• Dan Williams's avatar
    /dev/mem: Revoke mappings when a driver claims the region · 3234ac66
    Dan Williams authored
    Close the hole of holding a mapping over kernel driver takeover event of
    a given address range.
    
    Commit 90a545e9 ("restrict /dev/mem to idle io memory ranges")
    introduced CONFIG_IO_STRICT_DEVMEM with the goal of protecting the
    kernel against scenarios where a /dev/mem user tramples memory that a
    kernel driver owns. However, this protection only prevents *new* read(),
    write() and mmap() requests. Established mappings prior to the driver
    calling request_mem_region() are left alone.
    
    Especially with persistent memory, and the core kernel metadata that is
    stored there, there are plentiful scenarios for a /dev/mem user to
    violate the expectations of the driver and cause amplified damage.
    
    Teach request_mem_region() to find and shoot down active /dev/mem
    mappings that it believes it has successfully claimed for the exclusive
    use of the driver. Effectively a driver call to request_mem_region()
    becomes a hole-punch on the /dev/mem device.
    
    The typical usage of unmap_mapping_range() is part of
    truncate_pagecache() to punch a hole in a file, but in this case the
    implementation is only doing the "first half" of a hole punch. Namely it
    is just evacuating current established mappings of the "hole", and it
    relies on the fact that /dev/mem establishes mappings in terms of
    absolute physical address offsets. Once existing mmap users are
    invalidated they can attempt to re-establish the mapping, or attempt to
    continue issuing read(2) / write(2) to the invalidated extent, but they
    will then be subject to the CONFIG_IO_STRICT_DEVMEM checking that can
    block those subsequent accesses.
    
    Cc: Arnd Bergmann <arnd@arndb.de>
    Cc: Ingo Molnar <mingo@redhat.com>
    Cc: Kees Cook <keescook@chromium.org>
    Cc: Matthew Wilcox <willy@infradead.org>
    Cc: Russell King <linux@arm.linux.org.uk>
    Cc: Andrew Morton <akpm@linux-foundation.org>
    Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Fixes: 90a545e9 ("restrict /dev/mem to idle io memory ranges")
    Signed-off-by: default avatarDan Williams <dan.j.williams@intel.com>
    Reviewed-by: default avatarKees Cook <keescook@chromium.org>
    Link: https://lore.kernel.org/r/159009507306.847224.8502634072429766747.stgit@dwillia2-desk3.amr.corp.intel.comSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    3234ac66
resource.c 42.9 KB