From: Kees Cook <keescook@chromium.org>
To: David Laight <David.Laight@aculab.com>
Cc: Jason Ekstrand <jason@jlekstrand.net>,
Chris Wilson <chris@chris-wilson.co.uk>,
"intel-gfx@lists.freedesktop.org"
<intel-gfx@lists.freedesktop.org>,
"dri-devel@lists.freedesktop.org"
<dri-devel@lists.freedesktop.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] drm/i915: Use copy_from_user() in fence copying
Date: Fri, 8 Dec 2017 13:10:23 -0800 [thread overview]
Message-ID: <CAGXu5jLQnNg0m35467g6BW5Zdv3bm9bzzJzJyF8+4bbHF_SeVA@mail.gmail.com> (raw)
In-Reply-To: <e756f2e62e49443898484141036bccd5@AcuMS.aculab.com>
On Fri, Dec 8, 2017 at 2:17 AM, David Laight <David.Laight@aculab.com> wrote:
> From: Kees Cook
>> Sent: 06 December 2017 20:29
>>
>> There's no good reason to separate the access_ok() from the copy,
>> especially since the access_ok() size is hard-coded instead of using
>> sizeof(). Instead, just use copy_from_user() directly.
>
> Looks like an optimisation to save doing the access_ok() check
> for every 'fence'.
If it really makes a difference, okay, but access_ok() checks are fast. :P
> OTOH 'user copy hardening' probably makes a much larger performance
> degradation on this kind of code.
> (Might be ok here because &fence probably refers to something in the
> current stack frame.)
Well, the good news there is that it's using sizeof(fence), so no
hardening check is done (it's not a size that changes at runtime).
What I didn't like is that the access_ok() doesn't use sizeof(fence)
(it is currently correct: 2 u32s == sizeof(fence)) but that kind of
fragility keeps me up at night. ;)
So, fixing either would be fine, but if we're going to touch it, it
seems best to just do away with the __copy_*() usage instead.
-Kees
>
> David
>
>> Fixes: cf6e7bac6357 ("drm/i915: Add support for drm syncobjs")
>> Cc: Jason Ekstrand <jason@jlekstrand.net>
>> Cc: Chris Wilson <chris@chris-wilson.co.uk>
>> Signed-off-by: Kees Cook <keescook@chromium.org>
>> ---
>> drivers/gpu/drm/i915/i915_gem_execbuffer.c | 4 +---
>> 1 file changed, 1 insertion(+), 3 deletions(-)
>>
>> diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
>> index 435ed95df144..1da703213b17 100644
>> --- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c
>> +++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
>> @@ -2087,8 +2087,6 @@ get_fence_array(struct drm_i915_gem_execbuffer2 *args,
>> return ERR_PTR(-EINVAL);
>>
>> user = u64_to_user_ptr(args->cliprects_ptr);
>> - if (!access_ok(VERIFY_READ, user, nfences * 2 * sizeof(u32)))
>> - return ERR_PTR(-EFAULT);
>>
>> fences = kvmalloc_array(args->num_cliprects, sizeof(*fences),
>> __GFP_NOWARN | GFP_KERNEL);
>> @@ -2099,7 +2097,7 @@ get_fence_array(struct drm_i915_gem_execbuffer2 *args,
>> struct drm_i915_gem_exec_fence fence;
>> struct drm_syncobj *syncobj;
>>
>> - if (__copy_from_user(&fence, user++, sizeof(fence))) {
>> + if (copy_from_user(&fence, user++, sizeof(fence))) {
>> err = -EFAULT;
>> goto err;
>> }
>> --
>> 2.7.4
>>
>>
>> --
>> Kees Cook
>> Pixel Security
--
Kees Cook
Pixel Security
WARNING: multiple messages have this Message-ID (diff)
From: Kees Cook <keescook@chromium.org>
To: David Laight <David.Laight@aculab.com>
Cc: "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"intel-gfx@lists.freedesktop.org"
<intel-gfx@lists.freedesktop.org>,
"dri-devel@lists.freedesktop.org"
<dri-devel@lists.freedesktop.org>
Subject: Re: [PATCH] drm/i915: Use copy_from_user() in fence copying
Date: Fri, 8 Dec 2017 13:10:23 -0800 [thread overview]
Message-ID: <CAGXu5jLQnNg0m35467g6BW5Zdv3bm9bzzJzJyF8+4bbHF_SeVA@mail.gmail.com> (raw)
In-Reply-To: <e756f2e62e49443898484141036bccd5@AcuMS.aculab.com>
On Fri, Dec 8, 2017 at 2:17 AM, David Laight <David.Laight@aculab.com> wrote:
> From: Kees Cook
>> Sent: 06 December 2017 20:29
>>
>> There's no good reason to separate the access_ok() from the copy,
>> especially since the access_ok() size is hard-coded instead of using
>> sizeof(). Instead, just use copy_from_user() directly.
