From: Karol Wachowski <karol.wachowski@linux.intel.com>
To: Zack McKevitt <zachary.mckevitt@oss.qualcomm.com>,
youssef.abdulrahman@oss.qualcomm.com, jeff.hugo@oss.qualcomm.com,
carl.vanderlip@oss.qualcomm.com, troy.hanson@oss.qualcomm.com
Cc: ogabbay@kernel.org, lizhi.hou@amd.com,
linux-arm-msm@vger.kernel.org, dri-devel@lists.freedesktop.org,
Lukas Maar <lukas.maar@tugraz.at>
Subject: Re: [PATCH] accel/qaic: Add overflow check to remap_pfn_range during mmap
Date: Fri, 24 Apr 2026 07:39:15 +0200
Message-ID: <2a4e7ce2-64dc-4c17-ae51-5e53c59669cf@linux.intel.com>
In-Reply-To: <20260423204412.2861046-1-zachary.mckevitt@oss.qualcomm.com>
On 4/23/2026 10:44 PM, Zack McKevitt wrote:
> The call to remap_pfn_range in qaic_gem_object_mmap is susceptible to
> (re)mapping beyond the VMA if the BO is too large. This can cause use-
> after-free issues when munmap() unmaps only the VMA region and not the
> additional mappings. To prevent this, check the remaining size of the
> VMA before remapping and truncate the remapped length if sg->length is
> too large.
>
> Reported-by: Lukas Maar <lukas.maar@tugraz.at>
> Fixes: ff13be830333 ("accel/qaic: Add datapath")
> Signed-off-by: Zack McKevitt <zachary.mckevitt@oss.qualcomm.com>
> ---
> drivers/accel/qaic/qaic_data.c | 20 ++++++++++++++++++--
> 1 file changed, 18 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/accel/qaic/qaic_data.c b/drivers/accel/qaic/qaic_data.c
> index 95300c2f7d8a..8a6948f11346 100644
> --- a/drivers/accel/qaic/qaic_data.c
> +++ b/drivers/accel/qaic/qaic_data.c
> @@ -606,8 +606,11 @@ static const struct vm_operations_struct drm_vm_ops = {
> static int qaic_gem_object_mmap(struct drm_gem_object *obj, struct vm_area_struct *vma)
> {
> struct qaic_bo *bo = to_qaic_bo(obj);
> + unsigned long remap_start;
> unsigned long offset = 0;
> + unsigned long remap_end;
> struct scatterlist *sg;
> + unsigned long length;
> int ret = 0;
>
> if (drm_gem_is_imported(obj))
> @@ -615,11 +618,24 @@ static int qaic_gem_object_mmap(struct drm_gem_object *obj, struct vm_area_struc
>
> for (sg = bo->sgt->sgl; sg; sg = sg_next(sg)) {
> if (sg_page(sg)) {
> + /* if sg is too large for the VMA, so truncate it to fit */
> + if (check_add_overflow(vma->vm_start, offset, &remap_start))
> + return -EINVAL;
> + if (check_add_overflow(remap_start, sg->length, &remap_end))
> + return -EINVAL;
> + if (remap_end >= vma->vm_end)
nit: seems that remap_end == vma->vm_end would fit, shouldn't this
check be?
if (remap_end > vma->vm_end)
> + length = vma->vm_end - remap_start;
> + else
> + length = sg->length;
> +
> + if (length <= 0)
nit: unsigned long length can't really go negative
> + goto out;
> +
> ret = remap_pfn_range(vma, vma->vm_start + offset, page_to_pfn(sg_page(sg)),
> - sg->length, vma->vm_page_prot);
> + length, vma->vm_page_prot);
> if (ret)
> goto out;
> - offset += sg->length;
> + offset += length;
> }
> }
>
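Review bot: `remap_start` already holds `vma->vm_start + offset` after the first `check_add_overflow()` in this block, yet the `remap_pfn_range()` call below still passes `vma->vm_start + offset`; passing `remap_start` instead avoids recomputing the very sum whose overflow was just checked. Two smaller points in the same hunk: the comment `/* if sg is too large for the VMA, so truncate it to fit */` reads as two half-sentences and could be `/* Truncate the sg if it is too large for the VMA */`; and because `length` is `unsigned long`, `if (length <= 0)` is effectively `if (!length)`, which is exactly what the truncation branch yields once `remap_start` reaches `vma->vm_end`. On the `>=` comparison: an sg entry that ends exactly at `vma->vm_end` takes the truncation branch but still gets `length == sg->length`, so the result is the same either way and `>` merely states the intent more clearly. Finally, a truncated mapping now returns 0 (`ret` is still 0 at `goto out`), so a caller that mmaps a VMA smaller than the BO silently gets a partial mapping; a one-line comment saying that this is intentional would help the next reader.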
With these
Reviewed-by: Karol Wachowski <karol.wachowski@linux.intel.com>