From: Andy Lutomirski
Date: Fri, 8 Jan 2021 10:31:24 -0800
Subject: Re: [PATCH 0/2] page_count can't be used to decide when wp_page_copy
In-Reply-To: <20210108181945.GF504133@ziepe.ca>
To: Jason Gunthorpe
Cc: Andrea Arcangeli, Linux-MM, LKML, Yu Zhao, Andy Lutomirski, Peter Xu, Pavel Emelyanov, Mike Kravetz, Mike Rapoport, Minchan Kim, Will Deacon, Peter Zijlstra, Linus Torvalds, Hugh Dickins, "Kirill A. Shutemov", Matthew Wilcox, Oleg Nesterov, Jann Horn, Kees Cook, John Hubbard, Leon Romanovsky, Jan Kara, Kirill Tkhai

On Fri, Jan 8, 2021 at 10:19 AM Jason Gunthorpe wrote:
>
> On Fri, Jan 08, 2021 at 12:00:36PM -0500, Andrea Arcangeli wrote:
> > > The majority cannot be converted to notifiers because they are DMA
> > > based. Every one of those is an ABI for something, and does not expect
> > > extra privilege to function. It would be a major breaking change to
> > > have pin_user_pages require some cap.
> >
> > ... what makes them safe is to be transient GUP pin and not long
> > term.
> >
> > Please note the "long term" in the underlined line.
>
> Many of them are long term, though only 50 or so have been marked
> specifically with FOLL_LONGTERM. I don't see how we can make such a
> major ABI break.
>
> Looking at it, vmsplice() is simply wrong. A long term page pin must
> use pin_user_pages(), and either FOLL_LONGTERM|FOLL_WRITE (write mode)
> FOLL_LONGTERM|FOLL_FORCE|FOLL_WRITE (read mode)

Can we just remove vmsplice() support? We could make it do a normal
copy, thereby getting rid of a fair amount of nastiness and potential
attacks. Even ignoring issues relating to the length of time that the
vmsplice reference is alive, we also have whatever problems could be
caused by a malicious or misguided user vmsplice()ing some memory and
then modifying it.

--Andy
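
The difference between vmsplice() and the "normal copy" suggested in the message can be observed from a single process by queueing a buffer on a pipe, overwriting the buffer, and then reading the pipe. This is an added example, not code from the thread or the kernel tree; the function name pipe_sees_later_write, the 4096-byte buffer and the use of a raw syscall(SYS_vmsplice, ...) call are choices made here.

```c
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/uio.h>
#include <unistd.h>

static char buf[4096];

/* Queue buf on a pipe, overwrite buf, then read the pipe back.
 * zero_copy=1 uses vmsplice(); zero_copy=0 uses write(), i.e. the
 * "normal copy" proposed in the message.
 * Returns 1 if the reader sees the later overwrite, 0 if it sees the
 * bytes as they were when queued, -1 if a syscall failed. */
int pipe_sees_later_write(int zero_copy)
{
    int fds[2], result = -1;
    char out[16];
    struct iovec iov = { .iov_base = buf, .iov_len = sizeof(buf) };
    long n;

    if (pipe(fds) < 0)
        return -1;
    memset(buf, 'A', sizeof(buf));      /* contents at queue time */

    if (zero_copy)  /* raw syscall, flags = 0 (no SPLICE_F_GIFT) */
        n = syscall(SYS_vmsplice, fds[1], &iov, 1UL, 0U);
    else
        n = write(fds[1], buf, sizeof(buf));
    if (n != (long)sizeof(buf))
        goto done;

    memset(buf, 'B', sizeof(buf));      /* modify after queueing */

    if (read(fds[0], out, sizeof(out)) != (long)sizeof(out))
        goto done;
    result = (out[0] == 'B');
done:
    close(fds[0]);
    close(fds[1]);
    return result;
}

int main(void)
{
    static const char *msg[] = { "error", "bytes as queued", "later overwrite" };
    printf("write():    reader saw %s\n", msg[pipe_sees_later_write(0) + 1]);
    printf("vmsplice(): reader saw %s\n", msg[pipe_sees_later_write(1) + 1]);
    return 0;
}
```

On a kernel where vmsplice() to a pipe is zero-copy, the write() line reports the bytes as queued and the vmsplice() line reports the later overwrite, because the pipe holds a reference to the caller's pages rather than a copy.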