* Re: [PATCH 2/2] mm/frame-vec: use FOLL_LONGTERM
@ 2020-10-05 17:38 Jason Gunthorpe
2020-10-05 17:47 ` Jason Gunthorpe
2020-10-05 17:53 ` Jan Kara
0 siblings, 2 replies; 8+ messages in thread
From: Jason Gunthorpe @ 2020-10-05 17:38 UTC (permalink / raw)
To: andrew Morton, Daniel Vetter, linux-mm
Cc: Hans Verkuil, Jan Kara, Mauro Carvalho Chehab, Mel Gorman, stable,
Vlastimil Babka, John Hubbard, DRI Development, LKML,
Dan Williams, Linux ARM, linux-samsung-soc, linux-media
When get_vaddr_frames() does its hacky follow_pfn() loop it should never
be allowed to extract a struct page from a normal VMA. This could allow a
serious use-after-free problem on any kernel memory.
Restrict this to only work on VMA's with one of VM_IO | VM_PFNMAP
set. This limits the use-after-free problem to only IO memory, which while
still serious, is an improvement.
Cc: stable@vger.kernel.org
Fixes: 8025e5ddf9c1 ("[media] mm: Provide new get_vaddr_frames() helper")
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
---
mm/frame_vector.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/mm/frame_vector.c b/mm/frame_vector.c
index 10f82d5643b6de..26cb20544b6c37 100644
--- a/mm/frame_vector.c
+++ b/mm/frame_vector.c
@@ -99,6 +99,10 @@ int get_vaddr_frames(unsigned long start, unsigned int nr_frames,
if (ret >= nr_frames || start < vma->vm_end)
break;
vma = find_vma_intersection(mm, start, start + 1);
+ if (!(vma->vm_flags & (VM_IO | VM_PFNMAP))) {
+ ret = -EINVAL;
+ goto out;
+ }
} while (vma && vma->vm_flags & (VM_IO | VM_PFNMAP));
out:
if (locked)
--
2.28.0
^ permalink raw reply related [flat|nested] 8+ messages in thread* Re: [PATCH 2/2] mm/frame-vec: use FOLL_LONGTERM 2020-10-05 17:38 [PATCH 2/2] mm/frame-vec: use FOLL_LONGTERM Jason Gunthorpe @ 2020-10-05 17:47 ` Jason Gunthorpe 2020-10-06 3:36 ` Andrew Morton 2020-10-05 17:53 ` Jan Kara 1 sibling, 1 reply; 8+ messages in thread From: Jason Gunthorpe @ 2020-10-05 17:47 UTC (permalink / raw) To: andrew Morton, Daniel Vetter, linux-mm Cc: Hans Verkuil, Jan Kara, Mauro Carvalho Chehab, Mel Gorman, stable, Vlastimil Babka, John Hubbard, DRI Development, LKML, Dan Williams, Linux ARM, linux-samsung-soc, linux-media On Mon, Oct 05, 2020 at 02:38:54PM -0300, Jason Gunthorpe wrote: > When get_vaddr_frames() does its hacky follow_pfn() loop it should never > be allowed to extract a struct page from a normal VMA. This could allow a > serious use-after-free problem on any kernel memory. > > Restrict this to only work on VMA's with one of VM_IO | VM_PFNMAP > set. This limits the use-after-free problem to only IO memory, which while > still serious, is an improvement. > > Cc: stable@vger.kernel.org > Fixes: 8025e5ddf9c1 ("[media] mm: Provide new get_vaddr_frames() helper") > Signed-off-by: Jason Gunthorpe <jgg@nvidia.com> > --- > mm/frame_vector.c | 4 ++++ > 1 file changed, 4 insertions(+) woops, this subject got badly corrupted when I was editing the CC list, it was supposed to be: [PATCH] mm/gpu: frame_vector: require all VMAs to be VM_PFNMAP Andrew please let me know if you need a resend Sorry, Jason ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH 2/2] mm/frame-vec: use FOLL_LONGTERM 2020-10-05 17:47 ` Jason Gunthorpe @ 2020-10-06 3:36 ` Andrew Morton 2020-10-06 11:57 ` Jason Gunthorpe 0 siblings, 1 reply; 8+ messages in thread From: Andrew Morton @ 2020-10-06 3:36 UTC (permalink / raw) To: Jason Gunthorpe Cc: Daniel Vetter, linux-mm, Hans Verkuil, Jan Kara, Mauro Carvalho Chehab, Mel Gorman, stable, Vlastimil Babka, John Hubbard, DRI Development, LKML, Dan Williams, Linux ARM, linux-samsung-soc, linux-media On Mon, 5 Oct 2020 14:47:47 -0300 Jason Gunthorpe <jgg@nvidia.com> wrote: > Andrew please let me know if you need a resend Andrew is rather confused. Can we please identify the minimal patch(es) which are needed for 5.9 and -stable? ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH 2/2] mm/frame-vec: use FOLL_LONGTERM 2020-10-06 3:36 ` Andrew Morton @ 2020-10-06 11:57 ` Jason Gunthorpe 0 siblings, 0 replies; 8+ messages in thread From: Jason Gunthorpe @ 2020-10-06 11:57 UTC (permalink / raw) To: Andrew Morton Cc: Daniel Vetter, linux-mm, Hans Verkuil, Jan Kara, Mauro Carvalho Chehab, Mel Gorman, stable, Vlastimil Babka, John Hubbard, DRI Development, LKML, Dan Williams, Linux ARM, linux-samsung-soc, linux-media On Mon, Oct 05, 2020 at 08:36:00PM -0700, Andrew Morton wrote: > On Mon, 5 Oct 2020 14:47:47 -0300 Jason Gunthorpe <jgg@nvidia.com> wrote: > > > Andrew please let me know if you need a resend > > Andrew is rather confused. > > Can we please identify the minimal patch(es) which are needed for 5.9 > and -stable? Please ignore this one, it was sent in haste Sorry, Jason ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH 2/2] mm/frame-vec: use FOLL_LONGTERM 2020-10-05 17:38 [PATCH 2/2] mm/frame-vec: use FOLL_LONGTERM Jason Gunthorpe 2020-10-05 17:47 ` Jason Gunthorpe @ 2020-10-05 17:53 ` Jan Kara 2020-10-05 17:57 ` Jason Gunthorpe 1 sibling, 1 reply; 8+ messages in thread From: Jan Kara @ 2020-10-05 17:53 UTC (permalink / raw) To: Jason Gunthorpe Cc: andrew Morton, Daniel Vetter, linux-mm, Hans Verkuil, Jan Kara, Mauro Carvalho Chehab, Mel Gorman, stable, Vlastimil Babka, John Hubbard, DRI Development, LKML, Dan Williams, Linux ARM, linux-samsung-soc, linux-media On Mon 05-10-20 14:38:54, Jason Gunthorpe wrote: > When get_vaddr_frames() does its hacky follow_pfn() loop it should never > be allowed to extract a struct page from a normal VMA. This could allow a > serious use-after-free problem on any kernel memory. > > Restrict this to only work on VMA's with one of VM_IO | VM_PFNMAP > set. This limits the use-after-free problem to only IO memory, which while > still serious, is an improvement. > > Cc: stable@vger.kernel.org > Fixes: 8025e5ddf9c1 ("[media] mm: Provide new get_vaddr_frames() helper") > Signed-off-by: Jason Gunthorpe <jgg@nvidia.com> > --- > mm/frame_vector.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/mm/frame_vector.c b/mm/frame_vector.c > index 10f82d5643b6de..26cb20544b6c37 100644 > --- a/mm/frame_vector.c > +++ b/mm/frame_vector.c > @@ -99,6 +99,10 @@ int get_vaddr_frames(unsigned long start, unsigned int nr_frames, > if (ret >= nr_frames || start < vma->vm_end) > break; > vma = find_vma_intersection(mm, start, start + 1); > + if (!(vma->vm_flags & (VM_IO | VM_PFNMAP))) { > + ret = -EINVAL; > + goto out; > + } > } while (vma && vma->vm_flags & (VM_IO | VM_PFNMAP)); Hum, I fail to see how this helps. If vma has no VM_IO or VM_PFNMAP flag, we'd exit the loop (to out: label) anyway due to the loop termination condition and why not return the frames we already have? Furthermore find_vma_intersection() can return NULL which would oops in your check then. What am I missing? Honza > out: > if (locked) > -- > 2.28.0 > -- Jan Kara <jack@suse.com> SUSE Labs, CR ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH 2/2] mm/frame-vec: use FOLL_LONGTERM 2020-10-05 17:53 ` Jan Kara @ 2020-10-05 17:57 ` Jason Gunthorpe 2020-10-05 18:16 ` Daniel Vetter 2020-10-06 11:56 ` Daniel Vetter 0 siblings, 2 replies; 8+ messages in thread From: Jason Gunthorpe @ 2020-10-05 17:57 UTC (permalink / raw) To: Jan Kara Cc: andrew Morton, Daniel Vetter, linux-mm, Hans Verkuil, Mauro Carvalho Chehab, Mel Gorman, stable, Vlastimil Babka, John Hubbard, DRI Development, LKML, Dan Williams, Linux ARM, linux-samsung-soc, linux-media On Mon, Oct 05, 2020 at 07:53:08PM +0200, Jan Kara wrote: > On Mon 05-10-20 14:38:54, Jason