On Fri, Apr 28, 2023 at 05:23:29PM +0200, David Hildenbrand wrote:
> > > 
> > > Security is the primary case where we have historically closed uAPI
> > > items.
> > 
> > As this patch
> > 
> > 1) Does not tackle GUP-fast
> > 2) Does not take care of !FOLL_LONGTERM
> > 
> > I am not convinced by the security argument in regard to this patch.
> > 
> > 
> > If we want to sell this as a security thing, we have to block it
> > *completely* and then CC stable.
> 
> Regarding GUP-fast, to fix the issue there as well, I guess we could do
> something similar as I did in gup_must_unshare():
> 
> If we're in GUP-fast (no VMA), and want to pin a !anon page writable,
> fall back to ordinary GUP. IOW, if we don't know, better be safe.

How do we determine it's non-anon in the first place? The check is on the
VMA. We could do it by following page tables down to the folio and checking
folio->mapping for PAGE_MAPPING_ANON, I suppose?

> 
> Of course, this would prevent hugetlb/shmem from getting pinned writable
> during gup-fast. Unless we're able to whitelist them somehow in there.

We could degrade those to non-fast assuming not FOLL_FAST_ONLY. But it'd be
a pity.

> 
> 
> For FOLL_LONGTERM it might be fairly uncontroversial. For everything else I'm
> not sure if there could be undesired side-effects.

Yeah, this is why I pared the patch down to this alone :) There are
definitely concerns and issues with other cases, notably ptrace + friends,
but obviously not only. FOLL_LONGTERM is just the most egregious case.

> 
> -- 
> Thanks,
> 
> David / dhildenb
> 