* [PATCH] accel/qaic: Add overflow check to remap_pfn_range during mmap
From: Zack McKevitt @ 2026-04-23 20:44 UTC (permalink / raw)
To: youssef.abdulrahman, jeff.hugo, carl.vanderlip, troy.hanson
Cc: ogabbay, lizhi.hou, karol.wachowski, linux-arm-msm, dri-devel,
Zack McKevitt, Lukas Maar
The call to remap_pfn_range in qaic_gem_object_mmap is susceptible to
(re)mapping beyond the VMA if the BO is too large. This can cause use
after free issues when munmap() unmaps only the VMA region and not the
additional mappings. To prevent this, check the remaining size of the
VMA before remapping and truncate the remapped length if sg->length is
too large.
Reported-by: Lukas Maar <lukas.maar@tugraz.at>
Fixes: ff13be830333 ("accel/qaic: Add datapath")
Signed-off-by: Zack McKevitt <zachary.mckevitt@oss.qualcomm.com>
---
drivers/accel/qaic/qaic_data.c | 20 ++++++++++++++++++--
1 file changed, 18 insertions(+), 2 deletions(-)
diff --git a/drivers/accel/qaic/qaic_data.c b/drivers/accel/qaic/qaic_data.c
index 95300c2f7d8a..8a6948f11346 100644
--- a/drivers/accel/qaic/qaic_data.c
+++ b/drivers/accel/qaic/qaic_data.c
@@ -606,8 +606,11 @@ static const struct vm_operations_struct drm_vm_ops = {
static int qaic_gem_object_mmap(struct drm_gem_object *obj, struct vm_area_struct *vma)
{
struct qaic_bo *bo = to_qaic_bo(obj);
+ unsigned long remap_start;
unsigned long offset = 0;
+ unsigned long remap_end;
struct scatterlist *sg;
+ unsigned long length;
int ret = 0;
if (drm_gem_is_imported(obj))
@@ -615,11 +618,24 @@ static int qaic_gem_object_mmap(struct drm_gem_object *obj, struct vm_area_struc
for (sg = bo->sgt->sgl; sg; sg = sg_next(sg)) {
if (sg_page(sg)) {
+ /* if sg is too large for the VMA, so truncate it to fit */
+ if (check_add_overflow(vma->vm_start, offset, &remap_start))
+ return -EINVAL;
+ if (check_add_overflow(remap_start, sg->length, &remap_end))
+ return -EINVAL;
+ if (remap_end >= vma->vm_end)
+ length = vma->vm_end - remap_start;
+ else
+ length = sg->length;
+
+ if (length <= 0)
+ goto out;
+
ret = remap_pfn_range(vma, vma->vm_start + offset, page_to_pfn(sg_page(sg)),
- sg->length, vma->vm_page_prot);
+ length, vma->vm_page_prot);
if (ret)
goto out;
- offset += sg->length;
+ offset += length;
}
}
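Review bot: the new comment ("if sg is too large for the VMA, so truncate it to fit") mixes two constructions; "sg may be too large for the VMA, so truncate it to fit" reads cleanly. On the bound itself, `remap_end >= vma->vm_end` and `remap_end > vma->vm_end` behave the same here (at equality the truncated length equals sg->length), but `>` states the intent, since vm_end is exclusive and an entry ending exactly at vm_end fits. `length <= 0` on an unsigned long is only ever `length == 0`; write it that way so a reader does not look for a negative case. The subtraction `vma->vm_end - remap_start` relies on remap_start never exceeding vm_end; that holds because offset only grows by the clamped length and the loop stops on a zero length, and it is worth saying so in the comment, because a later reordering of the checks would make it underflow silently. Finally, `goto out` with ret still 0 returns success for a BO that was only partially mapped, which matches the truncation the commit message describes.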
--
2.34.1
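A user-space model of the clamping the patch adds to the mmap loop, as an added example that is not the qaic driver's code: `vma_model`, `clamp_remap_length` and `map_sg_list` are made-up names, the kernel's `check_add_overflow()` is stood in for by `__builtin_add_overflow()`, and the VMA bounds and scatterlist lengths are constructed inputs. It uses the `>` comparison and the `== 0` test discussed in review, and adds a guard that the in-kernel loop invariant makes redundant.

```c
/* Constructed stand-in for the two VMA fields the mmap path reads. */
struct vma_model {
    unsigned long vm_start;  /* first byte of the mapping */
    unsigned long vm_end;    /* one past the last byte (exclusive) */
};

/*
 * Clamp an sg entry of sg_length bytes placed at vm_start + offset so that
 * it never extends past vm_end. Returns -22 (-EINVAL) if the address
 * arithmetic would wrap, otherwise 0 with the clamped length in *out_len
 * (0 means the VMA is already full and mapping must stop).
 */
long clamp_remap_length(const struct vma_model *vma, unsigned long offset,
                        unsigned long sg_length, unsigned long *out_len)
{
    unsigned long remap_start, remap_end;

    if (__builtin_add_overflow(vma->vm_start, offset, &remap_start))
        return -22;
    if (__builtin_add_overflow(remap_start, sg_length, &remap_end))
        return -22;
    /* Guard for stand-alone callers: the loop below never lets offset grow
     * past the VMA, so in-kernel this case is unreachable. */
    if (remap_start >= vma->vm_end) {
        *out_len = 0;
        return 0;
    }
    /* '>' not '>=': an entry ending exactly at vm_end fits whole. */
    if (remap_end > vma->vm_end)
        *out_len = vma->vm_end - remap_start;
    else
        *out_len = sg_length;
    return 0;
}

/* Walk constructed sg lengths the way the mmap loop does; returns the total
 * number of bytes that would have been handed to remap_pfn_range(). */
unsigned long map_sg_list(const struct vma_model *vma, const unsigned long *sg_len,
                          unsigned long n, int *err)
{
    unsigned long offset = 0, length = 0;

    *err = 0;
    for (unsigned long i = 0; i < n; i++) {
        long ret = clamp_remap_length(vma, offset, sg_len[i], &length);
        if (ret) { *err = (int)ret; break; }
        if (length == 0)  /* VMA full: remaining entries are not mapped */
            break;
        offset += length; /* remap_pfn_range(vma, vm_start + offset, ..., length, ...) */
    }
    return offset;
}
```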
* Re: [PATCH] accel/qaic: Add overflow check to remap_pfn_range during mmap
From: Karol Wachowski @ 2026-04-24 5:39 UTC (permalink / raw)
To: Zack McKevitt, youssef.abdulrahman, jeff.hugo, carl.vanderlip,
troy.hanson
Cc: ogabbay, lizhi.hou, linux-arm-msm, dri-devel, Lukas Maar
On 4/23/2026 10:44 PM, Zack McKevitt wrote:
> The call to remap_pfn_range in qaic_gem_object_mmap is susceptible to
> (re)mapping beyond the VMA if the BO is too large. This can cause use
> after free issues when munmap() unmaps only the VMA region and not the
> additional mappings. To prevent this, check the remaining size of the
> VMA before remapping and truncate the remapped length if sg->length is
> too large.
>
> Reported-by: Lukas Maar <lukas.maar@tugraz.at>
> Fixes: ff13be830333 ("accel/qaic: Add datapath")
> Signed-off-by: Zack McKevitt <zachary.mckevitt@oss.qualcomm.com>
> ---
> drivers/accel/qaic/qaic_data.c | 20 ++++++++++++++++++--
> 1 file changed, 18 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/accel/qaic/qaic_data.c b/drivers/accel/qaic/qaic_data.c
> index 95300c2f7d8a..8a6948f11346 100644
> --- a/drivers/accel/qaic/qaic_data.c
> +++ b/drivers/accel/qaic/qaic_data.c
> @@ -606,8 +606,11 @@ static const struct vm_operations_struct drm_vm_ops = {
> static int qaic_gem_object_mmap(struct drm_gem_object *obj, struct vm_area_struct *vma)
> {
> struct qaic_bo *bo = to_qaic_bo(obj);
> + unsigned long remap_start;
> unsigned long offset = 0;
> + unsigned long remap_end;
> struct scatterlist *sg;
> + unsigned long length;
> int ret = 0;
>
> if (drm_gem_is_imported(obj))
> @@ -615,11 +618,24 @@ static int qaic_gem_object_mmap(struct drm_gem_object *obj, struct vm_area_struc
>
> for (sg = bo->sgt->sgl; sg; sg = sg_next(sg)) {
> if (sg_page(sg)) {
> + /* if sg is too large for the VMA, so truncate it to fit */
> + if (check_add_overflow(vma->vm_start, offset, &remap_start))
> + return -EINVAL;
> + if (check_add_overflow(remap_start, sg->length, &remap_end))
> + return -EINVAL;
> + if (remap_end >= vma->vm_end)
nit: seems that remap_end == vma->vm_end would fit, shouldn't this
check be?
if (remap_end > vma->vm_end)
> + length = vma->vm_end - remap_start;
> + else
> + length = sg->length;
> +
> + if (length <= 0)
nit: unsigned long length can't really go negative
> + goto out;
> +
> ret = remap_pfn_range(vma, vma->vm_start + offset, page_to_pfn(sg_page(sg)),
> - sg->length, vma->vm_page_prot);
> + length, vma->vm_page_prot);
> if (ret)
> goto out;
> - offset += sg->length;
> + offset += length;
> }
> }
>
With these
Reviewed-by: Karol Wachowski <karol.wachowski@linux.intel.com>