| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 12 Sep 2013 21:48:22 +0200 From: Daniel Vetter <daniel.vetter@...ll.ch> To: Thomas Hellstrom <thellstrom@...are.com> Cc: Maarten Lankhorst <maarten.lankhorst@...onical.com>, Peter Zijlstra <peterz@...radead.org>, Dave Airlie <airlied@...ux.ie>, intel-gfx <intel-gfx@...ts.freedesktop.org>, dri-devel <dri-devel@...ts.freedesktop.org>, Linux Kernel Mailing List <linux-kernel@...r.kernel.org>, Ingo Molnar <mingo@...nel.org>, Thomas Gleixner <tglx@...utronix.de> Subject: Re: [BUG] completely bonkers use of set_need_resched + VM_FAULT_NOPAGE On Thu, Sep 12, 2013 at 6:44 PM, Thomas Hellstrom <thellstrom@...are.com> wrote: > > I think a possible fix would be if fault() were allowed to return an error > and drop the mmap_sem() before returning. > > Otherwise we need to track down all copy_to_user / copy_from_user which > happen with bo::reserve held. For maximal evilness submit the relocation list (or whatever data execbuf slurps in with copy_from_user while holding bo::reserve) of a bo in the execbuf list. At least that's the testcase we have for drm/i915. Then make sure that the execbuf wants the bo somewhere it can't be mmaped from userspace, so needs to be moved both in the fault handler and then back for the execbuf to continue ;-) -Daniel -- Daniel Vetter Software Engineer, Intel Corporation +41 (0) 79 365 57 48 - http://blog.ffwll.ch -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists