[PATCH v1] dmaengine: idxd: Fix allowing write() from different address spaces

DMA Engine development
 help / color / mirror / Atom feed

* [PATCH v1] dmaengine: idxd: Fix allowing write() from different address spaces
@ 2025-04-16  2:52 Vinicius Costa Gomes
  2025-04-16 14:52 ` Dave Jiang
  2025-04-16 15:10 ` Nathan Lynch
  0 siblings, 2 replies; 4+ messages in thread
From: Vinicius Costa Gomes @ 2025-04-16  2:52 UTC (permalink / raw)
  To: Vinicius Costa Gomes, Dave Jiang, Vinod Koul, Arjan van de Ven,
	Nikhil Rao, dmaengine, linux-kernel

Check if the process submitting the descriptor belongs to the same
address space as the one that opened the file, reject otherwise.

Fixes: 6827738dc684 ("dmaengine: idxd: add a write() method for applications to submit work")
Signed-off-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
---
 drivers/dma/idxd/cdev.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/dma/idxd/cdev.c b/drivers/dma/idxd/cdev.c
index ff94ee892339..373c622fcddc 100644
--- a/drivers/dma/idxd/cdev.c
+++ b/drivers/dma/idxd/cdev.c
@@ -473,6 +473,9 @@ static ssize_t idxd_cdev_write(struct file *filp, const char __user *buf, size_t
 	ssize_t written = 0;
 	int i;
 
+	if (current->mm != ctx->mm)
+		return -EPERM;
+
 	for (i = 0; i < len/sizeof(struct dsa_hw_desc); i++) {
 		int rc = idxd_submit_user_descriptor(ctx, udesc + i);
 
-- 
2.49.0


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH v1] dmaengine: idxd: Fix allowing write() from different address spaces
  2025-04-16  2:52 [PATCH v1] dmaengine: idxd: Fix allowing write() from different address spaces Vinicius Costa Gomes
@ 2025-04-16 14:52 ` Dave Jiang
  2025-04-16 15:10 ` Nathan Lynch
  1 sibling, 0 replies; 4+ messages in thread
From: Dave Jiang @ 2025-04-16 14:52 UTC (permalink / raw)
  To: Vinicius Costa Gomes, Vinod Koul, Arjan van de Ven, dmaengine,
	linux-kernel



On 4/15/25 7:52 PM, Vinicius Costa Gomes wrote:
> Check if the process submitting the descriptor belongs to the same
> address space as the one that opened the file, reject otherwise.
> 
> Fixes: 6827738dc684 ("dmaengine: idxd: add a write() method for applications to submit work")
> Signed-off-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>

Reviewed-by: Dave Jiang <dave.jiang@intel.com>

> ---
>  drivers/dma/idxd/cdev.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/drivers/dma/idxd/cdev.c b/drivers/dma/idxd/cdev.c
> index ff94ee892339..373c622fcddc 100644
> --- a/drivers/dma/idxd/cdev.c
> +++ b/drivers/dma/idxd/cdev.c
> @@ -473,6 +473,9 @@ static ssize_t idxd_cdev_write(struct file *filp, const char __user *buf, size_t
>  	ssize_t written = 0;
>  	int i;
>  
> +	if (current->mm != ctx->mm)
> +		return -EPERM;
> +
>  	for (i = 0; i < len/sizeof(struct dsa_hw_desc); i++) {
>  		int rc = idxd_submit_user_descriptor(ctx, udesc + i);
>  


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH v1] dmaengine: idxd: Fix allowing write() from different address spaces
  2025-04-16  2:52 [PATCH v1] dmaengine: idxd: Fix allowing write() from different address spaces Vinicius Costa Gomes
  2025-04-16 14:52 ` Dave Jiang
@ 2025-04-16 15:10 ` Nathan Lynch
  2025-04-21 15:57   ` Dave Jiang
  1 sibling, 1 reply; 4+ messages in thread
From: Nathan Lynch @ 2025-04-16 15:10 UTC (permalink / raw)
  To: Vinicius Costa Gomes, Dave Jiang, Vinod Koul, Arjan van de Ven,
	Nikhil Rao, dmaengine, linux-kernel

Vinicius Costa Gomes <vinicius.gomes@intel.com> writes:
> Check if the process submitting the descriptor belongs to the same
> address space as the one that opened the file, reject otherwise.