Gunthorpe wrote: > > When get_vaddr_frames() does its hacky follow_pfn() loop it should never > > be allowed to extract a struct page from a normal VMA. This could allow a > > serious use-after-free problem on any kernel memory. > > > > Restrict this to only work on VMA's with one of VM_IO | VM_PFNMAP > > set. This limits the use-after-free problem to only IO memory, which while > > still serious, is an improvement. > > > > Cc: stable@vger.kernel.org > > Fixes: 8025e5ddf9c1 ("[media] mm: Provide new get_vaddr_frames() helper") > > Signed-off-by: Jason Gunthorpe <jgg@nvidia.com> > > mm/frame_vector.c | 4 ++++ > > 1 file changed, 4 insertions(+) > > > > diff --git a/mm/frame_vector.c b/mm/frame_vector.c > > index 10f82d5643b6de..26cb20544b6c37 100644 > > +++ b/mm/frame_vector.c > > @@ -99,6 +99,10 @@ int get_vaddr_frames(unsigned long start, unsigned int nr_frames, > > if (ret >= nr_frames || start < vma->vm_end) > > break; > > vma = find_vma_intersection(mm, start, start + 1); > > + if (!(vma->vm_flags & (VM_IO | VM_PFNMAP))) { > > + ret = -EINVAL; > > + goto out; > > + } > > } while (vma && vma->vm_flags & (VM_IO | VM_PFNMAP)); > > Hum, I fail to see how this helps. If vma has no VM_IO or VM_PFNMAP flag, > we'd exit the loop (to out: label) anyway due to the loop termination > condition and why not return the frames we already have? Furthermore > find_vma_intersection() can return NULL which would oops in your check > then. What am I missing? Oh, nothing, you are right. It just didn't read naturally because hitting the wrong kind of VMA should be an error condition :\ Sorry again, Jason ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH 2/2] mm/frame-vec: use FOLL_LONGTERM 2020-10-05 17:57 ` Jason Gunthorpe @ 2020-10-05 18:16 ` Daniel Vetter 2020-10-06 11:56 ` Daniel Vetter 1 sibling, 0 replies; 8+ messages in thread From: Daniel Vetter @ 2020-10-05 18:16 UTC (permalink / raw) To: Jason Gunthorpe Cc: Jan Kara, andrew Morton, Linux MM, Hans Verkuil, Mauro Carvalho Chehab, Mel Gorman, stable, Vlastimil Babka, John Hubbard, DRI Development, LKML, Dan Williams, Linux ARM, linux-samsung-soc, open list:DMA BUFFER SHARING FRAMEWORK On Mon, Oct 5, 2020 at 7:58 PM Jason Gunthorpe <jgg@nvidia.com> wrote: > > On Mon, Oct 05, 2020 at 07:53:08PM +0200, Jan Kara wrote: > > On Mon 05-10-20 14:38:54, Jason Gunthorpe wrote: > > > When get_vaddr_frames() does its hacky follow_pfn() loop it should never > > > be allowed to extract a struct page from a normal VMA. This could allow a > > > serious use-after-free problem on any kernel memory. > > > > > > Restrict this to only work on VMA's with one of VM_IO | VM_PFNMAP > > > set. This limits the use-after-free problem to only IO memory, which while > > > still serious, is an improvement. > > > > > > Cc: stable@vger.kernel.org > > > Fixes: 8025e5ddf9c1 ("[media] mm: Provide new get_vaddr_frames() helper") > > > Signed-off-by: Jason Gunthorpe <jgg@nvidia.com> > > > mm/frame_vector.c | 4 ++++ > > > 1 file changed, 4 insertions(+) > > > > > > diff --git a/mm/frame_vector.c b/mm/frame_vector.c > > > index 10f82d5643b6de..26cb20544b6c37 100644 > > > +++ b/mm/frame_vector.c > > > @@ -99,6 +99,10 @@ int get_vaddr_frames(unsigned long start, unsigned int nr_frames, > > > if (ret >= nr_frames || start < vma->vm_end) > > > break; > > > vma = find_vma_intersection(mm, start, start + 1); > > > + if (!