lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sat, 18 Sep 2021 11:38:42 +0300 From: Oded Gabbay <ogabbay@...nel.org> To: Jason Gunthorpe <jgg@...pe.ca>, Daniel Vetter <daniel.vetter@...ll.ch> Cc: "Linux-Kernel@...r. Kernel. Org" <linux-kernel@...r.kernel.org>, Greg Kroah-Hartman <gregkh@...uxfoundation.org>, Christian König <christian.koenig@....com>, Gal Pressman <galpress@...zon.com>, Yossi Leybovich <sleybo@...zon.com>, Maling list - DRI developers <dri-devel@...ts.freedesktop.org>, linux-rdma <linux-rdma@...r.kernel.org>, Linux Media Mailing List <linux-media@...r.kernel.org>, Doug Ledford <dledford@...hat.com>, Dave Airlie <airlied@...il.com>, Alex Deucher <alexander.deucher@....com>, Leon Romanovsky <leonro@...dia.com>, Christoph Hellwig <hch@....de>, amd-gfx list <amd-gfx@...ts.freedesktop.org>, "moderated list:DMA BUFFER SHARING FRAMEWORK" <linaro-mm-sig@...ts.linaro.org> Subject: Re: [PATCH v6 0/2] Add p2p via dmabuf to habanalabs On Fri, Sep 17, 2021 at 3:30 PM Daniel Vetter <daniel@...ll.ch> wrote: > > On Thu, Sep 16, 2021 at 10:10:14AM -0300, Jason Gunthorpe wrote: > > On Thu, Sep 16, 2021 at 02:31:34PM +0200, Daniel Vetter wrote: > > > On Wed, Sep 15, 2021 at 10:45:36AM +0300, Oded Gabbay wrote: > > > > On Tue, Sep 14, 2021 at 7:12 PM Jason Gunthorpe <jgg@...pe.ca> wrote: > > > > > > > > > > On Tue, Sep 14, 2021 at 04:18:31PM +0200, Daniel Vetter wrote: > > > > > > On Sun, Sep 12, 2021 at 07:53:07PM +0300, Oded Gabbay wrote: > > > > > > > Hi, > > > > > > > Re-sending this patch-set following the release of our user-space TPC > > > > > > > compiler and runtime library. > > > > > > > > > > > > > > I would appreciate a review on this. > > > > > > > > > > > > I think the big open we have is the entire revoke discussions. Having the > > > > > > option to let dma-buf hang around which map to random local memory ranges, > > > > > > without clear ownership link and a way to kill it sounds bad to me. > > > > > > > > > > > > I think there's a few options: > > > > > > - We require revoke support. But I've heard rdma really doesn't like that, > > > > > > I guess because taking out an MR while holding the dma_resv_lock would > > > > > > be an inversion, so can't be done. Jason, can you recap what exactly the > > > > > > hold-up was again that makes this a no-go? > > > > > > > > > > RDMA HW can't do revoke. > > > > > > Like why? I'm assuming when the final open handle or whatever for that MR > > > is closed, you do clean up everything? Or does that MR still stick around > > > forever too? > > > > It is a combination of uAPI and HW specification. > > > > revoke here means you take a MR object and tell it to stop doing DMA > > without causing the MR object to be destructed. > > > > All the drivers can of course destruct the MR, but doing such a > > destruction without explicit synchronization with user space opens > > things up to a serious use-after potential that could be a security > > issue. > > > > When the open handle closes the userspace is synchronized with the > > kernel and we can destruct the HW objects safely. > > > > So, the special HW feature required is 'stop doing DMA but keep the > > object in an error state' which isn't really implemented, and doesn't > > extend very well to other object types beyond simple MRs. > > Yeah revoke without destroying the MR doesn't work, and it sounds like > revoke by destroying the MR just moves the can of worms around to another > place. > > > > 1. User A opens gaudi device, sets up dma-buf export > > > > > > 2. User A registers that with RDMA, or anything else that doesn't support > > > revoke. > > > > > > 3. User A closes gaudi device > > > > > > 4. User B opens gaudi device, assumes that it has full control over the > > > device and uploads some secrets, which happen to end up in the dma-buf > > > region user A set up > > > > I would expect this is blocked so long as the DMABUF exists - eg the > > DMABUF will hold a fget on the FD of #1 until the DMABUF is closed, so > > that #3 can't actually happen. > > > > > It's not mlocked memory, it's mlocked memory and I can exfiltrate > > > it. > > > > That's just bug, don't make buggy drivers :) > > Well yeah, but given that habanalabs hand rolled this I can't just check > for the usual things we have to enforce this in drm. And generally you can > just open chardevs arbitrarily, and multiple users fighting over each > another. The troubles only start when you have private state or memory > allocations of some kind attached to the struct file (instead of the > underlying device), or something else that requires device exclusivity. > There's no standard way to do that. > > Plus in many cases you really want revoke on top (can't get that here > unfortunately it seems), and the attempts to get towards a generic > revoke() just never went anywhere. So again it's all hand-rolled > per-subsystem. *insert lament about us not having done this through a > proper subsystem* > > Anyway it sounds like the code takes care of that. > -Daniel Daniel, Jason, Thanks for reviewing this code. Can I get an R-B / A-B from you for this patch-set ? Thanks, Oded
Powered by blists - more mailing lists