Handling of user address in vb2_dc_get_userptr()

Handling of user address in vb2_dc_get_userptr()

[Jan Kara]

  Hello,

  I'm auditing get_user_pages() users and when looking into
vb2_dc_get_userptr() I was wondering about the following: The address this
function works with is an arbitrary user-provided address. However the
function vb2_dc_get_user_pages() uses pfn_to_page() on the pfn obtained
from VM_IO | VM_PFNMAP vma. That isn't really safe for arbitrary vma of
this type (such vmas don't have to have struct page associated at all). I
expect this works because userspace always passes a pointer to either a
regular vma or VM_FIXMAP vma where struct page is associated with pfn. Am
I right? Or for on which vmas this code is supposed to work? Thanks in
advance for clarification.

								Honza

-- 
Jan Kara <jack@suse.cz>
SUSE Labs, CR

Re: Handling of user address in vb2_dc_get_userptr()

[Marek Szyprowski]

Hello,

On 2013-10-17 23:23, Jan Kara wrote:
>    I'm auditing get_user_pages() users and when looking into
> vb2_dc_get_userptr() I was wondering about the following: The address this
> function works with is an arbitrary user-provided address. However the
> function vb2_dc_get_user_pages() uses pfn_to_page() on the pfn obtained
> from VM_IO | VM_PFNMAP vma. That isn't really safe for arbitrary vma of
> this type (such vmas don't have to have struct page associated at all). I
> expect this works because userspace always passes a pointer to either a
> regular vma or VM_FIXMAP vma where struct page is associated with pfn. Am
> I right? Or for on which vmas this code is supposed to work? Thanks in
> advance for clarification.

This is known issue. It has been at least partially addresses by the 
following patch:
https://patchwork.linuxtv.org/patch/18978/

I hope that one day it can be addressed fully by changing the 
dma-mapping API in a way it will let drivers to map particular pfn into 
dma address space.

Best regards
-- 
Marek Szyprowski
Samsung R&D Institute Poland