Re: [PATCH 1/2] drm/etnaviv: Use FOLL_FORCE for userptr

From: Lucas Stach <l.stach@pengutronix.de>
To: Daniel Vetter <daniel@ffwll.ch>,
	DRI Development <dri-devel@lists.freedesktop.org>
Cc: John Hubbard <jhubbard@nvidia.com>,
	Daniel Vetter <daniel.vetter@ffwll.ch>,
	etnaviv@lists.freedesktop.org, stable@vger.kernel.org,
	Russell King <linux+etnaviv@armlinux.org.uk>,
	Daniel Vetter <daniel.vetter@intel.com>
Subject: Re: [PATCH 1/2] drm/etnaviv: Use FOLL_FORCE for userptr
Date: Fri, 19 Mar 2021 20:13:06 +0100	[thread overview]
Message-ID: <693cbfa87ac025d84e1cd8d95c5bd68ec68a943b.camel@pengutronix.de> (raw)
In-Reply-To: <YFT3B9fRldXI470m@phenom.ffwll.local>

Am Freitag, dem 19.03.2021 um 20:09 +0100 schrieb Daniel Vetter:
> On Mon, Mar 01, 2021 at 10:52:53AM +0100, Daniel Vetter wrote:
> > Nothing checks userptr.ro except this call to pup_fast, which means
> > there's nothing actually preventing userspace from writing to this.
> > Which means you can just read-only mmap any file you want, userptr it
> > and then write to it with the gpu. Not good.
> > 
> > The right way to handle this is FOLL_WRITE | FOLL_FORCE, which will
> > break any COW mappings and update tracking for MAY_WRITE mappings so
> > there's no exploit and the vm isn't confused about what's going on.
> > For any legit use case there's no difference from what userspace can
> > observe and do.
> > 
> > Cc: stable@vger.kernel.org
> > Cc: John Hubbard <jhubbard@nvidia.com>
> > Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
> > Cc: Lucas Stach <l.stach@pengutronix.de>
> > Cc: Russell King <linux+etnaviv@armlinux.org.uk>
> > Cc: Christian Gmeiner <christian.gmeiner@gmail.com>
> > Cc: etnaviv@lists.freedesktop.org
> 
> Can I please have an ack on this so I can apply it? It's stuck.

Reviewed-by: Lucas Stach <l.stach@pengutronix.de>

> Thanks, Daniel
> 
> > ---
> >  drivers/gpu/drm/etnaviv/etnaviv_gem.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/drivers/gpu/drm/etnaviv/etnaviv_gem.c b/drivers/gpu/drm/etnaviv/etnaviv_gem.c
> > index 6d38c5c17f23..a9e696d05b33 100644
> > --- a/drivers/gpu/drm/etnaviv/etnaviv_gem.c
> > +++ b/drivers/gpu/drm/etnaviv/etnaviv_gem.c
> > @@ -689,7 +689,7 @@ static int etnaviv_gem_userptr_get_pages(struct etnaviv_gem_object *etnaviv_obj)
> >  		struct page **pages = pvec + pinned;
> >  
> > 
> > 
> > 
> >  		ret = pin_user_pages_fast(ptr, num_pages,
> > -					  !userptr->ro ? FOLL_WRITE : 0, pages);
> > +					  FOLL_WRITE | FOLL_FORCE, pages);
> >  		if (ret < 0) {
> >  			unpin_user_pages(pvec, pinned);
> >  			kvfree(pvec);
> > -- 
> > 2.30.0
> > 
> 


_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel