From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail.linuxfoundation.org ([140.211.169.12]:60820 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752793AbcEAXVU (ORCPT ); Sun, 1 May 2016 19:21:20 -0400 Subject: Patch "drm/radeon: forbid mapping of userptr bo through radeon device file" has been added to the 4.4-stable tree To: jglisse@redhat.com, alexander.deucher@amd.com, christian.koenig@amd.com, gregkh@linuxfoundation.org Cc: , From: Date: Sun, 01 May 2016 16:21:18 -0700 Message-ID: <14621448789123@kroah.com> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: stable-owner@vger.kernel.org List-ID: This is a note to let you know that I've just added the patch titled drm/radeon: forbid mapping of userptr bo through radeon device file to the 4.4-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: drm-radeon-forbid-mapping-of-userptr-bo-through-radeon-device-file.patch and it can be found in the queue-4.4 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let know about it. >>From b5dcec693f87cb8475f2291c0075b2422addd3d6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=B4me=20Glisse?= Date: Tue, 19 Apr 2016 09:07:50 -0400 Subject: drm/radeon: forbid mapping of userptr bo through radeon device file MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit From: Jérôme Glisse commit b5dcec693f87cb8475f2291c0075b2422addd3d6 upstream. Allowing userptr bo which are basicly a list of page from some vma (so either anonymous page or file backed page) would lead to serious corruption of kernel structures and counters (because we overwrite the page->mapping field when mapping buffer). This will already block if the buffer was populated before anyone does try to mmap it because then TTM_PAGE_FLAG_SG would be set in in the ttm_tt flags. But that flag is check before ttm_tt_populate in the ttm vm fault handler. So to be safe just add a check to verify_access() callback. Reviewed-by: Christian König Signed-off-by: Jérôme Glisse Signed-off-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman --- drivers/gpu/drm/radeon/radeon_ttm.c | 2 ++ 1 file changed, 2 insertions(+) --- a/drivers/gpu/drm/radeon/radeon_ttm.c +++ b/drivers/gpu/drm/radeon/radeon_ttm.c @@ -235,6 +235,8 @@ static int radeon_verify_access(struct t { struct radeon_bo *rbo = container_of(bo, struct radeon_bo, tbo); + if (radeon_ttm_tt_has_userptr(bo->ttm)) + return -EPERM; return drm_vma_node_verify_access(&rbo->gem_base.vma_node, filp); } Patches currently in stable-queue which might be from jglisse@redhat.com are queue-4.4/drm-radeon-forbid-mapping-of-userptr-bo-through-radeon-device-file.patch