lists.openwall.net
Open Source and information security mailing list archives

Date:   Wed, 29 Apr 2020 10:55:52 -0700
From:   Dave Hansen <dave.hansen@...el.com>
To:     Christian Borntraeger <borntraeger@...ibm.com>,
        Claudio Imbrenda <imbrenda@...ux.ibm.com>,
        akpm@...ux-foundation.org, jack@...e.cz, kirill@...temov.name
Cc:     david@...hat.com, aarcange@...hat.com, linux-mm@...ck.org,
        frankja@...ux.ibm.com, sfr@...b.auug.org.au, jhubbard@...dia.com,
        linux-kernel@...r.kernel.org, linux-s390@...r.kernel.org,
        peterz@...radead.org, sean.j.christopherson@...el.com
Subject: Re: [PATCH v1 1/1] fs/splice: add missing callback for inaccessible pages

On 4/29/20 10:31 AM, Christian Borntraeger wrote:
> On 29.04.20 18:07, Dave Hansen wrote:
>> On 4/28/20 3:50 PM, Claudio Imbrenda wrote:
>>> If a page is inaccessible and it is used for things like sendfile, then
>>> the content of the page is not always touched, and can be passed
>>> directly to a driver, causing issues.
>>>
>>> This patch fixes the issue by adding a call to arch_make_page_accessible
>>> in page_cache_pipe_buf_confirm; this fixes the issue.
>> I spent about 5 minutes putting together a patch:
>>
>> 	https://sr71.net/~dave/intel/accessible.patch
>>
>> It adds a page flag ("daccess") which starts out set.  It clears the
>> flag when the page is added to the page cache or mapped as anonymous.
> And that of course does not work. Pages are not made inaccessible at a random
> point in time. We do check for several page flags and page count before doing
> so and we also do this with page_ref_freeze to avoid several races.
> I guess you just hit one of those.

Actually, that's the problem.  You've gone through all these careful
checks and made the page inaccessible.  *After* that process, how do you
keep the page from being hit by an I/O device before it's made
accessible again?  My patch just assumes that *all* pages have gone
through that process and passed those checks.

I'm pretty sure if I lifted all the checks in
arch/s390/kernel/uv.c::make_secure_pte() and duplicated them at the
sites where I'm doing ClearPageAccessible(), they'd happily pass.

Freezing page refs is a transient thing you do *during* the conversion,
but it doesn't stop future access to the page.  That's what these
incomplete hooks are trying to do.

Anyway, I look forward to seeing the patch for the FOLL_PIN issue I
pointed out, and I hope to see another copy of the fs/splice changes
with a proper changelog and the maintainer on cc.  It's starting to get
late in the rc's.
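The distinction the reply draws, that a refcount freeze only protects the page during the conversion while a hook at the I/O site is what protects it afterwards, can be shown with a small model. The following is an added example and not kernel code: `struct page`, the flag bits, `make_secure()`, the driver and the splice path are all stand-ins chosen here to mimic the shape of `page_ref_freeze()`, the checks described for the s390 conversion, and the `arch_make_page_accessible()` call the patch adds to `page_cache_pipe_buf_confirm()`.

```c
/*
 * Toy model (added example, not Linux source) of the two mechanisms in the
 * thread: page_ref_freeze() during a conversion to an inaccessible page, and
 * an arch_make_page_accessible() hook at the I/O site. All names are stand-ins.
 */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

enum {
    PG_lru          = 1u << 0,
    PG_writeback    = 1u << 1,
    PG_inaccessible = 1u << 2,   /* stand-in for the arch "secure" state */
};

struct page {
    atomic_int _refcount;
    unsigned flags;
};

static void page_init(struct page *page, unsigned flags, int refs)
{
    atomic_init(&page->_refcount, refs);
    page->flags = flags;
}

/* Same contract as the kernel helper: succeed only if the refcount is exactly
 * `count`, and atomically set it to 0 so no new reference can be taken while
 * the caller works on the page. */
static bool page_ref_freeze(struct page *page, int count)
{
    int expected = count;
    return atomic_compare_exchange_strong(&page->_refcount, &expected, 0);
}

static void page_ref_unfreeze(struct page *page, int count)
{
    atomic_store(&page->_refcount, count);
}

/* The conversion: flag and refcount checks under the freeze, then mark the
 * page inaccessible. Refuses (and changes nothing) when a check fails, e.g.
 * because somebody else holds a reference. Note that the freeze is undone
 * before returning: afterwards the page is referenceable like any other. */
static bool make_secure(struct page *page, int expected_refs)
{
    if (page->flags & PG_writeback)
        return false;
    if (!page_ref_freeze(page, expected_refs))
        return false;
    page->flags |= PG_inaccessible;
    page_ref_unfreeze(page, expected_refs);
    return true;
}

/* Stand-in for arch_make_page_accessible(): the hook that has to run at every
 * site that hands a page to an I/O device. */
static int arch_make_page_accessible(struct page *page)
{
    page->flags &= ~PG_inaccessible;
    return 0;
}

/* Stand-in for a driver doing DMA: it never looks at the accessibility state,
 * so an inaccessible page reaching it is exactly the bug the patch addresses.
 * Returns true when the I/O would have gone through cleanly. */
static bool driver_dma(const struct page *page)
{
    return !(page->flags & PG_inaccessible);
}

/* sendfile()-style path handing a page-cache page to a driver, with or
 * without the confirm-time hook. */
static bool splice_to_driver(struct page *page, bool with_confirm_hook)
{
    if (with_confirm_hook && arch_make_page_accessible(page))
        return false;
    return driver_dma(page);
}

int main(void)
{
    struct page p;
    page_init(&p, PG_lru, 1);

    printf("conversion: %s\n", make_secure(&p, 1) ? "ok" : "refused");
    printf("refcount after conversion: %d\n", atomic_load(&p._refcount));
    printf("driver without hook: %s\n", splice_to_driver(&p, false) ? "ok" : "hit inaccessible page");
    printf("driver with hook:    %s\n", splice_to_driver(&p, true) ? "ok" : "hit inaccessible page");

    atomic_fetch_add(&p._refcount, 1);   /* someone else holds a reference */
    printf("conversion with extra ref: %s\n", make_secure(&p, 1) ? "ok" : "refused");
    return 0;
}
```

The second conversion attempt fails because `page_ref_freeze()` sees a refcount of 2 rather than 1; that is the race protection the quoted reply describes. The first attempt succeeds and leaves the refcount back at 1, which is why nothing in the refcount stops the later splice path, and only the hook at the confirm site keeps the driver off the page.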