(vma->vm_flags & (VM_IO | VM_PFNMAP))) { > > > + ret = -EINVAL; > > > + goto out; > > > + } > > > } while (vma && vma->vm_flags & (VM_IO | VM_PFNMAP)); > > > > Hum, I fail to see how this helps. If vma has no VM_IO or VM_PFNMAP flag, > > we'd exit the loop (to out: label) anyway due to the loop termination > > condition and why not return the frames we already have? Furthermore > > find_vma_intersection() can return NULL which would oops in your check > > then. What am I missing? > > Oh, nothing, you are right. It just didn't read naturally because > hitting the wrong kind of VMA should be an error condition :\ Afaik these mmio maps should all be VM_DONTEXPAND (or at least the ones in drivers/gpu are all), so not sure why we need the loop here. But maybe there's some drivers that don't set that, or have other funny things going on with userspace piecing the mmap together, and I'm not going to audit them all :-) -Daniel -- Daniel Vetter Software Engineer, Intel Corporation http://blog.ffwll.ch ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH 2/2] mm/frame-vec: use FOLL_LONGTERM 2020-10-05 17:57 ` Jason Gunthorpe 2020-10-05 18:16 ` Daniel Vetter @ 2020-10-06 11:56 ` Daniel Vetter 1 sibling, 0 replies; 8+ messages in thread From: Daniel Vetter @ 2020-10-06 11:56 UTC (permalink / raw) To: Jason Gunthorpe Cc: Jan Kara, andrew Morton, Linux MM, Hans Verkuil, Mauro Carvalho Chehab, Mel Gorman, stable, Vlastimil Babka, John Hubbard, DRI Development, LKML, Dan Williams, Linux ARM, linux-samsung-soc, open list:DMA BUFFER SHARING FRAMEWORK On Mon, Oct 5, 2020 at 7:58 PM Jason Gunthorpe <jgg@nvidia.com> wrote: > > On Mon, Oct 05, 2020 at 07:53:08PM +0200, Jan Kara wrote: > > On Mon 05-10-20 14:38:54, Jason Gunthorpe wrote: > > > When get_vaddr_frames() does its hacky follow_pfn() loop it should never > > > be allowed to extract a struct page from a normal VMA. This could allow a > > > serious use-after-free problem on any kernel memory. > > > > > > Restrict this to only work on VMA's with one of VM_IO | VM_PFNMAP > > > set. This limits the use-after-free problem to only IO memory, which while > > > still serious, is an improvement. > > > > > > Cc: stable@vger.kernel.org > > > Fixes: 8025e5ddf9c1 ("[media] mm: Provide new get_vaddr_frames() helper") > > > Signed-off-by: Jason Gunthorpe <jgg@nvidia.com> > > > mm/frame_vector.c | 4 ++++ > > > 1 file changed, 4 insertions(+) > > > > > > diff --git a/mm/frame_vector.c b/mm/frame_vector.c > > > index 10f82d5643b6de..26cb20544b6c37 100644 > > > +++ b/mm/frame_vector.c > > > @@ -99,6 +99,10 @@ int get_vaddr_frames(unsigned long start, unsigned int nr_frames, > > > if (ret >= nr_frames || start < vma->vm_end) > > > break; > > > vma = find_vma_intersection(mm, start, start + 1); > > > + if (!(vma->vm_flags & (VM_IO | VM_PFNMAP))) { > > > + ret = -EINVAL; > > > + goto out; > > > + } > > > } while (vma && vma->vm_flags & (VM_IO | VM_PFNMAP)); > > > > Hum, I fail to see how this helps. If vma has no VM_IO or VM_PFNMAP flag, > > we'd exit the loop (to out: label) anyway due to the loop termination > > condition and why not return the frames we already have? Furthermore > > find_vma_intersection() can return NULL which would oops in your check > > then. What am I missing? > > Oh, nothing, you are right. It just didn't read naturally because > hitting the wrong kind of VMA should be an error condition :\ Also follow_pfn checks for this same conditionat already too, so this isn't really stopping anything bad from happening. -Daniel -- Daniel Vetter Software Engineer, Intel Corporation http://blog.ffwll.ch ^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2020-10-06 11:57 UTC | newest] Thread overview: 8+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2020-10-05 17:38 [PATCH 2/2] mm/frame-vec: use FOLL_LONGTERM Jason Gunthorpe 2020-10-05 17:47 ` Jason Gunthorpe 2020-10-06 3:36 ` Andrew Morton 2020-10-06 11:57 ` Jason Gunthorpe 2020-10-05 17:53 ` Jan Kara 2020-10-05 17:57 ` Jason Gunthorpe 2020-10-05 18:16 ` Daniel Vetter 2020-10-06 11:56 ` Daniel Vetter
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox