From: Daniel Vetter <daniel.vetter@ffwll.ch>
To: Jason Gunthorpe <jgg@ziepe.ca>
Cc: "DRI Development" <dri-devel@lists.freedesktop.org>,
LKML <linux-kernel@vger.kernel.org>,
"Daniel Vetter" <daniel.vetter@intel.com>,
"Andrew Morton" <akpm@linux-foundation.org>,
"John Hubbard" <jhubbard@nvidia.com>,
"Jérôme Glisse" <jglisse@redhat.com>, "Jan Kara" <jack@suse.cz>,
"Dan Williams" <dan.j.williams@intel.com>,
"Linux MM" <linux-mm@kvack.org>,
"Linux ARM" <linux-arm-kernel@lists.infradead.org>,
"Pawel Osciak" <pawel@osciak.com>,
"Marek Szyprowski" <m.szyprowski@samsung.com>,
"Kyungmin Park" <kyungmin.park@samsung.com>,
"Tomasz Figa" <tfiga@chromium.org>,
"Inki Dae" <inki.dae@samsung.com>,
"Joonyoung Shim" <jy0922.shim@samsung.com>,
"Seung-Woo Kim" <sw0312.kim@samsung.com>,
linux-samsung-soc <linux-samsung-soc@vger.kernel.org>,
"open list:DMA BUFFER SHARING FRAMEWORK"
<linux-media@vger.kernel.org>,
"Oded Gabbay" <oded.gabbay@gmail.com>
Subject: Re: [PATCH 2/2] mm/frame-vec: use FOLL_LONGTERM
Date: Tue, 6 Oct 2020 08:23:23 +0200 [thread overview]
Message-ID: <CAKMK7uHt=kD=njZvMULy-k-bY4emn=u8__t7etQDq3_WUL7VAw@mail.gmail.com> (raw)
In-Reply-To: <20201005234104.GD5177@ziepe.ca>
On Tue, Oct 6, 2020 at 1:41 AM Jason Gunthorpe <jgg@ziepe.ca> wrote:
>
> On Tue, Oct 06, 2020 at 12:43:31AM +0200, Daniel Vetter wrote:
>
> > > iow I think I can outright delete the frame vector stuff.
> >
> > Ok this doesn't work, because dma_mmap always uses a remap_pfn_range,
> > which is a VM_IO | VM_PFNMAP vma and so even if it's cma backed and
> > not a carveout, we can't get the pages.
>
> If CMA memory has struct pages it probably should be mmap'd with
> different flags, and the lifecycle of the CMA memory needs to respect
> the struct page refcount?
I guess yes and no. The problem is if there's pagecache in the cma
region, pup(FOLL_LONGTERM) needs to first migrate those pages out of
the cma range. Because all normal page allocation in cma regions must
be migratable at all times. But when you use cma as the contig
allocator (mostly with dma_alloc_coherent) and then remap that for
userspace (e.g. dma_mmap_wc), then anyone doing pup or gup should not
try to migrate anything. Also in the past these contig ranges where
generally carveouts without any struct page, changing that would break
too much I guess.
> > Plus trying to move the cma pages out of cma for FOLL_LONGTERM would
> > be kinda bad when they've been allocated as a contig block by
> > dma_alloc_coherent :-)
>
> Isn't holding a long term reference to a CMA page one of those really
> scary use-after-free security issues I've been talking about?
>
> I know nothing about CMA, so can't say too much, sorry
Uh ... yes :-/
This is actually worse than the gpu case I had in mind, where at most
you can sneak access other gpu buffers. With cma you should be able to
get at arbitrary pagecache (well anything that's GFP_MOVEABLE really).
