Received: by 2002:a05:6520:4211:b029:f4:110d:56bc with SMTP id o17csp3134202lkv; Mon, 10 May 2021 08:24:47 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzDag04D5C6B9RzGWXBcGyWaJUMQgP5B1moE9O3fWDh6/dGG8sb4cgpzR256BYgfpLfbCmI X-Received: by 2002:a92:c7a1:: with SMTP id f1mr21703055ilk.33.1620660287285; Mon, 10 May 2021 08:24:47 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1620660287; cv=none; d=google.com; s=arc-20160816; b=xSTICx2k1eVQ2DyHscOyqo82BCZG94EwfjIHg6+PeJlXpbWNXh4ldHXLX9LYszsJPR nIWsTW012MnXXzyYNeBrDwB99evSUH/NXxa96wK48HpIfP9IqG/C2uNqm9Nysm1gVURD IAGNXrvllY+PXRYWp3Hk8c0GtHG/8U8AkqRFErP3butDEtj0XvR0mtwVNJ1/cqRilC3L kP0zToe/N1V0qbvxPLd/g2qcr7SVG7syGLiF4z406wJXZ+GprsrRqIrCnmpFi8gDdTpg M6lQOFKSaUc3y4f4pHeZhFMcWGrUdJxwuIj0ilq6+1UzWyVODskXSPIA4HxQhzgI4Yx3 rxTg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=AS9nf1QYyUIyVs6RoQO80MpiosKSnnivAT6Yx1y7KWk=; b=Xoufi2r89qtqpmGjl7IUkv93ifUE2H9Q8pPOg1/sND6+5195pgOrz7X8MwvsqgMneV Kf9MmR7VJLdP/WktqC798FOBtBRP6QoPYLMWzpDAxQKngTyLqHFbgm5YcRMiOy7ObdcG vvYTwywDx1FRpG5ntNPXgxpcLuH4a9cqFQJsvss3ozZ5u6HndoZMP4QXp9QdJzaCDw5j aedp8vlBMFNz4aHs5qqmBbXN9C117H3jh28o3DVkGAao+IHZHP8+umuwNSAI53EI0bsf YP2SdqxUf3iSphGT6e6TKInqtgHpiEUh6S5HZGUBx4uPZtf4XN/ec2R0sz01x+7AYIIc piPg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@ffwll.ch header.s=google header.b="hmsr1/zR"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id e196si16848138jac.30.2021.05.10.08.24.34; Mon, 10 May 2021 08:24:47 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@ffwll.ch header.s=google header.b="hmsr1/zR"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236541AbhEJPXk (ORCPT + 99 others); Mon, 10 May 2021 11:23:40 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46698 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234967AbhEJPXX (ORCPT ); Mon, 10 May 2021 11:23:23 -0400 Received: from mail-oi1-x231.google.com (mail-oi1-x231.google.com [IPv6:2607:f8b0:4864:20::231]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 03AB0C046854 for ; Mon, 10 May 2021 07:55:51 -0700 (PDT) Received: by mail-oi1-x231.google.com with SMTP id z3so14804005oib.5 for ; Mon, 10 May 2021 07:55:50 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ffwll.ch; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=AS9nf1QYyUIyVs6RoQO80MpiosKSnnivAT6Yx1y7KWk=; b=hmsr1/zRUNvK9mnHaZO5y60A+AHPfdNmIzBpb36meUCTFqPyF8BCSJoWzz+dwjMUBf sOjdtYrpYb+U2KZI8AgQCSNXM2B/sYEWnAXVW22VgufrTpS6Oub6U+k8pKNHLR9od9pY 2JvWfGFLyMOvQgqNRMzpvCJTe8mmXm86mDSsk= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=AS9nf1QYyUIyVs6RoQO80MpiosKSnnivAT6Yx1y7KWk=; b=irBF/uD0wkt+qPFt86gmBSHIjRuL4BYDdH+bZphvLLeZ2T3xtxXNZ7fWSolDkXTfKH u7mvy9ebaP1yHfTnVzPUcGopLIMvHpgh5pso6QRWV8vPsmf0dulyzzDXMAA2RIZxNHuO K/2dX/TPqLC2EFbUt8710bLOQ0uX05JU3EEbDDFmYS75ogElw4IeBv2DAKYFuj5/g0jR 5M3q2dcErM5nGA9tXWXhzH4phoWME8JKgJQufK82CSlO1IBi+AqhGgt7kGvCac9Q30Iq kCxpjRSIrHjgxB8HXP5BtASoDsyAtdZG9iYVHqWL+5VE4ALr52IOHzkW2BgHnLHk379f ttsQ== X-Gm-Message-State: AOAM532SRM6B/sS6pEPrHzIiySJDIN0M7BFQPZWEF2RDLdTXTyZcAmgH QBYe07+J7EDeXyfNVoNzC0nJ7Gh3fc+s5y18p3H0Pw== X-Received: by 2002:aca:df87:: with SMTP id w129mr18413978oig.128.1620658550366; Mon, 10 May 2021 07:55:50 -0700 (PDT) MIME-Version: 1.0 References: <20210510135031.GF2047089@ziepe.ca> In-Reply-To: <20210510135031.GF2047089@ziepe.ca> From: Daniel Vetter Date: Mon, 10 May 2021 16:55:39 +0200 Message-ID: Subject: Re: [PULL] topic/iomem-mmap-vs-gup To: Jason Gunthorpe Cc: Linus Torvalds , Tomasz Figa , Marek Szyprowski , Mauro Carvalho Chehab , DRI Development , LKML , Linux-MM , Linux ARM , Linux Media Mailing List , linux-samsung-soc Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, May 10, 2021 at 3:50 PM Jason Gunthorpe wrote: > > On Sat, May 08, 2021 at 09:46:41AM -0700, Linus Torvalds wrote: > > > I think follow_pfn() is ok for the actual "this is not a 'struct page' > > backed area", and disabling that case is wrong even going forward. > > Every place we've audited using follow_pfn() has been shown to have > some use-after-free bugs like Daniel describes, and a failure to check > permissions bug too. > > All the other follow_pfn() users were moved to follow_pte() to fix the > permissions check and this shifts the use-after-free bug away from > being inside an MM API and into the caller mis-using the API by, say, > extracting and using the PFN outside the pte lock. > > eg look at how VFIO wrongly uses follow_pte(): > > static int follow_fault_pfn() > ret = follow_pte(vma->vm_mm, vaddr, &ptep, &ptl); > *pfn = pte_pfn(*ptep); > pte_unmap_unlock(ptep, ptl); > > // no protection that pte_pfn() is still valid! > use_pfn(*pfn) > > v4l is the only user that still has the missing permissions check > security bug too - so there is no outcome that should keep > follow_pfn() in the tree. > > At worst v4l should change to follow_pte() and use it wrongly like > VFIO. At best we should delete all the v4l stuff. yeah vfio is still broken for the case I care about. I think there's also some questions open still about whether kvm really uses mmu_notifier in all cases correctly, but iirc the one exception was s390, which didn't have pci mmap and that's how it gets away with that specific problem. > Daniel I suppose we missed this relation to follow_pte(), so I agree > that keeping a unsafe_follow_pfn() around is not good. tbh I never really got the additional issue with the missing write checks. That users of follow_pfn (or well follow_pte + immediate lock dropping like vfio) don't subscribe to the pte updates in general is the bug I'm seeing. That v4l also glosses over the read/write access stuff is kinda just the icing on the cake :-) It's pretty well broken even if it would check that. -Daniel -- Daniel Vetter Software Engineer, Intel Corporation http://blog.ffwll.ch