Date: Tue, 9 Jan 2024 17:03:56 +0000
From: Oleksandr Tyshchenko <Oleksandr_Tyshchenko@...m.com>
To: Daniel Vetter <daniel@...ll.ch>
CC: "xen-devel@...ts.xenproject.org" <xen-devel@...ts.xenproject.org>,
        Oleksandr Tyshchenko <olekstysh@...il.com>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        Christian König <christian.koenig@....com>,
        Juergen Gross <jgross@...e.com>,
        Stefano Stabellini <sstabellini@...nel.org>
Subject: Re: [PATCH v2] xen/gntdev: Fix the abuse of underlying struct page in DMA-buf import



On 08.01.24 14:05, Daniel Vetter wrote:

Hello Daniel


> On Sun, 7 Jan 2024 at 11:35, Oleksandr Tyshchenko <olekstysh@...il.com> wrote:
>>
>> From: Oleksandr Tyshchenko <oleksandr_tyshchenko@...m.com>
>>
>> DO NOT access the underlying struct page of an sg table exported
>> by DMA-buf in dmabuf_imp_to_refs(), this is not allowed.
>> Please see drivers/dma-buf/dma-buf.c:mangle_sg_table() for details.
>>
>> Fortunately, here (for special Xen device) we can avoid using
>> pages and calculate gfns directly from dma addresses provided by
>> the sg table.
>>
>> Suggested-by: Daniel Vetter <daniel@...ll.ch>
>> Signed-off-by: Oleksandr Tyshchenko <oleksandr_tyshchenko@...m.com>
>> Acked-by: Christian König <christian.koenig@....com>
>> Reviewed-by: Stefano Stabellini <sstabellini@...nel.org>
>> ---
>> Please note, I didn't manage to test the patch against the latest master branch
>> on real HW (patch was only build tested there). Patch was tested on Arm64
>> guests using Linux v5.10.41 from vendor's BSP, this is the environment where
>> running this use-case is possible and to which I have access (Xen PV display
>> with zero-copy and backend domain as a buffer provider - be-alloc=1, so dma-buf
>> import part was involved). A little bit old, but the dma-buf import code
>> in gntdev-dmabuf.c hasn't been changed much since that time, all context
>> remains almost the same according to my code inspection.
>>
>>    v2:
>>     - add R-b and A-b
>>     - fix build warning noticed by kernel test robot by initializing
>>       "ret" in case of error
>>       https://lore.kernel.org/oe-kbuild-all/202401062122.it6zvLG0-lkp@intel.com/
>> ---
>> ---
>>   drivers/xen/gntdev-dmabuf.c | 44 ++++++++++++++++---------------------
>>   1 file changed, 19 insertions(+), 25 deletions(-)
>>
>> diff --git a/drivers/xen/gntdev-dmabuf.c b/drivers/xen/gntdev-dmabuf.c
>> index 4440e626b797..272c0ab01ef5 100644
>> --- a/drivers/xen/gntdev-dmabuf.c
>> +++ b/drivers/xen/gntdev-dmabuf.c
>> @@ -11,6 +11,7 @@
>>   #include <linux/kernel.h>
>>   #include <linux/errno.h>
>>   #include <linux/dma-buf.h>
>> +#include <linux/dma-direct.h>
>>   #include <linux/slab.h>
>>   #include <linux/types.h>
>>   #include <linux/uaccess.h>
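Review bot: the new `#include <linux/dma-direct.h>` has no consumer in any of the visible hunks, so whatever helper it provides is used in the snipped loop body; because that header is the direct-mapping (no IOMMU translation) side of the DMA API, the commit message or the in-code comment Daniel asks for below should name the helper and state why a direct DMA-address-to-physical conversion is valid for this Xen device, otherwise a later reader cannot tell whether the include is intentional.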
>> @@ -50,7 +51,7 @@ struct gntdev_dmabuf {
>>
>>          /* Number of pages this buffer has. */
>>          int nr_pages;
>> -       /* Pages of this buffer. */
>> +       /* Pages of this buffer (only for dma-buf export). */
>>          struct page **pages;
>>   };
>>
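Review bot: the comment now marks `pages` as export-only, but `nr_pages` directly above it is still assigned on the import path (`gntdev_dmabuf->nr_pages = count;` in dmabuf_imp_alloc_storage further down in this patch), so consider stating that on import `pages` stays NULL while `nr_pages` remains valid; as written, a reader may assume the two fields are always populated together.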
>> @@ -484,7 +485,7 @@ static int dmabuf_exp_from_refs(struct gntdev_priv *priv, int flags,
>>   /* DMA buffer import support. */
>>
>>   static int
>> -dmabuf_imp_grant_foreign_access(struct page **pages, u32 *refs,
>> +dmabuf_imp_grant_foreign_access(unsigned long *gfns, u32 *refs,
>>                                  int count, int domid)
>>   {
>>          grant_ref_t priv_gref_head;
>> @@ -507,7 +508,7 @@ dmabuf_imp_grant_foreign_access(struct page **pages, u32 *refs,
>>                  }
>>
>>                  gnttab_grant_foreign_access_ref(cur_ref, domid,
>> -                                               xen_page_to_gfn(pages[i]), 0);
>> +                                               gfns[i], 0);
>>                  refs[i] = cur_ref;
>>          }
>>
>> @@ -529,7 +530,6 @@ static void dmabuf_imp_end_foreign_access(u32 *refs, int count)
>>
>>   static void dmabuf_imp_free_storage(struct gntdev_dmabuf *gntdev_dmabuf)
>>   {
>> -       kfree(gntdev_dmabuf->pages);
>>          kfree(gntdev_dmabuf->u.imp.refs);
>>          kfree(gntdev_dmabuf);
>>   }
>> @@ -549,12 +549,6 @@ static struct gntdev_dmabuf *dmabuf_imp_alloc_storage(int count)
>>          if (!gntdev_dmabuf->u.imp.refs)
>>                  goto fail;
>>
>> -       gntdev_dmabuf->pages = kcalloc(count,
>> -                                      sizeof(gntdev_dmabuf->pages[0]),
>> -                                      GFP_KERNEL);
>> -       if (!gntdev_dmabuf->pages)
>> -               goto fail;
>> -
>>          gntdev_dmabuf->nr_pages = count;
>>
>>          for (i = 0; i < count; i++)
>> @@ -576,7 +570,8 @@ dmabuf_imp_to_refs(struct gntdev_dmabuf_priv *priv, struct device *dev,
>>          struct dma_buf *dma_buf;
>>          struct dma_buf_attachment *attach;
>>          struct sg_table *sgt;
>> -       struct sg_page_iter sg_iter;
>> +       struct sg_dma_page_iter sg_iter;
>> +       unsigned long *gfns;
>>          int i;
>>
>>          dma_buf = dma_buf_get(fd);
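Review bot: `gfns` is declared without an initialiser here while its `kcalloc()` only happens in the next hunk, so any `goto fail_*` taken between `dma_buf_get(fd)` and that allocation must not pass through a `kfree(gfns)`; either write `unsigned long *gfns = NULL;` or confirm that the release sits after the allocation only. The switch to `struct sg_dma_page_iter` is the right iterator type for the `for_each_sgtable_dma_page()` loop introduced below.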
>> @@ -624,26 +619,25 @@ dmabuf_imp_to_refs(struct gntdev_dmabuf_priv *priv, struct device *dev,
>>
>>          gntdev_dmabuf->u.imp.sgt = sgt;
>>
>> -       /* Now convert sgt to array of pages and check for page validity. */
>> +       gfns = kcalloc(count, sizeof(*gfns), GFP_KERNEL);
>> +       if (!gfns) {
>> +               ret = ERR_PTR(-ENOMEM);
>> +               goto fail_unmap;
>> +       }
>> +
>> +       /* Now convert sgt to array of gfns without accessing underlying pages. */
>>          i = 0;
>> -       for_each_sgtable_page(sgt, &sg_iter, 0) {
>> -               struct page *page = sg_page_iter_page(&sg_iter);
>> -               /*
>> -                * Check if page is valid: this can happen if we are given
>> -                * a page from VRAM or other resources which are not backed
>> -                * by a struct page.
>> -                */
>> -               if (!pfn_valid(page_to_pfn(page))) {
>> -                       ret = ERR_PTR(-EINVAL);
>> -                       goto fail_unmap;
>> -               }
>> +       for_each_sgtable_dma_page(sgt, &sg_iter, 0) {
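Review bot: the removed `pfn_valid()` test, together with its comment about VRAM and other memory not backed by a struct page, was the only validation on the import path, and this hunk ends before the new loop body, so it is not visible whether the gfn derived from each DMA address is still checked before it reaches gnttab_grant_foreign_access_ref(); the loop should either keep an equivalent check or the comment requested below should explain why a DMA address taken from the exporter's sg table can always be granted safely. Separately, the freshly allocated `gfns` array is not freed anywhere in the visible hunks; it needs a `kfree(gfns)` on the success path and on every failure path reached after the `kcalloc()`. The `goto fail_unmap` on allocation failure itself is correct, since `sgt` is already mapped and stored in `gntdev_dmabuf->u.imp.sgt` at that point.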
> 
> Maybe add a comment here to explain why this is done and why it's ok?


Makes sense, will do for v3.


> Either way:
> 
> Acked-by: Daniel Vetter <daniel@...ll.ch>


Thanks!


[snip]
