Dubious usage of VM_SHARED in atomisp_fops.c

Dubious usage of VM_SHARED in atomisp_fops.c

[David Hildenbrand]

Hi,

going over all VM_SHARED and VM_MAYSHARE user in the kernel, I stumbled 
over the following dubious code in 
drivers/staging/media/atomisp/pci/atomisp_fops.c:


if (!(vma->vm_flags & (VM_WRITE | VM_READ)))
	return -EACCES;

...

if (!(vma->vm_flags & VM_SHARED)) {
	/* Map private buffer.
	 * Set VM_SHARED to the flags since we need
	 * to map the buffer page by page.
	 * Without VM_SHARED, remap_pfn_range() treats
	 * this kind of mapping as invalid.
	 */
	vma->vm_flags |= VM_SHARED;
	ret = hmm_mmap(vma, vma->vm_pgoff << PAGE_SHIFT);
	...
}


We're converting a writable MAP_PRIVATE mapping ("COW mapping") into a 
writable MAP_SHARED mapping, to hack around the is_cow_mapping() check 
in remap_pfn_range_notrack().

We're not even setting VM_MAYSHARE and turn the mapping silently into 
something with completely different semantics.


That code has to go.


One approach would be to reject such mappings (no idea if user space 
relies on private mappings), the other one would be to remove this 
driver. Judging that the driver already was marked broken in 2020 
(ad85094b293e ("Revert "media: staging: atomisp: Remove driver"")), 
maybe it's time for the driver to go.

Thoughts?

-- 
Thanks,

David / dhildenb

Re: Dubious usage of VM_SHARED in atomisp_fops.c

[Hans de Goede]

Hi David,

On 12/14/22 11:22, David Hildenbrand wrote:
> Hi,
> 
> going over all VM_SHARED and VM_MAYSHARE user in the kernel, I stumbled over the following dubious code in drivers/staging/media/atomisp/pci/atomisp_fops.c:
> 
> 
> if (!(vma->vm_flags & (VM_WRITE | VM_READ)))
>     return -EACCES;
> 
> ...
> 
> if (!(vma->vm_flags & VM_SHARED)) {
>     /* Map private buffer.
>      * Set VM_SHARED to the flags since we need
>      * to map the buffer page by page.
>      * Without VM_SHARED, remap_pfn_range() treats
>      * this kind of mapping as invalid.
>      */
>     vma->vm_flags |= VM_SHARED;
>     ret = hmm_mmap(vma, vma->vm_pgoff << PAGE_SHIFT);
>     ...
> }
> 
> 
> We're converting a writable MAP_PRIVATE mapping ("COW mapping") into a writable MAP_SHARED mapping, to hack around the is_cow_mapping() check in remap_pfn_range_notrack().
> 
> We're not even setting VM_MAYSHARE and turn the mapping silently into something with completely different semantics.
> 
> 
> That code has to go.
> 
> 
> One approach would be to reject such mappings (no idea if user space relies on private mappings), the other one would be to remove this driver. Judging that the driver already was marked broken in 2020 (ad85094b293e ("Revert "media: staging: atomisp: Remove driver"")), maybe it's time for the driver to go.

There is still quite a lot of hw out there (and being used
with Linux) which has camera sensors connected to the atomisp2.

Recently a community member finally managed to actually make
the driver work and I have been working on cleaning it up since.

For 6.2 I set of patches converting the driver to the videobuf2
framework will land and as part of that all the problematic code
you point to above has been removed.

If you grep for VM_SHARED under drivers/staging/media/atomisp
in linux-next you will find no hits :)

Regards,

Hans

Re: Dubious usage of VM_SHARED in atomisp_fops.c

[David Hildenbrand]

On 14.12.22 12:07, Hans de Goede wrote:
> Hi David,
> 
> On 12/14/22 11:22, David Hildenbrand wrote:
>> Hi,
>>
>> going over all VM_SHARED and VM_MAYSHARE user in the kernel, I stumbled over the following dubious code in drivers/staging/media/atomisp/pci/atomisp_fops.c:
>>
>>
>> if (!(vma->vm_flags & (VM_WRITE | VM_READ)))
>>      return -EACCES;
>>
>> ...
>>
>> if (!(vma->vm_flags & VM_SHARED)) {
>>      /* Map private buffer.
>>       * Set VM_SHARED to the flags since we need
>>       * to map the buffer page by page.
>>       * Without VM_SHARED, remap_pfn_range() treats
>>       * this kind of mapping as invalid.
>>       */
>>      vma->vm_flags |= VM_SHARED;
>>      ret = hmm_mmap(vma, vma->vm_pgoff << PAGE_SHIFT);
>>      ...
>> }
>>
>>
>> We're converting a writable MAP_PRIVATE mapping ("COW mapping") into a writable MAP_SHARED mapping, to hack around the is_cow_mapping() check in remap_pfn_range_notrack().
>>
>> We're not even setting VM_MAYSHARE and turn the mapping silently into something with completely different semantics.
>>
>>
>> That code has to go.
>>
>>
>> One approach would be to reject such mappings (no idea if user space relies on private mappings), the other one would be to remove this driver. Judging that the driver already was marked broken in 2020 (ad85094b293e ("Revert "media: staging: atomisp: Remove driver"")), maybe it's time for the driver to go.
> 
> There is still quite a lot of hw out there (and being used
> with Linux) which has camera sensors connected to the atomisp2.
> 
> Recently a community member finally managed to actually make
> the driver work and I have been working on cleaning it up since.
> 
> For 6.2 I set of patches converting the driver to the videobuf2
> framework will land and as part of that all the problematic code
> you point to above has been removed.
> 
> If you grep for VM_SHARED under drivers/staging/media/atomisp
> in linux-next you will find no hits :)

Hurray, thanks Hans :)

-- 
Thanks,

David / dhildenb

Re: Dubious usage of VM_SHARED in atomisp_fops.c

[Andy Shevchenko]

On Wed, Dec 14, 2022 at 11:22:39AM +0100, David Hildenbrand wrote:

...

> the other one would be to remove this driver. Judging
> that the driver already was marked broken in 2020 (ad85094b293e ("Revert
> "media: staging: atomisp: Remove driver"")), maybe it's time for the driver
> to go.

Not an option at all. As Hans explained.

-- 
With Best Regards,
Andy Shevchenko