| Message ID | 20201119144146.1045202-1-daniel.vetter@ffwll.ch |
|---|---|
| Headers | show |
| Series | follow_pfn and other iomap races | expand |
On 19/11/20 15:41, Daniel Vetter wrote: > Both Christoph Hellwig and Jason Gunthorpe suggested that usage of > follow_pfn by modules should be locked down more. To do so callers > need to be able to pass the mmu_notifier subscription corresponding > to the mm_struct to follow_pfn(). > > This patch does the rote work of doing that in the kvm subsystem. In > most places this is solved by passing struct kvm * down the call > stacks as an additional parameter, since that contains the > mmu_notifier. > > Compile tested on all affected arch. It's a bit of a pity, it's making an API more complex (the point of gfn_to_pfn_memslot vs gfn_to_pfn is exactly that you don't need a "struct kvm*" and it's clear that you've already done the lookup into that struct kvm. But it's not a big deal, and the rationale at least makes sense. So, Acked-by: Paolo Bonzini <pbonzini@redhat.com> Paolo
On Fri, Nov 20, 2020 at 4:33 PM Paolo Bonzini <pbonzini@redhat.com> wrote: > > On 19/11/20 15:41, Daniel Vetter wrote: > > Both Christoph Hellwig and Jason Gunthorpe suggested that usage of > > follow_pfn by modules should be locked down more. To do so callers > > need to be able to pass the mmu_notifier subscription corresponding > > to the mm_struct to follow_pfn(). > > > > This patch does the rote work of doing that in the kvm subsystem. In > > most places this is solved by passing struct kvm * down the call > > stacks as an additional parameter, since that contains the > > mmu_notifier. > > > > Compile tested on all affected arch. > > It's a bit of a pity, it's making an API more complex (the point of > gfn_to_pfn_memslot vs gfn_to_pfn is exactly that you don't need a > "struct kvm*" and it's clear that you've already done the lookup into > that struct kvm. Yeah I noticed that, I think pushing the lookups down should work, but that's a fairly large-scale change. I didn't want to do that for the RFC since it would distract from the actual change/goal. -Daniel > But it's not a big deal, and the rationale at least makes sense. So, > > Acked-by: Paolo Bonzini <pbonzini@redhat.com> > > Paolo
On 20/11/20 16:44, Daniel Vetter wrote: >> It's a bit of a pity, it's making an API more complex (the point of >> gfn_to_pfn_memslot vs gfn_to_pfn is exactly that you don't need a >> "struct kvm*" and it's clear that you've already done the lookup into >> that struct kvm. > > Yeah I noticed that, I think pushing the lookups down should work, but > that's a fairly large-scale change. I didn't want to do that for the > RFC since it would distract from the actual change/goal. > -Daniel Pushing the lookups down would be worse code and possibly introduce TOC/TOU races, so better avoid that. Your patch is fine. :) Paolo
On Thu, Nov 19, 2020 at 03:41:29PM +0100, Daniel Vetter wrote: > I feel like this is ready for some wider soaking. Since the remaining bits > are all kinda connnected probably simplest if it all goes through -mm. Did you figure out a sumbission plan for this stuff? > Daniel Vetter (17): > drm/exynos: Stop using frame_vector helpers > drm/exynos: Use FOLL_LONGTERM for g2d cmdlists > misc/habana: Stop using frame_vector helpers > misc/habana: Use FOLL_LONGTERM for userptr > mm/frame-vector: Use FOLL_LONGTERM > media: videobuf2: Move frame_vector into media subsystem At the very least it would be good to get those in right away. > mm: Add unsafe_follow_pfn > media/videbuf1|2: Mark follow_pfn usage as unsafe > vfio/type1: Mark follow_pfn as unsafe I'm surprised nobody from VFIO has remarked on this, I think thety won't like it > mm: Close race in generic_access_phys > PCI: Obey iomem restrictions for procfs mmap > /dev/mem: Only set filp->f_mapping > resource: Move devmem revoke code to resource framework > sysfs: Support zapping of binary attr mmaps > PCI: Revoke mappings like devmem This sequence seems fairly stand alone, and in good shape as well My advice is to put the done things on a branch and get Stephen to put them in linux-next. You can send a PR to Lins. There is very little mm stuff in here, and cross subsystem stuff works better in git land, IMHO. Jason
