMoQrNfoprDI77eC1CVylaI xc6mtxugIUKto3Gxw7z8KQsdx1i/jlLVk/tSy/dYRAC5eaJ3Ijvl8r+kNj2u5Vqj85vl Q0hQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from:dkim-signature; bh=3gjhjVUPXNwQpqDYUVUeBbAw6akdfak24W+Lj13RneY=; b=fhoKYvg8g3Rwp6eYqkXs4OaZ87G6NkXl8N69ccZBuXjfPVQaUOBNpsh/9u5DISy5Ld w4O7dfi+LQ3sVNNunRbIRz3o5h8hEgOZt19celn1wafmzvVGemHb+9Ey3VNNx2gu1lSW yzXu4u7Duaq75A9piJjT3Mf3YQPDd04Vozv7K2GCA7KtgrJe4LLl/YH/Hid7JmP9LnsS 2jZrXhAH5mk5alkKpcSZATErUavjJ23LXJ6dnBQWnFYXRn+IuKR7931H5XSyTxFfXjip gBDlb5xa6mnFrks+TC7P22rnD1Pbin8Z+IkGtGZfcOHvFXR88T9naMwrJwsq+g+CkUWS gWhw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b="b4n5/D8O"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id j8si326870otr.161.2020.02.27.14.10.32; Thu, 27 Feb 2020 14:10:45 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b="b4n5/D8O"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729926AbgB0WJX (ORCPT + 99 others); Thu, 27 Feb 2020 17:09:23 -0500 Received: from us-smtp-delivery-1.mimecast.com ([207.211.31.120]:51794 "EHLO us-smtp-1.mimecast.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1726460AbgB0WJX (ORCPT ); Thu, 27 Feb 2020 17:09:23 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1582841361; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=3gjhjVUPXNwQpqDYUVUeBbAw6akdfak24W+Lj13RneY=; b=b4n5/D8O6/B5uhM3xZxjp6GSF88lfUI8BjwqzlVL23wZwv10spiYe8lipMW9Wr4rtuPBbE JZhJtdk1sHBT5mB3fQvaF7927ZzDowUh9vw74DYmd139JH6a3nnxpf0QxeCF1hohn1UKL7 oD/pyFcvw1g4I3gCFKcP5Q7uyKxtzqc= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-17-FADPfeCwPky93i4Zls6JDw-1; Thu, 27 Feb 2020 17:09:17 -0500 X-MC-Unique: FADPfeCwPky93i4Zls6JDw-1 Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.phx2.redhat.com [10.5.11.22]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 2F0BE1005512; Thu, 27 Feb 2020 22:09:16 +0000 (UTC) Received: from treble.redhat.com (ovpn-121-128.rdu2.redhat.com [10.10.121.128]) by smtp.corp.redhat.com (Postfix) with ESMTP id 5CDDA10001BD; Thu, 27 Feb 2020 22:09:15 +0000 (UTC) From: Josh Poimboeuf To: Chris Wilson Cc: linux-kernel@vger.kernel.org, Randy Dunlap , Peter Zijlstra , intel-gfx@lists.freedesktop.org Subject: [PATCH] drm/i915: Minimize uaccess exposure in i915_gem_execbuffer2_ioctl() Date: Thu, 27 Feb 2020 16:08:26 -0600 Message-Id: MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.84 on 10.5.11.22 Content-Transfer-Encoding: quoted-printable Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org With CONFIG_CC_OPTIMIZE_FOR_SIZE, objtool reports: drivers/gpu/drm/i915/gem/i915_gem_execbuffer.o: warning: objtool: i915_= gem_execbuffer2_ioctl()+0x5b7: call to gen8_canonical_addr() with UACCESS= enabled This means i915_gem_execbuffer2_ioctl() is calling gen8_canonical_addr() -- and indirectly, sign_extend64() -- from the user_access_begin/end critical region (i.e, with SMAP disabled). While it's probably harmless in this case, in general we like to avoid extra function calls in SMAP-disabled regions because it can open up inadvertent security holes. Fix it by moving the gen8_canonical_addr() conversion to a separate loop before user_access_begin() is called. Note that gen8_canonical_addr() is now called *before* masking off the PIN_OFFSET_MASK bits. That should be ok because it just does a sign extension and ignores the masked lower bits anyway. Reported-by: Randy Dunlap Signed-off-by: Josh Poimboeuf --- drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c b/drivers/gpu= /drm/i915/gem/i915_gem_execbuffer.c index d5a0f5ae4a8b..183cab13e028 100644 --- a/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c +++ b/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c @@ -2947,6 +2947,13 @@ i915_gem_execbuffer2_ioctl(struct drm_device *dev,= void *data, u64_to_user_ptr(args->buffers_ptr); unsigned int i; =20 + /* + * Do the call to gen8_canonical_addr() outside the + * uaccess-enabled region to minimize uaccess exposure. + */ + for (i =3D 0; i < args->buffer_count; i++) + exec2_list[i].offset =3D gen8_canonical_addr(exec2_list[i].offset); + /* Copy the new buffer offsets back to the user's exec list. */ /* * Note: count * sizeof(*user_exec_list) does not overflow, @@ -2962,9 +2969,7 @@ i915_gem_execbuffer2_ioctl(struct drm_device *dev, = void *data, if (!(exec2_list[i].offset & UPDATE)) continue; =20 - exec2_list[i].offset =3D - gen8_canonical_addr(exec2_list[i].offset & PIN_OFFSET_MASK); - unsafe_put_user(exec2_list[i].offset, + unsafe_put_user(exec2_list[i].offset & PIN_OFFSET_MASK, &user_exec_list[i].offset, end_user); } --=20 2.21.1