I assume this can happen after a fork.

Do idxd_cdev_mmap() and idxd_cdev_poll() need similar protection?

>
> Fixes: 6827738dc684 ("dmaengine: idxd: add a write() method for applications to submit work")
> Signed-off-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
> ---
>  drivers/dma/idxd/cdev.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/drivers/dma/idxd/cdev.c b/drivers/dma/idxd/cdev.c
> index ff94ee892339..373c622fcddc 100644
> --- a/drivers/dma/idxd/cdev.c
> +++ b/drivers/dma/idxd/cdev.c
> @@ -473,6 +473,9 @@ static ssize_t idxd_cdev_write(struct file *filp, const char __user *buf, size_t
>  	ssize_t written = 0;
>  	int i;
>  
> +	if (current->mm != ctx->mm)
> +		return -EPERM;
> +
>  	for (i = 0; i < len/sizeof(struct dsa_hw_desc); i++) {
>  		int rc = idxd_submit_user_descriptor(ctx, udesc + i);
>  
> -- 
> 2.49.0

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH v1] dmaengine: idxd: Fix allowing write() from different address spaces
  2025-04-16 15:10 ` Nathan Lynch
@ 2025-04-21 15:57   ` Dave Jiang
  0 siblings, 0 replies; 4+ messages in thread
From: Dave Jiang @ 2025-04-21 15:57 UTC (permalink / raw)
  To: Nathan Lynch, Vinicius Costa Gomes, Vinod Koul, Arjan van de Ven,
	Nikhil Rao, dmaengine, linux-kernel



On 4/16/25 8:10 AM, Nathan Lynch wrote:
> Vinicius Costa Gomes <vinicius.gomes@intel.com> writes:
>> Check if the process submitting the descriptor belongs to the same
>> address space as the one that opened the file, reject otherwise.
> 
> I assume this can happen after a fork.
> 
> Do idxd_cdev_mmap() and idxd_cdev_poll() need similar protection?

Seems reasonable. Vinicius is on sabbatical. I'll respin his code and add the suggested checks. Thanks Nathan.

DJ

> 
>>
>> Fixes: 6827738dc684 ("dmaengine: idxd: add a write() method for applications to submit work")
>> Signed-off-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
>> ---
>>  drivers/dma/idxd/cdev.c | 3 +++
>>  1 file changed, 3 insertions(+)
>>
>> diff --git a/drivers/dma/idxd/cdev.c b/drivers/dma/idxd/cdev.c
>> index ff94ee892339..373c622fcddc 100644
>> --- a/drivers/dma/idxd/cdev.c
>> +++ b/drivers/dma/idxd/cdev.c
>> @@ -473,6 +473,9 @@ static ssize_t idxd_cdev_write(struct file *filp, const char __user *buf, size_t
>>  	ssize_t written = 0;
>>  	int i;
>>  
>> +	if (current->mm != ctx->mm)
>> +		return -EPERM;
>> +
>>  	for (i = 0; i < len/sizeof(struct dsa_hw_desc); i++) {
>>  		int rc = idxd_submit_user_descriptor(ctx, udesc + i);
>>  
>> -- 
>> 2.49.0


^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2025-04-21 15:57 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-04-16  2:52 [PATCH v1] dmaengine: idxd: Fix allowing write() from different address spaces Vinicius Costa Gomes
2025-04-16 14:52 ` Dave Jiang
2025-04-16 15:10 ` Nathan Lynch
2025-04-21 15:57   ` Dave Jiang

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox