From: Daniel Vetter <daniel.vetter@ffwll.ch>
To: Jason Gunthorpe <jgg@ziepe.ca>
Cc: "Mauro Carvalho Chehab" <mchehab+huawei@kernel.org>,
"DRI Development" <dri-devel@lists.freedesktop.org>,
LKML <linux-kernel@vger.kernel.org>,
"KVM list" <kvm@vger.kernel.org>, "Linux MM" <linux-mm@kvack.org>,
"Linux ARM" <linux-arm-kernel@lists.infradead.org>,
linux-samsung-soc <linux-samsung-soc@vger.kernel.org>,
"open list:DMA BUFFER SHARING FRAMEWORK"
<linux-media@vger.kernel.org>,
linux-s390 <linux-s390@vger.kernel.org>,
"Daniel Vetter" <daniel.vetter@intel.com>,
"Kees Cook" <keescook@chromium.org>,
"Dan Williams" <dan.j.williams@intel.com>,
"Andrew Morton" <akpm@linux-foundation.org>,
"John Hubbard" <jhubbard@nvidia.com>,
"Jérôme Glisse" <jglisse@redhat.com>, "Jan Kara" <jack@suse.cz>,
"Linus Torvalds" <torvalds@linux-foundation.org>
Subject: Re: [PATCH v2 09/17] mm: Add unsafe_follow_pfn
Date: Fri, 9 Oct 2020 19:52:05 +0200 [thread overview]
Message-ID: <CAKMK7uF-hrSwzFQkp6qEP88hM1Qg8TMQOunuRHh=f2+D8MaMRg@mail.gmail.com> (raw)
In-Reply-To: <20201009124850.GP5177@ziepe.ca>
On Fri, Oct 9, 2020 at 2:48 PM Jason Gunthorpe <jgg@ziepe.ca> wrote:
>
> On Fri, Oct 09, 2020 at 02:37:23PM +0200, Mauro Carvalho Chehab wrote:
>
> > I'm not a mm/ expert, but, from what I understood from Daniel's patch
> > description is that this is unsafe *only if* __GFP_MOVABLE is used.
>
> No, it is unconditionally unsafe. The CMA movable mappings are
> specific VMAs that will have bad issues here, but there are other
> types too.
>
> The only way to do something at a VMA level is to have a list of OK
> VMAs, eg because they were creatd via a special mmap helper from the
> media subsystem.
>
> > Well, no drivers inside the media subsystem uses such flag, although
> > they may rely on some infrastructure that could be using it behind
> > the bars.
>
> It doesn't matter, nothing prevents the user from calling media APIs
> on mmaps it gets from other subsystems.
I think a good first step would be to disable userptr of non struct
page backed storage going forward for any new hw support. Even on
existing drivers. dma-buf sharing has been around for long enough now
that this shouldn't be a problem. Unfortunately right now this doesn't
seem to exist, so the entire problem keeps getting perpetuated.
> > If this is the case, the proper fix seems to have a GFP_NOT_MOVABLE
> > flag that it would be denying the core mm code to set __GFP_MOVABLE.
>
> We can't tell from the VMA these kinds of details..
>
> It has to go the other direction, evey mmap that might be used as a
> userptr here has to be found and the VMA specially created to allow
> its use. At least that is a kernel only change, but will need people
> with the HW to do this work.
I think the only reasonable way to keep this working is:
- add a struct dma_buf *vma_tryget_dma_buf(struct vm_area_struct *vma);
- add dma-buf export support to fbdev and v4l
- roll this out everywhere we still need it.
Realistically this just isn't going to happen. And anything else just
reimplements half of dma-buf, which is kinda pointless (you need
minimally refcounting and some way to get at a promise of a permanent
sg list for dma. Plus probably the vmap for kernel cpu access.
> > Please let address the issue on this way, instead of broken an
> > userspace API that it is there since 1991.
>
> It has happened before :( It took 4 years for RDMA to undo the uAPI
> breakage caused by a security fix for something that was a 15 years
> old bug.
Yeah we have a bunch of these on the drm side too. Some of them are
really just "you have to upgrade userspace", and there's no real fix
for the security nightmare without that.
-Daniel
--
Daniel Vetter
Software Engineer, Intel Corporation
http://blog.ffwll.ch
next prev parent reply other threads:[~2020-10-09 17:52 UTC|newest]
Thread overview: 69+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-09 7:59 [PATCH v2 00/17] follow_pfn and other iomap races Daniel Vetter
2020-10-09 7:59 ` [PATCH v2 01/17] drm/exynos: Stop using frame_vector helpers Daniel Vetter
2020-10-16 7:42 ` John Hubbard
2020-10-09 7:59 ` [PATCH v2 02/17] drm/exynos: Use FOLL_LONGTERM for g2d cmdlists Daniel Vetter
2020-10-09 7:59 ` [PATCH v2 03/17] misc/habana: Stop using frame_vector helpers Daniel Vetter
2020-10-10 20:26 ` Oded Gabbay
2020-10-10 21:32 ` Daniel Vetter
2020-10-10 21:41 ` Daniel Vetter
2020-10-10 21:47 ` Oded Gabbay
2020-10-16 7:45 ` John Hubbard
2020-10-09 7:59 ` [PATCH v2 04/17] misc/habana: Use FOLL_LONGTERM for userptr Daniel Vetter
2020-10-09 7:59 ` [PATCH v2 05/17] mm/frame-vector: Use FOLL_LONGTERM Daniel Vetter
2020-10-16 7:54 ` John Hubbard
2020-10-16 8:03 ` Daniel Vetter
2020-10-09 7:59 ` [PATCH v2 06/17] media: videobuf2: Move frame_vector into media subsystem Daniel Vetter
2020-10-09 10:14 ` Mauro Carvalho Chehab
2020-10-09 16:57 ` Daniel Vetter
2020-10-09 7:59 ` [PATCH v2 07/17] mm: Close race in generic_access_phys Daniel Vetter
2020-10-09 7:59 ` [PATCH v2 08/17] s390/pci: Remove races against pte updates Daniel Vetter
2020-10-12 14:03 ` Niklas Schnelle
2020-10-12 14:19 ` Daniel Vetter
2020-10-12 14:39 ` Niklas Schnelle
2020-10-21 7:55 ` Niklas Schnelle
2020-10-22 7:39 ` Daniel Vetter
2020-10-09 7:59 ` [PATCH v2 09/17] mm: Add unsafe_follow_pfn Daniel Vetter
2020-10-09 10:34 ` Mauro Carvalho Chehab
2020-10-09 12:21 ` Jason Gunthorpe
2020-10-09 12:37 ` Mauro Carvalho Chehab
2020-10-09 12:39 ` Mauro Carvalho Chehab
2020-10-09 12:48 ` Jason Gunthorpe
2020-10-09 17:52 ` Daniel Vetter [this message]
2020-10-09 18:01 ` Jason Gunthorpe
2020-10-09 19:31 ` Daniel Vetter
2020-10-10 9:21 ` Mauro Carvalho Chehab
2020-10-10 10:53 ` Daniel Vetter
2020-10-10 11:39 ` Mauro Carvalho Chehab
2020-10-10 11:56 ` Daniel Vetter
2020-10-10 17:22 ` Tomasz Figa
2020-10-10 21:35 ` Laurent Pinchart
2020-10-10 21:50 ` Daniel Vetter
2020-10-11 6:27 ` Mauro Carvalho Chehab
2020-10-11 6:36 ` Mauro Carvalho Chehab
2020-10-10 21:11 ` Laurent Pinchart
2020-10-12 10:46 ` Marek Szyprowski
2020-10-12 13:49 ` Daniel Vetter
2020-10-10 17:30 ` Tomasz Figa
2020-10-09 7:59 ` [PATCH v2 10/17] media/videbuf1|2: Mark follow_pfn usage as unsafe Daniel Vetter
2020-10-10 9:24 ` Mauro Carvalho Chehab
2020-10-09 7:59 ` [PATCH v2 11/17] vfio/type1: Mark follow_pfn " Daniel Vetter
2020-10-09 7:59 ` [PATCH v2 12/17] PCI: Obey iomem restrictions for procfs mmap Daniel Vetter
2020-10-09 7:59 ` [PATCH v2 13/17] /dev/mem: Only set filp->f_mapping Daniel Vetter
2020-10-09 7:59 ` [PATCH v2 14/17] resource: Move devmem revoke code to resource framework Daniel Vetter
2020-10-09 10:59 ` Greg Kroah-Hartman
2020-10-09 12:31 ` Jason Gunthorpe
2020-10-09 14:24 ` Daniel Vetter
2020-10-09 14:32 ` Jason Gunthorpe
2020-10-09 18:28 ` Dan Williams
2020-10-15 0:09 ` Jason Gunthorpe
2020-10-15 7:52 ` Daniel Vetter
2020-10-15 7:55 ` Daniel Vetter
2020-10-15 15:29 ` Daniel Vetter
2020-10-09 7:59 ` [PATCH v2 15/17] sysfs: Support zapping of binary attr mmaps Daniel Vetter
2020-10-09 10:58 ` Greg Kroah-Hartman
2020-10-09 7:59 ` [PATCH v2 16/17] PCI: Revoke mappings like devmem Daniel Vetter
2020-10-09 7:59 ` [PATCH v2 17/17] drm/i915: Properly request PCI BARs Daniel Vetter
2020-10-09 9:47 ` Ville Syrjälä
2020-10-09 10:01 ` Daniel Vetter
2020-10-09 10:41 ` Ville Syrjälä
2020-10-09 14:18 ` Daniel Vetter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAKMK7uF-hrSwzFQkp6qEP88hM1Qg8TMQOunuRHh=f2+D8MaMRg@mail.gmail.com' \
--to=daniel.vetter@ffwll.ch \
--cc=akpm@linux-foundation.org \
--cc=dan.j.williams@intel.com \
--cc=daniel.vetter@intel.com \
--cc=dri-devel@lists.freedesktop.org \
--cc=jack@suse.cz \
--cc=jgg@ziepe.ca \
--cc=jglisse@redhat.com \
--cc=jhubbard@nvidia.com \
--cc=keescook@chromium.org \
--cc=kvm@vger.kernel.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-media@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-s390@vger.kernel.org \
--cc=linux-samsung-soc@vger.kernel.org \
--cc=mchehab+huawei@kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).