From: Jason Gunthorpe <jgg@nvidia.com>
To: Bernard Metzler <BMT@zurich.ibm.com>
Cc: "linux-rdma@vger.kernel.org" <linux-rdma@vger.kernel.org>,
"leonro@nvidia.com" <leonro@nvidia.com>,
"David.Laight@aculab.com" <David.Laight@aculab.com>
Subject: Re: Re: [PATCH] RDMA/siw: Fix missing permission check in user buffer registration
Date: Tue, 3 Jan 2023 09:07:49 -0400 [thread overview]
Message-ID: <Y7QopYj1p4eeLo5N@nvidia.com> (raw)
In-Reply-To: <SA0PR15MB3919266C672961F49B28C7A499EA9@SA0PR15MB3919.namprd15.prod.outlook.com>
On Tue, Dec 20, 2022 at 01:52:43PM +0000, Bernard Metzler wrote:
>
>
> > -----Original Message-----
> > From: Jason Gunthorpe <jgg@nvidia.com>
> > Sent: Friday, 16 December 2022 21:13
> > To: Bernard Metzler <BMT@zurich.ibm.com>
> > Cc: linux-rdma@vger.kernel.org; leonro@nvidia.com;
> > David.Laight@aculab.com
> > Subject: [EXTERNAL] Re: [PATCH] RDMA/siw: Fix missing permission check
> > in user buffer registration
> >
> > On Fri, Dec 16, 2022 at 08:11:32PM +0000, Bernard Metzler wrote:
> > >
> > >
> > > > -----Original Message-----
> > > > From: Jason Gunthorpe <jgg@nvidia.com>
> > > > Sent: Friday, 16 December 2022 19:35
> > > > To: Bernard Metzler <BMT@zurich.ibm.com>
> > > > Cc: linux-rdma@vger.kernel.org; leonro@nvidia.com;
> > David.Laight@aculab.com
> > > > Subject: [EXTERNAL] Re: [PATCH] RDMA/siw: Fix missing permission
> > check in
> > > > user buffer registration
> > > >
> > > > On Fri, Dec 16, 2022 at 07:32:09PM +0100, Bernard Metzler wrote:
> > > > > User communication buffer registration lacks check of access
> > > > > rights for provided address range. Using pin_user_pages_fast()
> > > > > instead of pin_user_pages() during user page pinning implicitely
> > > > > introduces the necessary check. It furthermore tries to avoid
> > > > > grabbing the mmap_read_lock.
> > > >
> > > > Huh? What access check?
> > > >
> > >
> > > if (unlikely(!access_ok((void __user *)start, len)))
> > > return -EFAULT;
> > >
> > > siw needs to call access_ok() during user buffer registration.
> >
> > No, it doesn't
> >
> > Either pin_user_pages or pin_user_pages_fast() are equivalent.
> >
> > You do have a bad bug here if this isn't holding the mmap lock though
> >
>
> No, that lock is held. I was triggered by David's arguing about
> protection. I went down the path of pin_user_pages() and did
> not find a singe point where access rights to the buffer being
> registered are enforced. pin_user_pages_fast() do have it though.
> So I proposed a change in siw to use that function.
It checks it when it reads the PTEs
Jason
next prev parent reply other threads:[~2023-01-03 13:09 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-12-16 18:32 [PATCH] RDMA/siw: Fix missing permission check in user buffer registration Bernard Metzler
2022-12-16 18:34 ` Jason Gunthorpe
2022-12-16 20:11 ` Bernard Metzler
2022-12-16 20:12 ` Jason Gunthorpe
2022-12-20 13:52 ` Bernard Metzler
2023-01-03 13:07 ` Jason Gunthorpe [this message]
2023-01-03 14:11 ` Bernard Metzler
2023-01-03 14:15 ` Jason Gunthorpe
2023-01-03 16:19 ` Bernard Metzler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Y7QopYj1p4eeLo5N@nvidia.com \
--to=jgg@nvidia.com \
--cc=BMT@zurich.ibm.com \
--cc=David.Laight@aculab.com \
--cc=leonro@nvidia.com \
--cc=linux-rdma@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).