lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 30 Apr 2020 22:04:43 +0200
From:   Christian Borntraeger <borntraeger@...ibm.com>
To:     Claudio Imbrenda <imbrenda@...ux.ibm.com>, viro@...iv.linux.org.uk
Cc:     david@...hat.com, akpm@...ux-foundation.org, aarcange@...hat.com,
        linux-mm@...ck.org, frankja@...ux.ibm.com, sfr@...b.auug.org.au,
        jhubbard@...dia.com, linux-kernel@...r.kernel.org,
        linux-s390@...r.kernel.org, jack@...e.cz, kirill@...temov.name,
        dave.hansen@...el.com, peterz@...radead.org,
        sean.j.christopherson@...el.com, Ulrich.Weigand@...ibm.com
Subject: Re: [PATCH v2 1/1] fs/splice: add missing callback for inaccessible
 pages



On 30.04.20 16:38, Claudio Imbrenda wrote:
> Inaccessible pages are pages that should not be accessed by any device,
> and belong to a protected VM. If any such pages are passed to a
> device, there will be I/O errors, which will not always be recoverable,
> depending on the architecture and on the specific device.
> 
> CPU accesses to inaccessible pages are less problematic, since they are
> always recoverable.
> 
> Page cache and direct I/O were fixed in a previous patch, in which a
> architecture hook is provided to make the page accessible by I/O
> devices.
> 
> One possible remaining path to sneak a protected page directly to a
> device is sendfile and similar syscalls. Those syscalls take a page
> directly from the page cache and give them directly to the device with
> zero-copy. This bypasses both existing hooks in gup and in writeback.
> 
> This patch fixes the issue by adding a call to arch_make_page_accessible
> in page_cache_pipe_buf_confirm, thus fixing the issue.
> 
> Notice that we only need to make sure the source is accessible, since
> zero-copy only works in one direction, and CPU accesses to inaccessible
> pages are not a problem. Pagecache-to-pagecache is also not a problem
> since that is done by the CPU.
> 
> The hook has no overhead for architectures that do not need to deal
> with inaccessible pages.
> 
> Fixes: f28d43636d6f ("mm/gup/writeback: add callbacks for inaccessible pages")

You should add a Reported-by Dave Hansen, I guess.

Acked-by: Christian Borntraeger <borntraeger@...ibm.com>



> Signed-off-by: Claudio Imbrenda <imbrenda@...ux.ibm.com>
> ---
>  fs/splice.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/fs/splice.c b/fs/splice.c
> index 4735defc46ee..f026e0ce9acd 100644
> --- a/fs/splice.c
> +++ b/fs/splice.c
> @@ -106,6 +106,9 @@ static int page_cache_pipe_buf_confirm(struct pipe_inode_info *pipe,
>  	struct page *page = buf->page;
>  	int err;
>  
> +	if (arch_make_page_accessible(page))
> +		return -EIO;
> +
>  	if (!PageUptodate(page)) {
>  		lock_page(page);
>  
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