Nice :-(
-Daniel
--
Daniel Vetter
Software Engineer, Intel Corporation
http://blog.ffwll.ch
WARNING: multiple messages have this Message-ID (diff)
From: Daniel Vetter <daniel.vetter@ffwll.ch>
To: Jason Gunthorpe <jgg@ziepe.ca>
Cc: "Oded Gabbay" <oded.gabbay@gmail.com>,
"Inki Dae" <inki.dae@samsung.com>,
linux-samsung-soc <linux-samsung-soc@vger.kernel.org>,
"Jan Kara" <jack@suse.cz>,
"Joonyoung Shim" <jy0922.shim@samsung.com>,
"Pawel Osciak" <pawel@osciak.com>,
"John Hubbard" <jhubbard@nvidia.com>,
"Seung-Woo Kim" <sw0312.kim@samsung.com>,
LKML <linux-kernel@vger.kernel.org>,
"DRI Development" <dri-devel@lists.freedesktop.org>,
"Tomasz Figa" <tfiga@chromium.org>,
"Kyungmin Park" <kyungmin.park@samsung.com>,
"Linux MM" <linux-mm@kvack.org>,
"Jérôme Glisse" <jglisse@redhat.com>,
"Daniel Vetter" <daniel.vetter@intel.com>,
"Andrew Morton" <akpm@linux-foundation.org>,
"open list:DMA BUFFER SHARING FRAMEWORK"
<linux-media@vger.kernel.org>,
"Dan Williams" <dan.j.williams@intel.com>,
"Linux ARM" <linux-arm-kernel@lists.infradead.org>,
"Marek Szyprowski" <m.szyprowski@samsung.com>
Subject: Re: [PATCH 2/2] mm/frame-vec: use FOLL_LONGTERM
Date: Tue, 6 Oct 2020 08:23:23 +0200 [thread overview]
Message-ID: <CAKMK7uHt=kD=njZvMULy-k-bY4emn=u8__t7etQDq3_WUL7VAw@mail.gmail.com> (raw)
In-Reply-To: <20201005234104.GD5177@ziepe.ca>
On Tue, Oct 6, 2020 at 1:41 AM Jason Gunthorpe <jgg@ziepe.ca> wrote:
>
> On Tue, Oct 06, 2020 at 12:43:31AM +0200, Daniel Vetter wrote:
>
> > > iow I think I can outright delete the frame vector stuff.
> >
> > Ok this doesn't work, because dma_mmap always uses a remap_pfn_range,
> > which is a VM_IO | VM_PFNMAP vma and so even if it's cma backed and
> > not a carveout, we can't get the pages.
>
> If CMA memory has struct pages it probably should be mmap'd with
> different flags, and the lifecycle of the CMA memory needs to respect
> the struct page refcount?
I guess yes and no. The problem is if there's pagecache in the cma
region, pup(FOLL_LONGTERM) needs to first migrate those pages out of
the cma range. Because all normal page allocation in cma regions must
be migratable at all times. But when you use cma as the contig
allocator (mostly with dma_alloc_coherent) and then remap that for
userspace (e.g. dma_mmap_wc), then anyone doing pup or gup should not
try to migrate anything. Also in the past these contig ranges where
generally carveouts without any struct page, changing that would break
too much I guess.
> > Plus trying to move the cma pages out of cma for FOLL_LONGTERM would
> > be kinda bad when they've been allocated as a contig block by
> > dma_alloc_coherent :-)
>
> Isn't holding a long term reference to a CMA page one of those really
> scary use-after-free security issues I've been talking about?
>
> I know nothing about CMA, so can't say too much, sorry
Uh ... yes :-/
This is actually worse than the gpu case I had in mind, where at most
you can sneak access other gpu buffers. With cma you should be able to
get at arbitrary pagecache (well anything that's GFP_MOVEABLE really).
Nice :-(
-Daniel
--
Daniel Vetter
Software Engineer, Intel Corporation
http://blog.ffwll.ch
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
WARNING: multiple messages have this Message-ID (diff)
From: Daniel Vetter <daniel.vetter@ffwll.ch>
To: Jason Gunthorpe <jgg@ziepe.ca>
Cc: linux-samsung-soc <linux-samsung-soc@vger.kernel.org>,
"Jan Kara" <jack@suse.cz>,
"Joonyoung Shim" <jy0922.shim@samsung.com>,
"Pawel Osciak" <pawel@osciak.com>,
"John Hubbard" <jhubbard@nvidia.com>,
"Seung-Woo Kim" <sw0312.kim@samsung.com>,
LKML <linux-kernel@vger.kernel.org>,
"DRI Development" <dri-devel@lists.freedesktop.org>,
"Tomasz Figa" <tfiga@chromium.org>,
"Kyungmin Park" <kyungmin.park@samsung.com>,
"Linux MM" <linux-mm@kvack.org>,
"Jérôme Glisse" <jglisse@redhat.com>,
"Daniel Vetter" <daniel.vetter@intel.com>,
"Andrew Morton" <akpm@linux-foundation.org>,
"open list:DMA BUFFER SHARING FRAMEWORK"
<linux-media@vger.kernel.org>,
"Dan Williams" <dan.j.williams@intel.com>,
"Linux ARM" <linux-arm-kernel@lists.infradead.org>,
"Marek Szyprowski" <m.szyprowski@samsung.com>
Subject: Re: [PATCH 2/2] mm/frame-vec: use FOLL_LONGTERM
Date: Tue, 6 Oct 2020 08:23:23 +0200 [thread overview]
Message-ID: <CAKMK7uHt=kD=njZvMULy-k-bY4emn=u8__t7etQDq3_WUL7VAw@mail.gmail.com> (raw)
In-Reply-To: <20201005234104.GD5177@ziepe.ca>
On Tue, Oct 6, 2020 at 1:41 AM Jason Gunthorpe <jgg@ziepe.ca> wrote:
>
> On Tue, Oct 06, 2020 at 12:43:31AM +0200, Daniel Vetter wrote:
>
> > > iow I think I can outright delete the frame vector stuff.
> >
> > Ok this doesn't work, because dma_mmap always uses a remap_pfn_range,
> > which is a VM_IO | VM_PFNMAP vma and so even if it's cma backed and
> > not a carveout, we can't get the pages.
>
> If CMA memory has struct pages it probably should be mmap'd with
> different flags, and the lifecycle of the CMA memory needs to respect
> the struct page refcount?
I guess yes and no. The problem is if there's pagecache in the cma
region, pup(FOLL_LONGTERM) needs to first migrate those pages out of
the cma range. Because all normal page allocation in cma regions must
be migratable at all times. But when you use cma as the contig
allocator (mostly with dma_alloc_coherent) and then remap that for
userspace (e.g. dma_mmap_wc), then anyone doing pup or gup should not
try to migrate anything. Also in the past these contig ranges where
generally carveouts without any struct page, changing that would break
too much I guess.
> > Plus trying to move the cma pages out of cma for FOLL_LONGTERM would
> > be kinda bad when they've been allocated as a contig block by
> > dma_alloc_coherent :-)
>
> Isn't holding a long term reference to a CMA page one of those really
> scary use-after-free security issues I've been talking about?
>
> I know nothing about CMA, so can't say too much, sorry
Uh ... yes :-/
This is actually worse than the gpu case I had in mind, where at most
you can sneak access other gpu buffers. With cma you should be able to
get at arbitrary pagecache (well anything that's GFP_MOVEABLE really).
Nice :-(
-Daniel
--
Daniel Vetter
Software Engineer, Intel Corporation
http://blog.ffwll.ch
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
next prev parent reply other threads:[~2020-10-06 6:23 UTC|newest]
Thread overview: 156+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-02 17:53 [PATCH 1/2] mm/frame-vec: Drop gup_flags from get_vaddr_frames() Daniel Vetter
2020-10-02 17:53 ` Daniel Vetter
2020-10-02 17:53 ` Daniel Vetter
2020-10-02 17:53 ` [PATCH 2/2] mm/frame-vec: use FOLL_LONGTERM Daniel Vetter
2020-10-02 17:53 ` Daniel Vetter
2020-10-02 17:53 ` Daniel Vetter
2020-10-02 18:06 ` Jason Gunthorpe
2020-10-02 18:06 ` Jason Gunthorpe
2020-10-02 18:06 ` Jason Gunthorpe
2020-10-02 18:16 ` Daniel Vetter
2020-10-02 18:16 ` Daniel Vetter
2020-10-02 18:16 ` Daniel Vetter
2020-10-02 23:31 ` Jason Gunthorpe
2020-10-02 23:31 ` Jason Gunthorpe
2020-10-02 23:31 ` Jason Gunthorpe
2020-10-03 8:34 ` Oded Gabbay
2020-10-03 8:34 ` Oded Gabbay
2020-10-03 8:34 ` Oded Gabbay
2020-10-03 9:40 ` Daniel Vetter
2020-10-03 9:40 ` Daniel Vetter
2020-10-03 9:40 ` Daniel Vetter
2020-10-04 12:50 ` Jason Gunthorpe
2020-10-04 12:50 ` Jason Gunthorpe
2020-10-04 12:50 ` Jason Gunthorpe
2020-10-04 16:09 ` Daniel Vetter
2020-10-04 16:09 ` Daniel Vetter
2020-10-04 16:09 ` Daniel Vetter
2020-10-05 17:28 ` Jason Gunthorpe
2020-10-05 17:28 ` Jason Gunthorpe
2020-10-05 17:28 ` Jason Gunthorpe
2020-10-05 18:16 ` Daniel Vetter
2020-10-05 18:16 ` Daniel Vetter
2020-10-05 18:16 ` Daniel Vetter
2020-10-05 18:37 ` Jason Gunthorpe
2020-10-05 18:37 ` Jason Gunthorpe
2020-10-05 18:37 ` Jason Gunthorpe
2020-10-05 18:54 ` Daniel Vetter
2020-10-05 18:54 ` Daniel Vetter
2020-10-05 18:54 ` Daniel Vetter
2020-10-05 22:43 ` Daniel Vetter
2020-10-05 22:43 ` Daniel Vetter
2020-10-05 22:43 ` Daniel Vetter
2020-10-05 23:41 ` Jason Gunthorpe
2020-10-05 23:41 ` Jason Gunthorpe
2020-10-05 23:41 ` Jason Gunthorpe
2020-10-06 6:23 ` Daniel Vetter [this message]
2020-10-06 6:23 ` Daniel Vetter
2020-10-06 6:23 ` Daniel Vetter
2020-10-06 12:26 ` Jason Gunthorpe
2020-10-06 12:26 ` Jason Gunthorpe
2020-10-06 12:26 ` Jason Gunthorpe
2020-10-06 13:08 ` Daniel Vetter
2020-10-06 13:08 ` Daniel Vetter
2020-10-06 13:08 ` Daniel Vetter
2020-10-07 10:47 ` Marek Szyprowski
2020-10-07 10:47 ` Marek Szyprowski
2020-10-07 10:47 ` Marek Szyprowski
2020-10-07 12:01 ` Daniel Vetter
2020-10-07 12:01 ` Daniel Vetter
2020-10-07 12:01 ` Daniel Vetter
2020-10-07 12:33 ` Marek Szyprowski
2020-10-07 12:33 ` Marek Szyprowski
2020-10-07 12:33 ` Marek Szyprowski
2020-10-07 12:44 ` Jason Gunthorpe
2020-10-07 12:44 ` Jason Gunthorpe
2020-10-07 12:44 ` Jason Gunthorpe
2020-10-07 12:47 ` Tomasz Figa
2020-10-07 12:47 ` Tomasz Figa
2020-10-07 12:47 ` Tomasz Figa
2020-10-07 12:58 ` Daniel Vetter
2020-10-07 12:58 ` Daniel Vetter
2020-10-07 12:58 ` Daniel Vetter
2020-10-07 13:06 ` Jason Gunthorpe
2020-10-07 13:06 ` Jason Gunthorpe
2020-10-07 13:06 ` Jason Gunthorpe
2020-10-07 13:34 ` Tomasz Figa
2020-10-07 13:34 ` Tomasz Figa
2020-10-07 13:34 ` Tomasz Figa
2020-10-07 13:42 ` Jason Gunthorpe
2020-10-07 13:42 ` Jason Gunthorpe
2020-10-07 13:42 ` Jason Gunthorpe
2020-10-07 14:08 ` Daniel Vetter
2020-10-07 14:08 ` Daniel Vetter
2020-10-07 14:08 ` Daniel Vetter
2020-10-07 14:11 ` Tomasz Figa
2020-10-07 14:11 ` Tomasz Figa
2020-10-07 14:11 ` Tomasz Figa
2020-10-07 14:22 ` Daniel Vetter
2020-10-07 14:22 ` Daniel Vetter
2020-10-07 14:22 ` Daniel Vetter
2020-10-07 15:05 ` Tomasz Figa
2020-10-07 15:05 ` Tomasz Figa
2020-10-07 15:05 ` Tomasz Figa
2020-10-07 14:58 ` Jason Gunthorpe
2020-10-07 14:58 ` Jason Gunthorpe
2020-10-07 14:58 ` Jason Gunthorpe
2020-10-07 13:06 ` Tomasz Figa
2020-10-07 13:06 ` Tomasz Figa
2020-10-07 13:06 ` Tomasz Figa
2020-10-07 13:14 ` Jason Gunthorpe
2020-10-07 13:14 ` Jason Gunthorpe
2020-10-07 13:14 ` Jason Gunthorpe