Hi all Another update of my patch series to clamp down a bunch of races and gaps around follow_pfn and other access to iomem mmaps. Previous version: v1: https://lore.kernel.org/dri-devel/20201007164426.1812530-1-daniel.vetter@ffwll.ch/ v2: https://lore.kernel.org/dri-devel/20201009075934.3509076-1-daniel.vetter@ffwll.ch v3: https://lore.kernel.org/dri-devel/20201021085655.1192025-1-daniel.vetter@ffwll.ch/ v4: https://lore.kernel.org/dri-devel/20201026105818.2585306-1-daniel.vetter@ffwll.ch/ v5: https://lore.kernel.org/dri-devel/20201030100815.2269-1-daniel.vetter@ffwll.ch/ And the discussion that sparked this journey: https://lore.kernel.org/dri-devel/20201007164426.1812530-1-daniel.vetter@ffwll.ch/ Unfortunately took way longer to update than I hoped, I got sidetracked with a few things. Changes in v6: - Tested v4l userptr as Tomasz suggested. No boom observed - Added RFC for locking down follow_pfn, per discussion with Christoph and Jason. - Explain why pup_fast is safe in relevant patches, there was a bit a confusion when discussing v5. - Fix up the resource patch, with CONFIG_IO_STRICT_DEVMEM it crashed on boot due to an unintended change (reported by John) Changes in v5: - Tomasz found some issues in the media patches - Polish suggested by Christoph for the unsafe_follow_pfn patch Changes in v4: - Drop the s390 patch, that was very stand-alone and now queued up to land through s390 trees. - Comment polish per Dan's review. Changes in v3: - Bunch of polish all over, no functional changes aside from one barrier in the resource code, for consistency. - A few more r-b tags. Changes in v2: - tons of small polish&fixes all over, thanks to all the reviewers who spotted issues - I managed to test at least the generic_access_phys and pci mmap revoke stuff with a few gdb sessions using our i915 debug tools (hence now also the drm/i915 patch to properly request all the pci bar regions) - reworked approach for the pci mmap revoke: Infrastructure moved into kernel/resource.c, address_space mapping is now set up at open time for everyone (which required some sysfs changes). Does indeed look a lot cleaner and a lot less invasive than I feared at first. I feel like this is ready for some wider soaking. Since the remaining bits are all kinda connnected probably simplest if it all goes through -mm. Cheers, Daniel Daniel Vetter (17): drm/exynos: Stop using frame_vector helpers drm/exynos: Use FOLL_LONGTERM for g2d cmdlists misc/habana: Stop using frame_vector helpers misc/habana: Use FOLL_LONGTERM for userptr mm/frame-vector: Use FOLL_LONGTERM media: videobuf2: Move frame_vector into media subsystem mm: Close race in generic_access_phys mm: Add unsafe_follow_pfn media/videbuf1|2: Mark follow_pfn usage as unsafe vfio/type1: Mark follow_pfn as unsafe PCI: Obey iomem restrictions for procfs mmap /dev/mem: Only set filp->f_mapping resource: Move devmem revoke code to resource framework sysfs: Support zapping of binary attr mmaps PCI: Revoke mappings like devmem RFC: kvm: pass kvm argument to follow_pfn callsites RFC: mm: add mmu_notifier argument to follow_pfn arch/powerpc/kvm/book3s_64_mmu_hv.c | 2 +- arch/powerpc/kvm/book3s_64_mmu_radix.c | 2 +- arch/powerpc/kvm/e500_mmu_host.c | 2 +- arch/x86/kvm/mmu/mmu.c | 8 +- drivers/char/mem.c | 86 +------------ drivers/gpu/drm/exynos/Kconfig | 1 - drivers/gpu/drm/exynos/exynos_drm_g2d.c | 48 ++++---- drivers/media/common/videobuf2/Kconfig | 1 - drivers/media/common/videobuf2/Makefile | 1 + .../media/common/videobuf2}/frame_vector.c | 57 +++------ .../media/common/videobuf2/videobuf2-memops.c | 3 +- drivers/media/platform/omap/Kconfig | 1 - drivers/media/v4l2-core/videobuf-dma-contig.c | 2 +- drivers/misc/habanalabs/Kconfig | 1 - drivers/misc/habanalabs/common/habanalabs.h | 6 +- drivers/misc/habanalabs/common/memory.c | 50 +++----- drivers/pci/pci-sysfs.c | 4 + drivers/pci/proc.c | 6 + drivers/vfio/vfio_iommu_type1.c | 4 +- fs/sysfs/file.c | 11 ++ include/linux/ioport.h | 6 +- include/linux/kvm_host.h | 9 +- include/linux/mm.h | 50 +------- include/linux/sysfs.h | 2 + include/media/frame_vector.h | 47 +++++++ include/media/videobuf2-core.h | 1 + kernel/resource.c | 98 ++++++++++++++- mm/Kconfig | 3 - mm/Makefile | 1 - mm/memory.c | 115 +++++++++++++++--- mm/nommu.c | 48 +++++++- security/Kconfig | 13 ++ virt/kvm/kvm_main.c | 56 +++++---- 33 files changed, 447 insertions(+), 298 deletions(-) rename {mm => drivers/media/common/videobuf2}/frame_vector.c (84%) create mode 100644 include/media/frame_vector.h