From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-2.4 required=3.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE, SPF_PASS,USER_AGENT_SANE_1 autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 43563C83000 for ; Wed, 29 Apr 2020 00:29:07 +0000 (UTC) Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.kernel.org (Postfix) with ESMTP id 0189C20737 for ; Wed, 29 Apr 2020 00:29:06 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=ziepe.ca header.i=@ziepe.ca header.b="gBF0juzP" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 0189C20737 Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=ziepe.ca Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix) id 8EFB28E0005; Tue, 28 Apr 2020 20:29:06 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 8C6E48E0001; Tue, 28 Apr 2020 20:29:06 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 7DCCE8E0005; Tue, 28 Apr 2020 20:29:06 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0127.hostedemail.com [216.40.44.127]) by kanga.kvack.org (Postfix) with ESMTP id 638E38E0001 for ; Tue, 28 Apr 2020 20:29:06 -0400 (EDT) Received: from smtpin06.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay04.hostedemail.com (Postfix) with ESMTP id 1B20752C9 for ; Wed, 29 Apr 2020 00:29:06 +0000 (UTC) X-FDA: 76759007892.06.snake21_1534622a52a5b X-HE-Tag: snake21_1534622a52a5b X-Filterd-Recvd-Size: 6521 Received: from mail-qv1-f65.google.com (mail-qv1-f65.google.com [209.85.219.65]) by imf18.hostedemail.com (Postfix) with ESMTP for ; Wed, 29 Apr 2020 00:29:05 +0000 (UTC) Received: by mail-qv1-f65.google.com with SMTP id v38so327961qvf.6 for ; Tue, 28 Apr 2020 17:29:05 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ziepe.ca; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to:user-agent; bh=sum6zvnI9uuuHONOiogQ9HloeE5QbhDG16IxplXpyKw=; b=gBF0juzP6lNNN9CsauhPBhO02OANPJ2mLHyQLraLJuxmTXzYX3a/IrHNLRunWWLgiG YQVRsmq/CQUxnSlv750R4HNOe+f4kPwaWyk0MtrKXzmwYnqUFpOJ5CXJFPShUc+SQm/P 4qBERO3b+TESmrHgaop2a4RXN2SQvRu7y9GSisP3W+GLS3SS3+L73GmaaALGOymT7K0K nIIR4A0TZGwRH9dThz9J/IhinJXc+OLdMJaRrWSTTSghWuweWS/w5EJSyzxLOzHuLQl0 5dL0b3ddwCB3mIe+/kUSVtBffiLucojHhM3/PGLUAMEKHbSw9EZAapDnMT57NkF8ZjD5 LVHA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to:user-agent; bh=sum6zvnI9uuuHONOiogQ9HloeE5QbhDG16IxplXpyKw=; b=Rz5Zvt7l8oEIqGA9kMpnuOduMpIORwhx5IDB+9qEh2bSU1MEXfkuTRfkxDmYA9Vpfz zJQOQJkSZ04mD++4bletqcnRxRw+xHPYFSTdnHqS8XOhtJo3Dv2NS40/eW8ipAktql7J 4Mpcu4RnZDrd1v2QST3y5fbRw3LQrTuJDmJbyKSaMK3Ewkj7PZ6DL2kZyHwRZpraqMRe bFmnBtif01hbEN2hGfyAenZYCzSaN1Y/S9ufaGYNQ5fshK1pdkDcRd+miW6Y4x0XIpUu V+PmqMrK8yXQWhbDu4oPllJEK3FU843RBj9vMRp58qqbd8DWMK/q0wS4qxg74pkU/YLp Mviw== X-Gm-Message-State: AGi0PuaMmNUQIlQvC0f5QSARhaq2lP5p4B7hITctBL90+SV79sO0z59I zCM0/EFNKfVEesIX1kyYGt4Ozw== X-Google-Smtp-Source: APiQypKpF7REJXdifsNrbjdxjECMvWqO7VD/BFBVFuZ0JXzB0iNDmPtTStSILhzusynqtgGAwoi6Fw== X-Received: by 2002:a0c:b651:: with SMTP id q17mr2047236qvf.135.1588120144906; Tue, 28 Apr 2020 17:29:04 -0700 (PDT) Received: from ziepe.ca (hlfxns017vw-142-68-57-212.dhcp-dynamic.fibreop.ns.bellaliant.net. [142.68.57.212]) by smtp.gmail.com with ESMTPSA id 134sm14193711qki.16.2020.04.28.17.29.03 (version=TLS1_2 cipher=ECDHE-ECDSA-CHACHA20-POLY1305 bits=256/256); Tue, 28 Apr 2020 17:29:04 -0700 (PDT) Received: from jgg by mlx.ziepe.ca with local (Exim 4.90_1) (envelope-from ) id 1jTab1-0001tN-Gx; Tue, 28 Apr 2020 21:29:03 -0300 Date: Tue, 28 Apr 2020 21:29:03 -0300 From: Jason Gunthorpe To: Alex Williamson Cc: linux-doc@vger.kernel.org, John Hubbard , LKML , Andrew Morton , Al Viro , Christoph Hellwig , Dan Williams , Dave Chinner , Ira Weiny , Jan Kara , Jonathan Corbet , =?utf-8?B?SsOpcsO0bWU=?