lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20190923142814.GB2369@hirez.programming.kicks-ass.net>
Date:   Mon, 23 Sep 2019 16:28:14 +0200
From:   Peter Zijlstra <peterz@...radead.org>
To:     Josh Poimboeuf <jpoimboe@...hat.com>
Cc:     Randy Dunlap <rdunlap@...radead.org>,
        Mark Brown <broonie@...nel.org>,
        Linux Next Mailing List <linux-next@...r.kernel.org>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        chris@...is-wilson.co.uk
Subject: Re: linux-next: Tree for Sep 18 (objtool)

On Mon, Sep 23, 2019 at 09:16:57AM -0500, Josh Poimboeuf wrote:
> On Mon, Sep 23, 2019 at 03:33:52PM +0200, Peter Zijlstra wrote:
> > On Mon, Sep 23, 2019 at 07:49:01AM -0500, Josh Poimboeuf wrote:
> > > On Mon, Sep 23, 2019 at 11:20:24AM +0200, Peter Zijlstra wrote:
> > > > On Wed, Sep 18, 2019 at 09:04:21PM -0700, Randy Dunlap wrote:
> > > > > On 9/18/19 3:10 PM, Mark Brown wrote:
> > > > > > Hi all,
> > > > > > 
> > > > > > Changes since 20190917:
> > > > > > 
> > > > > 
> > > > > on x86_64:
> > > > > 
> > > > > drivers/gpu/drm/i915/gem/i915_gem_execbuffer.o: warning: objtool: i915_gem_execbuffer2_ioctl()+0x2fb: call to gen8_canonical_addr() with UACCESS enabled
> > > > 
> > > > I'm thinking that comes from:
> > > > 
> > > > 				offset = gen8_canonical_addr(offset & ~UPDATE);
> > > > 				if (unlikely(__put_user(offset, &urelocs[r-stack].presumed_offset))) {
> > > > 
> > > > however, per commit 6ae865615fc4 (and 2a418cf3f5f1) the compiler really
> > > > should not be sticking gen8_canonical_addr() after __uaccess_begin().
> > > > 
> > > > /me puzzled...
> > > 
> > > I think you're looking at the wrong code.  It has user_access_begin/end
> > > around it:
> > > 
> > > 		if (!user_access_begin(user_exec_list, count * sizeof(*user_exec_list)))
> > > 			goto end;
> > > 
> > > 		for (i = 0; i < args->buffer_count; i++) {
> > > 			if (!(exec2_list[i].offset & UPDATE))
> > > 				continue;
> > > 
> > > 			exec2_list[i].offset =
> > > 				gen8_canonical_addr(exec2_list[i].offset & PIN_OFFSET_MASK);
> > > 			unsafe_put_user(exec2_list[i].offset,
> > > 					&user_exec_list[i].offset,
> > > 					end_user);
> > > 		}
> > > end_user:
> > > 		user_access_end();
> > > 
> > 
> > Oh, Duh... Yeah, so the alternative to your solution is to do 2 loops.
> > Not sure which would be better.
> 
> I like your idea better, makes the fix more localized and shrinks the
> uaccess window.  Something like so (not even compile tested):

At which point we should probably also Cc Chris who caused all this
with commit:

  2889caa92321 ("drm/i915: Eliminate lots of iterations over the execobjects array")

> diff --git a/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c
> index b5f6937369ea..406af374f728 100644
> --- a/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c
> +++ b/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c
> @@ -2847,6 +2847,11 @@ i915_gem_execbuffer2_ioctl(struct drm_device *dev, void *data,
>  			u64_to_user_ptr(args->buffers_ptr);
>  		unsigned int i;
>  
> +		for (i = 0; i < args->buffer_count; i++) {
> +			exec2_list[i].offset =
> +				gen8_canonical_addr(exec2_list[i].offset & PIN_OFFSET_MASK);
> +		}
> +
>  		/* Copy the new buffer offsets back to the user's exec list. */
>  		/*
>  		 * Note: count * sizeof(*user_exec_list) does not overflow,
> @@ -2862,8 +2867,6 @@ i915_gem_execbuffer2_ioctl(struct drm_device *dev, void *data,
>  			if (!(exec2_list[i].offset & UPDATE))
>  				continue;
>  
> -			exec2_list[i].offset =
> -				gen8_canonical_addr(exec2_list[i].offset & PIN_OFFSET_MASK);
>  			unsafe_put_user(exec2_list[i].offset,
>  					&user_exec_list[i].offset,
>  					end_user);

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