Received: by 2002:a25:e74b:0:0:0:0:0 with SMTP id e72csp2233122ybh; Fri, 24 Jul 2020 07:44:04 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxo4C3OFOnGmEUrCvFd4KieVmVVF0IbOfP9F9HYlXqfZKA8YBgPm4GHWGeCPObeeuv3PQb8 X-Received: by 2002:aa7:d9c4:: with SMTP id v4mr3689014eds.372.1595601844706; Fri, 24 Jul 2020 07:44:04 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1595601844; cv=none; d=google.com; s=arc-20160816; b=kEJROymrOqmzBRamP8cMdTeaPMjn/9V4m8DaEDjSBAacAyJDsoc8RavYKolHuMsTyS 3Z3UQBXpMuFKMK/pebxYxm7sb9MAsiDU0l78zp7mZEviBDdzaircPhd+wsefcO88D9Cw jqzphw4xengfFH9hyJCBsPFyCF+wb3RZy+l4bVHKtkLQp7H2vKFt2ADsFC3h2IY2m8QS M/VxDknZtI1UKWTFjsum+MPXHJ8vQlkBiW+/34+WfHtkCVnx6kGdyVm0V5lBAw0gYg9e +J5LotnxldCr5Be00NvlbHxVZFGeSKJnTyFn/J4Z5B/bFMzmudszPQQho6wXtn/gtFgT +w+Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=9E66nUvcODIIIOq5t+2qbeVH/MSVvQN11l9oNW6GhyI=; b=VkiJoSgEvkQv46v79frxqnxVDyCR26eSwluWKKli5kHofXUTUPlgl8m0Xp8H+0eEul RieoLJp6AmBvbdl15N+n+mbpvADSwL3OLOPBaEiASDgQCjjmDkVomhL4xm2KwFvpEVHF WqtUuTD4eVd3TWrh2Ov5Durg3VQRIh/BAUxGFrYOARj1ycYo3TeidYHKTZ2yNBw+O8BZ Mb8i1OsByQjMnuvxlhSFavbw++DTbAXXjTd9WWza9wSAri91o1Cnmx3gV8OtDIjIxqYA FcHiBkre9skLdZaBLOou+L/E/4PdubltXFoUJysG5A296Mjd7AAxSg1Z9koxq24D6SkR ssnw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=vyzeWhfz; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id dc14si608176edb.240.2020.07.24.07.43.42; Fri, 24 Jul 2020 07:44:04 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=vyzeWhfz; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726567AbgGXOlZ (ORCPT + 99 others); Fri, 24 Jul 2020 10:41:25 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48814 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726424AbgGXOlY (ORCPT ); Fri, 24 Jul 2020 10:41:24 -0400 Received: from mail-io1-xd42.google.com (mail-io1-xd42.google.com [IPv6:2607:f8b0:4864:20::d42]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C9833C0619E5 for ; Fri, 24 Jul 2020 07:41:24 -0700 (PDT) Received: by mail-io1-xd42.google.com with SMTP id d18so10042057ion.0 for ; Fri, 24 Jul 2020 07:41:24 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=9E66nUvcODIIIOq5t+2qbeVH/MSVvQN11l9oNW6GhyI=; b=vyzeWhfzUBv+3aCDt4bAbkZMDVC7ooJXOhKnolfXtu9A3d40lBkGooDb91bIunTCM4 JhOzmmvBtL2Xz7JyAwEraF9uTjtY3wRYHxwIqE4gz8WQPxsaMaCXm12OwNRghR7xDBho vaHCMyrYn81hU9KBurVxoZOQgu1Kj2LXvbkrAUPo+aaliJPrSCFcESce3TkrEU0tyzV4 9qIlhXFbZkyNo7yUsDaqowQQrrDfOwNx3smuImtKSzHEFHB1VgLf3BvyFmDQCioY+YKZ 9rNBWCGP3SdRjIaEZGWo+VO6ljJKWzf0P4/9cqtBKzW2bJzvJBM26RwR6PjiwvuKQerz eKnA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=9E66nUvcODIIIOq5t+2qbeVH/MSVvQN11l9oNW6GhyI=; b=Q6712naKXqDD5wlsoz9ntnuJavj6wkIskOhjwIjydU5MBz5oz64/OKfrtWYkLQ00hV kcsJTYuPmJcZSNVRbuvS/U8BWAad2VkgGzujaPIIFn9qfJi/Rok92ApBJFh2PM5KwFcm 4x9GMTmg5pOK4qg/sF9gj2+QKq1VqvOBVN608/Stsp40Rn84TYHIXPMjqoxMTM6BGqz7 pycseJohK8AZ/GYWf2SfmzIT2orMSHZpl9xxjQdTHedARRgyW8z3sjTjbyPgGDfQSclb 4IzJ+7jTxJ+lginxDrPGa0aJuYMDCEq0NhJshFmdirBWiWvKjw4J721cJ/jrs+fZFE0H lfVg== X-Gm-Message-State: AOAM531xuZdSJXsreXE5qV61s6bdAi/T0kH+DLM+Kmkq8YbeFDtSAcBl O+/zrmEfmpOF/pnU5XU4dmmq/uUH/0A5TiVdgy3G4Q== X-Received: by 2002:a5d:97d1:: with SMTP id k17mr10702728ios.100.1595601683730; Fri, 24 Jul 2020 07:41:23 -0700 (PDT) MIME-Version: 1.0 References: <20200423002632.224776-1-dancol@google.com> <20200724094505-mutt-send-email-mst@kernel.org> In-Reply-To: <20200724094505-mutt-send-email-mst@kernel.org> From: Lokesh Gidra Date: Fri, 24 Jul 2020 07:41:12 -0700 Message-ID: Subject: Re: [PATCH 0/2] Control over userfaultfd kernel-fault handling To: "Michael S. Tsirkin" , kernel@android.com Cc: Jonathan Corbet , Alexander Viro , Luis Chamberlain , Kees Cook , Iurii Zaikin , Mauro Carvalho Chehab , Andrew Morton , Andy Shevchenko , Vlastimil Babka , Mel Gorman , Sebastian Andrzej Siewior , Peter Xu , Andrea Arcangeli , Mike Rapoport , Jerome Glisse , Shaohua Li , linux-doc@vger.kernel.org, linux-kernel , Linux FS Devel , Tim Murray , Minchan Kim , Sandeep Patil , Nick Kralevich , Jeffrey Vander Stoep , Daniel Colascione Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Jul 24, 2020 at 7:01 AM Michael S. Tsirkin wrote: > > On Wed, Apr 22, 2020 at 05:26:30PM -0700, Daniel Colascione wrote: > > This small patch series adds a new flag to userfaultfd(2) that allows > > callers to give up the ability to handle user-mode faults with the > > resulting UFFD file object. In then add a new sysctl to require > > unprivileged callers to use this new flag. > > > > The purpose of this new interface is to decrease the change of an > > unprivileged userfaultfd user taking advantage of userfaultfd to > > enhance security vulnerabilities by lengthening the race window in > > kernel code. > > There are other ways to lengthen the race window, such as madvise > MADV_DONTNEED, mmap of fuse files ... > Could the patchset commit log include some discussion about > why these are not the concern please? > > Multiple subsystems including vhost have come to rely on > copy from/to user behaving identically to userspace access. > > Could the patchset please include discussion on what effect blocking > these will have? E.g. I guess Android doesn't use vhost right now. > Will it want to do it to run VMs in 2021? > > Thanks! > > > This patch series is split from [1]. > > > > [1] https://lore.kernel.org/lkml/20200211225547.235083-1-dancol@google.com/ > > So in that series, Kees said: > https://lore.kernel.org/lkml/202002112332.BE71455@keescook/#t > > What is the threat being solved? (I understand the threat, but detailing > it in the commit log is important for people who don't know it.) > Adding Android security folks, Nick and Jeff, to answer. > Could you pls do that? > > > Daniel Colascione (2): > > Add UFFD_USER_MODE_ONLY > > Add a new sysctl knob: unprivileged_userfaultfd_user_mode_only > > > > Documentation/admin-guide/sysctl/vm.rst | 13 +++++++++++++ > > fs/userfaultfd.c | 18 ++++++++++++++++-- > > include/linux/userfaultfd_k.h | 1 + > > include/uapi/linux/userfaultfd.h | 9 +++++++++ > > kernel/sysctl.c | 9 +++++++++ > > 5 files changed, 48 insertions(+), 2 deletions(-) > > > > -- > > 2.26.2.303.gf8c07b1a785-goog > > >