= Glisse , "Kirill A . Shutemov" , Michal Hocko , Mike Kravetz , Shuah Khan , Vlastimil Babka , Matthew Wilcox , linux-fsdevel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-rdma@vger.kernel.org, linux-mm@kvack.org, "Kirill A . Shutemov" Subject: Re: [regression?] Re: [PATCH v6 06/12] mm/gup: track FOLL_PIN pages Message-ID: <20200429002903.GZ26002@ziepe.ca> References: <20200211001536.1027652-7-jhubbard@nvidia.com> <20200424121846.5ee2685f@w520.home> <5b901542-d949-8d7e-89c7-f8d5ee20f6e9@nvidia.com> <20200424141548.5afdd2bb@w520.home> <665ffb48-d498-90f4-f945-997a922fc370@nvidia.com> <20200428105455.30343fb4@w520.home> <20200428174957.GV26002@ziepe.ca> <20200428130752.75c153bd@w520.home> <20200428192251.GW26002@ziepe.ca> <20200428141223.5b1653db@w520.home> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20200428141223.5b1653db@w520.home> User-Agent: Mutt/1.9.4 (2018-02-28) X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On Tue, Apr 28, 2020 at 02:12:23PM -0600, Alex Williamson wrote: > > > Maybe I was just getting lucky before this commit. For a > > > VM_PFNMAP, vaddr_get_pfn() only needs pin_user_pages_remote() to return > > > error and the vma information that we setup in vfio_pci_mmap(). > > > > I've written on this before, vfio should not be passing pages to the > > iommu that it cannot pin eg it should not touch VM_PFNMAP vma's in the > > first place. > > > > It is a use-after-free security issue the way it is.. > > Where is the user after free? Here I'm trying to map device mmio space > through the iommu, which we need to enable p2p when the user owns > multiple devices. Yes, I gathered what the intent was.. > The device is owned by the user, bound to vfio-pci, and can't be > unbound while the user has it open. The iommu mappings are torn > down on release. I guess I don't understand the problem. For PFNMAP VMAs the lifecycle rule is basically that the PFN inside the VMA can only be used inside the mmap_sem that read it. Ie you cannot take a PFN outside the mmap_sem and continue to use it. This is because the owner of the VMA owns the lifetime of that PFN, and under the write side of the mmap_sem it can zap the PFN, or close the VMA. Afterwards the VMA owner knows that there are no active reference to the PFN in the system and can reclaim the PFN ie the PFNMAP has no per-page pin counter. All lifetime revolves around the mmap_sem and the vma. What vfio does is take the PFN out of the mmap_sem and program it into the iommu. So when the VMA owner decides the PFN has no references, it actually doesn't: vfio continues to access it beyond its permitted lifetime. HW like mlx5 and GPUs have BAR pages which have security properties. Once the PFN is returned to the driver the security context of the PFN can be reset and re-assigned to another process. Using VFIO a hostile user space can retain access to the BAR page and upon its reassignment access a security context they were not permitted to access. This is why GUP does not return PFNMAP pages and vfio should not carry a reference outside the mmap_sem. It breaks all the lifetime rules. Jason