Date: Mon, 10 May 2021 12:34:12 -0300
From: Jason Gunthorpe
To: Daniel Vetter
Cc: Linus Torvalds, Tomasz Figa, Marek Szyprowski, Mauro Carvalho Chehab, DRI Development, LKML, Linux-MM, Linux ARM, Linux Media Mailing List, linux-samsung-soc
Subject: Re: [PULL] topic/iomem-mmap-vs-gup
Message-ID: <20210510153412.GG2047089@ziepe.ca>
References: <20210510135031.GF2047089@ziepe.ca>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, May 10, 2021 at 04:55:39PM +0200, Daniel Vetter wrote:
> yeah vfio is still broken for the case I care about. I think there's
> also some questions open still about whether kvm really uses
> mmu_notifier in all cases correctly, IIRC kvm doesn't either.
>
> > Daniel I suppose we missed this relation to follow_pte(), so I agree
> > that keeping an unsafe_follow_pfn() around is not good.
>
> tbh I never really got the additional issue with the missing write
> checks. That users of follow_pfn (or well follow_pte + immediate lock
> dropping like vfio) don't subscribe to the pte updates in general is
> the bug I'm seeing. That v4l also glosses over the read/write access
> stuff is kinda just the icing on the cake :-) It's pretty well broken
> even if it would check that.

It is just severity. Exploiting the use-after-free bug is somewhat
harder, exploiting the 'you can write to non-page write protected
memory' bug is not so hard.

Jason