From mboxrd@z Thu Jan 1 00:00:00 1970
From: Al Viro
To: Rob Clark
Cc: Vaishali Thakkar, David Airlie, linux-arm-msm, dri-devel@lists.freedesktop.org, freedreno@lists.freedesktop.org, Linux Kernel Mailing List, Julia Lawall
Subject: Re: Use of copy_from_user in msm_gem_submit.c while holding a spin_lock
Date: Wed, 17 Aug 2016 20:15:34 +0100
Message-ID: <20160817191534.GF2356@ZenIV.linux.org.uk>
References: <57B44D2E.2030301@oracle.com> <20160817170827.GC2356@ZenIV.linux.org.uk>
User-Agent: Mutt/1.6.1 (2016-04-27)
List-Id: linux-arm-msm@vger.kernel.org
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Aug 17, 2016 at 02:49:32PM -0400, Rob Clark wrote:

> I'm not saying that I shouldn't fix it (although not quite sure how
> yet.. taking/dropping the spinlock inside the loop is not a good
> option from a performance standpoint).  What I am saying is that this
> is not something that can happen accidentally (as it could in the case
> of swap).  But I agree that I should fix it somehow to avoid issues
> with an intentionally evil userspace.

I wouldn't count on that not happening by accident.  With zero changes
in mesa itself - it can be as simple as change of allocator in the
bowels of libc or throwing libdmalloc into the link flags, etc.  And most
of the time it would've worked just fine, but the same call in a situation
when most of the memory is occupied by dirty pagecache pages can end up
having to wait for writeback.

> If there is a copy_from_user() variant that will return an error
> instead of blocking, I think that is really what I want so I can
> implement a slow-path that drops the spin-lock temporarily.

*shrug*

pagefault_disable()/pagefault_enable() are there for a purpose, so's
__copy_from_user_inatomic()...  Just remember that __copy_from_user_inatomic()
does not check if the addresses are userland ones (i.e. the caller needs
to check access_ok() itself) and it is *NOT* guaranteed to zero what it
hadn't copied over.  Currently it does zero tail on some, but not all
architectures; come next cycle and it will not do that zeroing on any
of those.
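A worked model of the fast-path/slow-path pattern Al points at (pagefault_disable(), __copy_from_user_inatomic() under the lock, then drop the lock and fall back to the sleeping copy), added here as an example; it is not code from Al, Rob, msm_gem_submit.c or the kernel. It runs in plain userspace, so every kernel helper is replaced by a model_* stand-in of the same shape: user memory is four 64-byte pages that are either resident or not, the spinlock is a flag, and a counter records any "sleep" taken while the lock is held. The struct layout, page size, user addresses and BO values are all constructed for the example.

```c
/*
 * Userspace model (written for this example; not msm or kernel code) of the
 * pattern Al describes: try the non-faulting copy under the spinlock and, when
 * it cannot finish, drop the lock, take the sleeping copy, re-take the lock.
 * User memory is a few pages that are "resident" or not; model_* imitates kernel helpers.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define MODEL_PAGE_SIZE  64u
#define MODEL_NR_PAGES   4u
#define MODEL_USER_BYTES (MODEL_PAGE_SIZE * MODEL_NR_PAGES)

static uint8_t  model_user_mem[MODEL_USER_BYTES];  /* "user addresses" index this */
static bool     model_page_resident[MODEL_NR_PAGES];
static bool     model_lock_held, model_faults_disabled;
static unsigned model_lock_drops;                  /* how often the slow path ran */
static unsigned model_sleeps_under_lock;           /* the bug; must stay 0 */

static void model_spin_lock(void)         { model_lock_held = true; }
static void model_spin_unlock(void)       { model_lock_held = false; }
static void model_pagefault_disable(void) { model_faults_disabled = true; }
static void model_pagefault_enable(void)  { model_faults_disabled = false; }

/* access_ok(): the whole range must lie inside user space. */
static bool model_access_ok(uintptr_t uaddr, size_t len)
{
    return len <= MODEL_USER_BYTES && uaddr <= MODEL_USER_BYTES - len;
}

/*
 * __copy_from_user_inatomic() stand-in.  With faults disabled it stops at the
 * first non-resident page and returns the bytes NOT copied, leaving the tail of
 * dst untouched (not zeroed) and doing no access_ok() of its own.  With faults
 * enabled it "sleeps" to bring the page in, which is never allowed under the lock.
 */
static size_t model_copy_from_user_inatomic(void *dst, uintptr_t uaddr, size_t len)
{
    for (size_t done = 0; done < len; ) {
        uintptr_t cur = uaddr + done;
        size_t page = cur / MODEL_PAGE_SIZE;
        size_t in_page = MODEL_PAGE_SIZE - cur % MODEL_PAGE_SIZE;
        size_t chunk = in_page < len - done ? in_page : len - done;
        if (!model_page_resident[page]) {
            if (model_faults_disabled) return len - done;
            if (model_lock_held) model_sleeps_under_lock++;
            model_page_resident[page] = true;
        }
        memcpy((uint8_t *)dst + done, &model_user_mem[cur], chunk);
        done += chunk;
    }
    return 0;
}

/* copy_from_user() stand-in: checks the range, may sleep, zeroes dst on failure. */
static size_t model_copy_from_user(void *dst, uintptr_t uaddr, size_t len)
{
    if (!model_access_ok(uaddr, len)) { memset(dst, 0, len); return len; }
    return model_copy_from_user_inatomic(dst, uaddr, len);   /* faults enabled */
}

struct model_submit_bo { uint32_t flags, handle; uint64_t presumed; };

/* Called and returns with the lock held; 0 or -EFAULT.  Whatever the caller read
 * under the lock before the slow path ran must be re-validated afterwards. */
static int model_read_submit_bo(struct model_submit_bo *bo, uintptr_t uaddr)
{
    if (!model_access_ok(uaddr, sizeof *bo)) return -EFAULT;   /* inatomic won't */
    model_pagefault_disable();
    size_t left = model_copy_from_user_inatomic(bo, uaddr, sizeof *bo);
    model_pagefault_enable();
    if (left == 0)
        return 0;
    /* A partial *bo is unusable: its uncopied tail is whatever was there before. */
    model_spin_unlock();
    model_lock_drops++;
    left = model_copy_from_user(bo, uaddr, sizeof *bo);
    model_spin_lock();
    return left ? -EFAULT : 0;
}

/* Constructed scenario: one record straddling a resident and a non-resident page. */
static int model_scenario_straddle(struct model_submit_bo *out)
{
    struct model_submit_bo in = { .flags = 3, .handle = 7, .presumed = 0x1000 };
    memset(model_page_resident, 0, sizeof model_page_resident);
    model_lock_drops = model_sleeps_under_lock = 0;
    memcpy(&model_user_mem[56], &in, sizeof in);   /* bytes 56..71: pages 0 and 1 */
    model_page_resident[0] = true;                 /* page 1 has to be faulted in */
    model_spin_lock();
    int ret = model_read_submit_bo(out, 56);
    model_spin_unlock();
    return ret;
}

int main(void)
{
    struct model_submit_bo out;
    return !(model_scenario_straddle(&out) == 0 && model_sleeps_under_lock == 0);
}
```

model_scenario_straddle() places one 16-byte record across a resident page and a non-resident one, so the inatomic copy returns 8 bytes not copied, the slow path runs exactly once, and nothing sleeps while the lock is held. Calling model_copy_from_user_inatomic() directly on a range that runs into an unmapped page shows the destination tail left exactly as it was, which is why the slow path re-copies the whole record rather than only the remainder, and why the range check has to be done by the caller before the inatomic call.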