From mboxrd@z Thu Jan 1 00:00:00 1970
From: Sasha Levin
Subject: [PATCH AUTOSEL 4.19 088/167] drm/i915: Sanity check mmap length against object size
Date: Tue, 3 Sep 2019 12:24:00 -0400
Message-ID: <20190903162519.7136-88-sashal@kernel.org>
In-Reply-To: <20190903162519.7136-1-sashal@kernel.org>
References: <20190903162519.7136-1-sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Sasha Levin, intel-gfx@lists.freedesktop.org, dri-devel@lists.freedesktop.org

From: Chris Wilson

[ Upstream commit 000c4f90e3f0194eef218ff2c6a8fd8ca1de4313 ]

We assumed that vm_mmap() would reject an attempt to mmap past the end of
the filp (our object), but we were wrong.

Applications that tried to use the mmap beyond the end of the object
would be greeted by a SIGBUS. After this patch, those applications will
be told about the error on creating the mmap, rather than at a random
moment on later access.

Reported-by: Antonio Argenziano
Testcase: igt/gem_mmap/bad-size
Signed-off-by: Chris Wilson Cc: Antonio Argenziano Cc: Joonas Lahtinen Cc: Tvrtko Ursulin Cc: stable@vger.kernel.org Reviewed-by: Tvrtko Ursulin Reviewed-by: Joonas Lahtinen Link: https://patchwork.freedesktop.org/patch/msgid/20190314075829.16838-1-chris@chris-wilson.co.uk (cherry picked from commit 794a11cb67201ad1bb61af510bb8460280feb3f3) Signed-off-by: Rodrigo Vivi Signed-off-by: Sasha Levin --- drivers/gpu/drm/i915/i915_gem.c | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c index 9634d3adb8d01..9372877100420 100644 --- a/drivers/gpu/drm/i915/i915_gem.c +++ b/drivers/gpu/drm/i915/i915_gem.c @@ -1874,8 +1874,13 @@ i915_gem_mmap_ioctl(struct drm_device *dev, void *data, * pages from. */ if (!obj->base.filp) { - i915_gem_object_put(obj); - return -ENXIO; + addr = -ENXIO; + goto err; + } + + if (range_overflows(args->offset, args->size, (u64)obj->base.size)) { + addr = -EINVAL; + goto err; } addr = vm_mmap(obj->base.filp, 0, args->size, @@ -1889,8 +1894,8 @@ i915_gem_mmap_ioctl(struct drm_device *dev, void *data, struct vm_area_struct *vma; if (down_write_killable(&mm->mmap_sem)) { - i915_gem_object_put(obj); - return -EINTR; + addr = -EINTR; + goto err; } vma = find_vma(mm, addr); if (vma && __vma_matches(vma, obj->base.filp, addr, args->size)) @@ -1908,12 +1913,10 @@ i915_gem_mmap_ioctl(struct drm_device *dev, void *data, i915_gem_object_put(obj); args->addr_ptr = (uint64_t) addr; - return 0; err: i915_gem_object_put(obj); - return addr; } -- 2.20.1
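
Review bot: the new range_overflows() check in the first hunk (@@ -1874) has no comment saying why it is needed, while the filp check directly above it keeps its comment block (the one ending "pages from."). The commit message records that vm_mmap() was wrongly assumed to reject a request past the end of the object. A one-line comment above `if (range_overflows(args->offset, args->size, (u64)obj->base.size))` stating that vm_mmap() does not bound the request by the object size would keep a later cleanup from dropping the check as redundant. The subject also speaks only of the mmap length, while the check bounds args->offset together with args->size, so the changelog should mention the offset too.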
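
Review bot: the two blank-line removals in the last hunk (@@ -1908), before `return 0;` and before `return addr;`, are whitespace-only changes unrelated to the bounds check. In a fix tagged for stable they add conflict surface for later backports touching the same exit path without changing behaviour. They have to stay here to match the upstream commit, but the original would have been cleaner with the hunk limited to the error-path conversion.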
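
A userspace analogue of the behaviour the commit message describes, as an added example that is not part of the patch or of the i915 driver: mmap() of a file accepts a length past the end of the backing object, and an overflow-safe offset/size check turns that into an immediate -EINVAL. The names `range_exceeds`, `make_object` and `map_object` are hypothetical, and the temp file is a constructed stand-in for the object; it assumes 64-bit Linux with a writable /tmp.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>

/* Overflow-safe: subtracting means a huge offset cannot wrap the sum. */
static int range_exceeds(uint64_t offset, uint64_t size, uint64_t max)
{
	return offset > max || size > max - offset;
}

/* Unlinked temp file of obj_size bytes: a constructed stand-in object. */
static int make_object(off_t obj_size)
{
	char path[] = "/tmp/objXXXXXX";
	int fd = mkstemp(path);
	if (fd >= 0) {
		unlink(path);
		if (ftruncate(fd, obj_size) < 0) {
			close(fd);
			fd = -1;
		}
	}
	return fd;
}

/* 0 if mapped, else -errno; checked == 1 validates before calling mmap(). */
static int map_object(int fd, uint64_t obj_size, uint64_t offset,
		      uint64_t size, int checked)
{
	void *p;
	if (checked && range_exceeds(offset, size, obj_size))
		return -EINVAL;
	p = mmap(NULL, size, PROT_READ, MAP_SHARED, fd, (off_t)offset);
	if (p == MAP_FAILED)
		return -errno;
	munmap(p, size);
	return 0;
}

int main(void)
{
	uint64_t pg = (uint64_t)sysconf(_SC_PAGESIZE);
	int fd = make_object((off_t)pg);
	/* exit 0: oversize request maps unchecked, is refused when checked */
	return !(fd >= 0 && map_object(fd, pg, 0, 2 * pg, 0) == 0 &&
		 map_object(fd, pg, 0, 2 * pg, 1) == -EINVAL);
}
```

Touching the second page of the unchecked mapping is what would raise SIGBUS; the example unmaps without accessing it.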