lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20160818083127.GX6232@phenom.ffwll.local>
Date:	Thu, 18 Aug 2016 10:31:27 +0200
From:	Daniel Vetter <daniel@...ll.ch>
To:	Al Viro <viro@...IV.linux.org.uk>
Cc:	Rob Clark <robdclark@...il.com>,
	linux-arm-msm <linux-arm-msm@...r.kernel.org>,
	Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
	"dri-devel@...ts.freedesktop.org" <dri-devel@...ts.freedesktop.org>,
	Julia Lawall <julia.lawall@...6.fr>,
	Vaishali Thakkar <vaishali.thakkar@...cle.com>,
	freedreno@...ts.freedesktop.org
Subject: Re: Use of copy_from_user in msm_gem_submit.c while holding a
 spin_lock

On Wed, Aug 17, 2016 at 08:31:20PM +0100, Al Viro wrote:
> On Wed, Aug 17, 2016 at 03:24:38PM -0400, Rob Clark wrote:
> 
> > hmm, looks like, at least on arm (not sure about arm64),
> > 
> > #define __copy_from_user_inatomic __copy_from_user
> > 
> > ie. copy_from_user() minus the access_ok() and memset in the
> > !access_ok() path.. but maybe what I want is just the
> > pagefault_disable() if that disables copy_from_user() being able to
> > block..
> 
> On a bunch of platforms copy_from_user() starts with might_sleep(); again,
> that'll spread to all of the pretty soon.
> 
> Right now those primitives are very badly out of sync; this will change,
> but let's not add more PITA sources.

That sounds great, as part of discussing this on irc with Rob I too
noticed that the the *copy*user* funcs are all rather out of sync. On
i915.ko we go full evil mode and pass (faulting) i915 buffer objects in as
targets for all these copy*user operations. And for added evilness we have
debugfs interfaces to force-unmap/evict these bo, which is used to make
sure that the fault handling in slow-paths (after dropping locks and
reacquiring them) also works - some of i915 code has slow-slow path
fallbacks ;-)

Oh and we have a debugfs knob to disable the prefaulting we do, since
without those the race is way too small.
-Daniel
-- 
Daniel Vetter
Software Engineer, Intel Corporation
http://blog.ffwll.ch

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