[PATCH v3 12/16] PCI: Obey iomem restrictions for procfs mmap

Jason Gunthorpe jgg at ziepe.ca
Wed Oct 21 12:50:30 UTC 2020 

On Wed, Oct 21, 2020 at 10:56:51AM +0200, Daniel Vetter wrote:
> There's three ways to access PCI BARs from userspace: /dev/mem, sysfs
> files, and the old proc interface. Two check against
> iomem_is_exclusive, proc never did. And with CONFIG_IO_STRICT_DEVMEM,
> this starts to matter, since we don't want random userspace having
> access to PCI BARs while a driver is loaded and using it.
> 
> Fix this by adding the same iomem_is_exclusive() check we already have
> on the sysfs side in pci_mmap_resource().
> 
> References: 90a545e98126 ("restrict /dev/mem to idle io memory ranges")
> Signed-off-by: Daniel Vetter <daniel.vetter at intel.com>
> Cc: Jason Gunthorpe <jgg at ziepe.ca>
> Cc: Kees Cook <keescook at chromium.org>
> Cc: Dan Williams <dan.j.williams at intel.com>
> Cc: Andrew Morton <akpm at linux-foundation.org>
> Cc: John Hubbard <jhubbard at nvidia.com>
> Cc: Jérôme Glisse <jglisse at redhat.com>
> Cc: Jan Kara <jack at suse.cz>
> Cc: Dan Williams <dan.j.williams at intel.com>
> Cc: linux-mm at kvack.org
> Cc: linux-arm-kernel at lists.infradead.org
> Cc: linux-samsung-soc at vger.kernel.org
> Cc: linux-media at vger.kernel.org
> Cc: Bjorn Helgaas <bhelgaas at google.com>
> Cc: linux-pci at vger.kernel.org
> Signed-off-by: Daniel Vetter <daniel.vetter at ffwll.com>

Maybe not for fixing in this series, but this access to
IORESOURCE_BUSY doesn't have any locking.

The write side holds the resource_lock at least..

>  	ret = pci_mmap_page_range(dev, i, vma,
>  				  fpriv->mmap_state, write_combine);

At this point the vma isn't linked into the address space, so doesn't
this happen?

     CPU 0                                  CPU1
 mmap_region()
   vma = vm_area_alloc
   proc_bus_pci_mmap
    iomem_is_exclusive
    pci_mmap_page_range
                                            revoke_devmem
                                             unmap_mapping_range()
     // vma is not linked to the address space here,
     // unmap doesn't find it
  vma_link() 
  !!! The VMA gets mapped with the revoked PTEs

I couldn't find anything that prevents it at least, no mmap_sem on the
unmap side, just the i_mmap_lock

Not seeing how address space and pre-populating during mmap work
together? Did I miss locking someplace?

Not something to be fixed for this series, this is clearly an
improvement, but seems like another problem to tackle?

Jason

More information about the dri-devel mailing list