>
> Looks like an optimisation to save doing the access_ok() check
> for every 'fence'.
If it really makes a difference, okay, but access_ok() checks are fast. :P
> OTOH 'user copy hardening' probably makes a much larger performance
> degradation on this kind of code.
> (Might be ok here because &fence probably refers to something in the
> current stack frame.)
Well, the good news there is that it's using sizeof(fence), so no
hardening check is done (it's not a size that changes at runtime).
What I didn't like is that the access_ok() doesn't use sizeof(fence)
(it is currently correct: 2 u32s == sizeof(fence)) but that kind of
fragility keeps me up at night. ;)
So, fixing either would be fine, but if we're going to touch it, it
seems best to just do away with the __copy_*() usage instead.
-Kees
>
> David
>
>> Fixes: cf6e7bac6357 ("drm/i915: Add support for drm syncobjs")
>> Cc: Jason Ekstrand <jason@jlekstrand.net>
>> Cc: Chris Wilson <chris@chris-wilson.co.uk>
>> Signed-off-by: Kees Cook <keescook@chromium.org>
>> ---
>> drivers/gpu/drm/i915/i915_gem_execbuffer.c | 4 +---
>> 1 file changed, 1 insertion(+), 3 deletions(-)
>>
>> diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
>> index 435ed95df144..1da703213b17 100644
>> --- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c
>> +++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
>> @@ -2087,8 +2087,6 @@ get_fence_array(struct drm_i915_gem_execbuffer2 *args,
>> return ERR_PTR(-EINVAL);
>>
>> user = u64_to_user_ptr(args->cliprects_ptr);
>> - if (!access_ok(VERIFY_READ, user, nfences * 2 * sizeof(u32)))
>> - return ERR_PTR(-EFAULT);
>>
>> fences = kvmalloc_array(args->num_cliprects, sizeof(*fences),
>> __GFP_NOWARN | GFP_KERNEL);
>> @@ -2099,7 +2097,7 @@ get_fence_array(struct drm_i915_gem_execbuffer2 *args,
>> struct drm_i915_gem_exec_fence fence;
>> struct drm_syncobj *syncobj;
>>
>> - if (__copy_from_user(&fence, user++, sizeof(fence))) {
>> + if (copy_from_user(&fence, user++, sizeof(fence))) {
>> err = -EFAULT;
>> goto err;
>> }
>> --
>> 2.7.4
>>
>>
>> --
>> Kees Cook
>> Pixel Security
--
Kees Cook
Pixel Security
_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx
next prev parent reply other threads:[~2017-12-08 21:10 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-12-06 20:28 [PATCH] drm/i915: Use copy_from_user() in fence copying Kees Cook
2017-12-06 20:28 ` Kees Cook
2017-12-08 10:17 ` David Laight
2017-12-08 21:10 ` Kees Cook [this message]
2017-12-08 21:10 ` Kees Cook
2017-12-11 9:41 ` David Laight
2017-12-11 9:34 ` [Intel-gfx] " Joonas Lahtinen
2017-12-11 9:34 ` Joonas Lahtinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAGXu5jLQnNg0m35467g6BW5Zdv3bm9bzzJzJyF8+4bbHF_SeVA@mail.gmail.com \
--to=keescook@chromium.org \
--cc=David.Laight@aculab.com \
--cc=chris@chris-wilson.co.uk \
--cc=dri-devel@lists.freedesktop.org \
--cc=intel-gfx@lists.freedesktop.org \
--cc=jason@jlekstrand.net \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.