| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 4 May 2020 12:26:43 -0600
From: Alex Williamson <alex.williamson@...hat.com>
To: Jason Gunthorpe <jgg@...pe.ca>
Cc: kvm@...r.kernel.org, linux-kernel@...r.kernel.org,
cohuck@...hat.com, peterx@...hat.com
Subject: Re: [PATCH 3/3] vfio-pci: Invalidate mmaps and block MMIO access on
disabled memory
On Fri, 1 May 2020 20:48:49 -0300
Jason Gunthorpe <jgg@...pe.ca> wrote:
> On Fri, May 01, 2020 at 03:39:30PM -0600, Alex Williamson wrote:
>
> > static int vfio_pci_add_vma(struct vfio_pci_device *vdev,
> > struct vm_area_struct *vma)
> > {
> > @@ -1346,15 +1450,49 @@ static vm_fault_t vfio_pci_mmap_fault(struct vm_fault *vmf)
> > {
> > struct vm_area_struct *vma = vmf->vma;
> > struct vfio_pci_device *vdev = vma->vm_private_data;
> > + vm_fault_t ret = VM_FAULT_NOPAGE;
> >
> > - if (vfio_pci_add_vma(vdev, vma))
> > - return VM_FAULT_OOM;
> > + /*
> > + * Zap callers hold memory_lock and acquire mmap_sem, we hold
> > + * mmap_sem and need to acquire memory_lock to avoid races with
> > + * memory bit settings. Release mmap_sem, wait, and retry, or fail.
> > + */
> > + if (unlikely(!down_read_trylock(&vdev->memory_lock))) {
> > + if (vmf->flags & FAULT_FLAG_ALLOW_RETRY) {
> > + if (vmf->flags & FAULT_FLAG_RETRY_NOWAIT)
> > + return VM_FAULT_RETRY;
> > +
> > + up_read(&vma->vm_mm->mmap_sem);
> > +
> > + if (vmf->flags & FAULT_FLAG_KILLABLE) {
> > + if (!down_read_killable(&vdev->memory_lock))
> > + up_read(&vdev->memory_lock);
> > + } else {
> > + down_read(&vdev->memory_lock);
> > + up_read(&vdev->memory_lock);
> > + }
> > + return VM_FAULT_RETRY;
> > + }
> > + return VM_FAULT_SIGBUS;
> > + }
>
> So, why have the wait? It isn't reliable - if this gets faulted from a
> call site that can't handle retry then it will SIGBUS anyhow?
Do such call sites exist? My assumption was that half of the branch
was unlikely to ever occur.
> The weird use of a rwsem as a completion suggest that perhaps using
> wait_event might improve things:
>
> disable:
> // Clean out the vma list with zap, then:
>
> down_read(mm->mmap_sem)
I assume this is simplifying the dance we do in zapping to first take
vma_lock in order to walk vma_list, to find a vma from which we can
acquire the mm, drop vma_lock, get mmap_sem, then re-get vma_lock
below. Also accounting that vma_list might be empty and we might need
to drop and re-acquire vma_lock to get to another mm, so we really
probably want to set pause_faults at the start rather than at the end.
> mutex_lock(vma_lock);
> list_for_each_entry_safe()
> // zap and remove all vmas
>
> pause_faults = true;
> mutex_write(vma_lock);
>
> fault:
> // Already have down_read(mmap_sem)
> mutex_lock(vma_lock);
> while (pause_faults) {
> mutex_unlock(vma_lock)
> wait_event(..., !pause_faults)
> mutex_lock(vma_lock)
> }
Nit, we need to test the memory enable bit setting somewhere under this
lock since it seems to be the only thing protecting it now.
> list_add()
> remap_pfn()
> mutex_unlock(vma_lock)
The read and write file ops would need similar mechanisms.
> enable:
> pause_faults = false
> wake_event()
Hmm, vma_lock was dropped above and not re-acquired here. I'm not sure
if it was an oversight that pause_faults was not tested in the disable
path, but this combination appears to lead to concurrent writers and
serialized readers??
So yeah, this might resolve a theoretical sigbus if we can't retry to
get the memory_lock ordering correct, but we also lose the concurrency
that memory_lock provided us.
>
> The only requirement here is that while inside the write side of
> memory_lock you cannot touch user pages (ie no copy_from_user/etc)
I'm lost at this statement, I can only figure the above works if we
remove memory_lock. Are you referring to a different lock? Thanks,
Alex
Powered by blists - more mailing lists