Date: Mon, 10 May 2021 10:50:31 -0300
From: Jason Gunthorpe
To: Linus Torvalds
Cc: Daniel Vetter, Tomasz Figa, Marek Szyprowski, Mauro Carvalho Chehab,
    DRI Development, LKML, Linux-MM, Linux ARM, Linux Media Mailing List,
    linux-samsung-soc@vger.kernel.org
Subject: Re: [PULL] topic/iomem-mmap-vs-gup
Message-ID: <20210510135031.GF2047089@ziepe.ca>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sat, May 08, 2021 at 09:46:41AM -0700, Linus Torvalds wrote:
> I think follow_pfn() is ok for the actual "this is not a 'struct page'
> backed area", and disabling that case is wrong even going forward.

Every place we've audited using follow_pfn() has been shown to have some
use-after-free bugs like Daniel describes, and a failure to check
permissions bug too.

All the other follow_pfn() users were moved to follow_pte() to fix the
permissions check and this shifts the use-after-free bug away from being
inside an MM API and into the caller mis-using the API by, say,
extracting and using the PFN outside the pte lock. e.g. look at how VFIO
wrongly uses follow_pte():

  static int follow_fault_pfn()
  {
      ret = follow_pte(vma->vm_mm, vaddr, &ptep, &ptl);
      *pfn = pte_pfn(*ptep);
      pte_unmap_unlock(ptep, ptl);
      // no protection that pte_pfn() is still valid!
      use_pfn(*pfn);
  }

v4l is the only user that still has the missing permissions check
security bug too - so there is no outcome that should keep follow_pfn()
in the tree.

At worst v4l should change to follow_pte() and use it wrongly like VFIO.
At best we should delete all the v4l stuff.

Daniel, I suppose we missed this relation to follow_pte(), so I agree
that keeping an unsafe_follow_pfn() around is not good.

Regards,
Jason
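A small C model of the lock-scope problem described in the mail, added here as an illustration; it is not code from the mail, from VFIO or from the kernel. struct pte_model, model_remap, racy_extract_pfn, access_under_pte_lock and record_pfn are constructed names, the pte spinlock is stood in for by a depth counter, and the racing unmap is driven sequentially instead of from a second thread.

```c
#include <stdbool.h>
#include <stdint.h>
/* Constructed stand-in for a pte guarded by the pte lock (not kernel code). */
struct pte_model {
    uint64_t pfn;     /* frame the mapping currently points at */
    bool present, writable;
    int lock_depth;   /* models the pte spinlock: >0 means held */
};

static void pte_lock(struct pte_model *p)   { p->lock_depth++; }
static void pte_unlock(struct pte_model *p) { p->lock_depth--; }

/* Another task remapping the VA: it needs the pte lock, so the change
 * only lands while nobody else holds it. */
bool model_remap(struct pte_model *p, uint64_t new_pfn)
{
    if (p->lock_depth > 0)
        return false;
    p->pfn = new_pfn;
    return true;
}

/* The VFIO-style pattern from the mail: copy the PFN, drop the lock, use
 * it later. Nothing ties the returned PFN to the mapping any more. */
uint64_t racy_extract_pfn(struct pte_model *p)
{
    pte_lock(p);
    uint64_t pfn = p->pfn;
    pte_unlock(p);
    return pfn;
}

/* Safer shape: check permissions and do the work under the lock, via a
 * callback, so the PFN never leaves the locked region. Returns 0, or -1
 * if the pte is absent or lacks the requested write permission. */
int access_under_pte_lock(struct pte_model *p, bool want_write,
                          void (*use)(uint64_t pfn, void *arg), void *arg)
{
    pte_lock(p);
    if (!p->present || (want_write && !p->writable)) {
        pte_unlock(p);
        return -1;
    }
    use(p->pfn, arg);   /* model_remap() cannot change p->pfn here */
    pte_unlock(p);
    return 0;
}

/* Callback recording which PFN the locked accessor handed out. */
void record_pfn(uint64_t pfn, void *arg) { *(uint64_t *)arg = pfn; }
```

Call racy_extract_pfn(), then model_remap(), and the copied PFN no longer matches p->pfn; the same remap is refused while access_under_pte_lock() runs its callback, because lock_depth is nonzero.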