2020-10-05 15:03 ` Jan Kara
2020-10-05 15:03 ` Jan Kara
2020-10-05 15:03 ` Jan Kara
2020-10-02 22:39 ` John Hubbard
2020-10-02 22:39 ` John Hubbard
2020-10-02 22:39 ` John Hubbard
2020-10-03 9:45 ` Daniel Vetter
2020-10-03 9:45 ` Daniel Vetter
2020-10-03 9:45 ` Daniel Vetter
2020-10-03 22:52 ` John Hubbard
2020-10-03 22:52 ` John Hubbard
2020-10-03 22:52 ` John Hubbard
2020-10-03 23:24 ` Jason Gunthorpe
2020-10-03 23:24 ` Jason Gunthorpe
2020-10-03 23:24 ` Jason Gunthorpe
2020-10-04 11:20 ` Daniel Vetter
2020-10-04 11:20 ` Daniel Vetter
2020-10-04 11:20 ` Daniel Vetter
2020-10-05 17:35 ` Jason Gunthorpe
2020-10-05 17:35 ` Jason Gunthorpe
2020-10-05 17:35 ` Jason Gunthorpe
2020-10-02 18:22 ` [PATCH 1/2] mm/frame-vec: Drop gup_flags from get_vaddr_frames() Tomasz Figa
2020-10-02 18:22 ` Tomasz Figa
2020-10-02 18:22 ` Tomasz Figa
2020-10-02 18:22 ` Tomasz Figa
2020-10-02 19:21 ` Oded Gabbay
2020-10-02 19:21 ` Oded Gabbay
2020-10-02 19:21 ` Oded Gabbay
2020-10-02 19:21 ` Oded Gabbay
2020-10-05 17:38 [PATCH 2/2] mm/frame-vec: use FOLL_LONGTERM Jason Gunthorpe
2020-10-05 17:38 ` Jason Gunthorpe
2020-10-05 17:47 ` Jason Gunthorpe
2020-10-05 17:47 ` Jason Gunthorpe
2020-10-05 17:47 ` Jason Gunthorpe
2020-10-06 3:36 ` Andrew Morton
2020-10-06 3:36 ` Andrew Morton
2020-10-06 3:36 ` Andrew Morton
2020-10-06 11:57 ` Jason Gunthorpe
2020-10-06 11:57 ` Jason Gunthorpe
2020-10-06 11:57 ` Jason Gunthorpe
2020-10-05 17:53 ` Jan Kara
2020-10-05 17:53 ` Jan Kara
2020-10-05 17:53 ` Jan Kara
2020-10-05 17:57 ` Jason Gunthorpe
2020-10-05 17:57 ` Jason Gunthorpe
2020-10-05 17:57 ` Jason Gunthorpe
2020-10-05 18:16 ` Daniel Vetter
2020-10-05 18:16 ` Daniel Vetter
2020-10-05 18:16 ` Daniel Vetter
2020-10-05 18:16 ` Daniel Vetter
2020-10-06 11:56 ` Daniel Vetter
2020-10-06 11:56 ` Daniel Vetter
2020-10-06 11:56 ` Daniel Vetter
2020-10-06 11:56 ` Daniel Vetter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAKMK7uHt=kD=njZvMULy-k-bY4emn=u8__t7etQDq3_WUL7VAw@mail.gmail.com' \
--to=daniel.vetter@ffwll.ch \
--cc=akpm@linux-foundation.org \
--cc=dan.j.williams@intel.com \
--cc=daniel.vetter@intel.com \
--cc=dri-devel@lists.freedesktop.org \
--cc=inki.dae@samsung.com \
--cc=jack@suse.cz \
--cc=jgg@ziepe.ca \
--cc=jglisse@redhat.com \
--cc=jhubbard@nvidia.com \
--cc=jy0922.shim@samsung.com \
--cc=kyungmin.park@samsung.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-media@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-samsung-soc@vger.kernel.org \
--cc=m.szyprowski@samsung.com \
--cc=oded.gabbay@gmail.com \
--cc=pawel@osciak.com \
--cc=sw0312.kim@samsung.com \
--cc=tfiga@chromium.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.