Received: by 2002:a25:c205:0:0:0:0:0 with SMTP id s5csp178351ybf; Thu, 27 Feb 2020 18:43:08 -0800 (PST) X-Google-Smtp-Source: APXvYqx1fa3nUaubtjm/S2wiCVshXCfrOOi+7XGrYyi1rna/NsOCnfeQCdjZwKnxe+mgA3Z7UNBc X-Received: by 2002:a9d:5e18:: with SMTP id d24mr1649211oti.155.1582857788526; Thu, 27 Feb 2020 18:43:08 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1582857788; cv=none; d=google.com; s=arc-20160816; b=rfc7T6HjpUgyh7jHfTvBCejUwzvz/hY1mSsjrhFyZrBF6WpsstJJpPu4PLPI7LvOrv Np2CaYa0Qpn+pSopynaDZQH44GKsOmEm4bCqv3oEoYzeZfbbD3JBaasClSUbQjLxRnUX YLrJHbgwe+byawn3cBdE6sGRT5q0RgJRvsgddT1MzloqWjdLUP4Rr+a4PDTqKw2LdhYb lgepDNcKt/MecXevUl5I3PLf+4dgg7s1bXe/qwc65JqKyW9jM5wXPl03ZGlWLYogrbic uPQgRlEE1nX+znf9uCcEE5vLj9Iv104ejh5dp1q86I9zQIvp9+oFckIO5QwLM9qnEWvV /8bA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:dkim-signature; bh=SVhRGz+3DcDzU1Ha2pvts5FzZy/+QHF1f/pR5Dd8W6Y=; b=yK38iSN2QwSZO8tlJGgjrAWF7Qf1x1fBwbeRzseffTFSaRIRejIYkpXlaga/Xrkqdp K7nGYCcz2O/RhdVrzrQFfww21UpdrUw0XOI9NKW3N7fBTZhUnguZChw1FeFcJQ80Pj/5 WjAWTZudIv03n7g6W7GOS8FPz+ze/0WE0fsQPxMUgarwsI4g5jjYfxHrepiP5e63Lups dssTpnmJnQ9QFYY1Sm1WCqT1jz5kN7L6VreMxBIWZxUUgPSG0HAVOGR32pUipMSu+kQJ Znc2+nrVlEjeXwyvtlww83A6zNb20Dt3keT8PkEZ/JHCE2yFvR2dDDzdeVjcuo5JR1ns VRTA== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@infradead.org header.s=bombadil.20170209 header.b=Vb8DhHmu; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id k19si663338otr.52.2020.02.27.18.42.56; Thu, 27 Feb 2020 18:43:08 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@infradead.org header.s=bombadil.20170209 header.b=Vb8DhHmu; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730569AbgB1CmH (ORCPT + 99 others); Thu, 27 Feb 2020 21:42:07 -0500 Received: from bombadil.infradead.org ([198.137.202.133]:49346 "EHLO bombadil.infradead.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726943AbgB1CmH (ORCPT ); Thu, 27 Feb 2020 21:42:07 -0500 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=bombadil.20170209; h=Content-Transfer-Encoding: Content-Type:In-Reply-To:MIME-Version:Date:Message-ID:From:References:Cc:To: Subject:Sender:Reply-To:Content-ID:Content-Description; bh=SVhRGz+3DcDzU1Ha2pvts5FzZy/+QHF1f/pR5Dd8W6Y=; b=Vb8DhHmuasRPL6xCh0EdgruJoj X1N+IjaB+8sXL8W5x9dSEFL93d76zfrZJqQCZ1UEdlxo9dWc0/DDLEe8Y07eQiWUG9iaqURsmgC6M zjUgmoqniXoTLc11IAULjTXdS5QapV4qKdlI4ey+phs3zLLu+e36G49+pYT99qDKGKJXB6Lcg6OV6 dZdPZCysI7RyLwzsSehAlB5drPVciWwEmurONouiOzgfMx6wc4FTgwG/H0iXqqofnWU1Tg3Ylbato euVM1xICRkV0WHk0HJZpgNiWmLcW1yLm43r8+Jb8k9X5B4Ll9fX99PtWYiCpMiCOQHOngTFDI2Lxm rnzfmFGw==; Received: from [2601:1c0:6280:3f0::19c2] by bombadil.infradead.org with esmtpsa (Exim 4.92.3 #3 (Red Hat Linux)) id 1j7VbH-0000TZ-Gl; Fri, 28 Feb 2020 02:42:03 +0000 Subject: Re: [PATCH] drm/i915: Minimize uaccess exposure in i915_gem_execbuffer2_ioctl() To: Josh Poimboeuf , Al Viro Cc: Chris Wilson , linux-kernel@vger.kernel.org, Peter Zijlstra , intel-gfx@lists.freedesktop.org References: <20200227223542.GE23230@ZenIV.linux.org.uk> <20200228010342.3j3awgvvgvitif7z@treble> From: Randy Dunlap Message-ID: Date: Thu, 27 Feb 2020 18:42:02 -0800 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.5.0 MIME-Version: 1.0 In-Reply-To: <20200228010342.3j3awgvvgvitif7z@treble> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2/27/20 5:03 PM, Josh Poimboeuf wrote: > On Thu, Feb 27, 2020 at 10:35:42PM +0000, Al Viro wrote: >> On Thu, Feb 27, 2020 at 04:08:26PM -0600, Josh Poimboeuf wrote: >>> With CONFIG_CC_OPTIMIZE_FOR_SIZE, objtool reports: >>> >>> drivers/gpu/drm/i915/gem/i915_gem_execbuffer.o: warning: objtool: i915_gem_execbuffer2_ioctl()+0x5b7: call to gen8_canonical_addr() with UACCESS enabled >>> >>> This means i915_gem_execbuffer2_ioctl() is calling gen8_canonical_addr() >>> -- and indirectly, sign_extend64() -- from the user_access_begin/end >>> critical region (i.e, with SMAP disabled). >>> >>> While it's probably harmless in this case, in general we like to avoid >>> extra function calls in SMAP-disabled regions because it can open up >>> inadvertent security holes. >>> >>> Fix it by moving the gen8_canonical_addr() conversion to a separate loop >>> before user_access_begin() is called. >>> >>> Note that gen8_canonical_addr() is now called *before* masking off the >>> PIN_OFFSET_MASK bits. That should be ok because it just does a sign >>> extension and ignores the masked lower bits anyway. >> >> How painful would it be to inline the damn thing? >> >> static inline u64 gen8_canonical_addr(u64 address) >> { >> return sign_extend64(address, GEN8_HIGH_ADDRESS_BIT); >> } >> static inline __s64 sign_extend64(__u64 value, int index) >> { >> __u8 shift = 63 - index; >> return (__s64)(value << shift) >> shift; >> } >> >> What the hell? Josh, what kind of .config do you have that these are >> _not_ inlined? > > I think this was seen with CONFIG_CC_OPTIMIZE_FOR_SIZE, which tends to so the commit message correctly says. > ignore inline. > >> And why not mark gen8_canonical_addr() __always_inline? > > Right, marking those two functions as __always_inline is the other > option. The problem is, if you keep doing it, eventually you end up > with __always_inline-itis spreading all over the place. And it affects > all the other callers, at least in the CONFIG_CC_OPTIMIZE_FOR_SIZE case. > At least this fix is localized. > > But I agree my patch isn't ideal either. fwiw, Acked-by: Randy Dunlap # build-tested thanks. -- ~Randy