From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: "Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
	patches@lists.linux.dev, "Noralf Trønnes" <noralf@tronnes.org>,
	"Eric Anholt" <eric@anholt.net>, "Rob Herring" <robh@kernel.org>,
	"Maarten Lankhorst" <maarten.lankhorst@linux.intel.com>,
	"Maxime Ripard" <mripard@kernel.org>,
	"Thomas Zimmermann" <tzimmermann@suse.de>,
	"David Airlie" <airlied@gmail.com>,
	"Daniel Vetter" <daniel@ffwll.ch>,
	dri-devel@lists.freedesktop.org, "Wachowski,
	Karol" <karol.wachowski@intel.com>,
	"Jacek Lawrynowicz" <jacek.lawrynowicz@linux.intel.com>,
	"Daniel Vetter" <daniel.vetter@ffwll.ch>,
	"Sherry Yang" <sherry.yang@oracle.com>
Subject: [PATCH 6.1 37/91] drm/shmem-helper: Fix BUG_ON() on mmap(PROT_WRITE, MAP_PRIVATE)
Date: Mon, 21 Oct 2024 12:24:51 +0200	[thread overview]
Message-ID: <20241021102251.270257207@linuxfoundation.org> (raw)
In-Reply-To: <20241021102249.791942892@linuxfoundation.org>

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Wachowski, Karol <karol.wachowski@intel.com>

commit 39bc27bd688066a63e56f7f64ad34fae03fbe3b8 upstream.

Lack of check for copy-on-write (COW) mapping in drm_gem_shmem_mmap
allows users to call mmap with PROT_WRITE and MAP_PRIVATE flag
causing a kernel panic due to BUG_ON in vmf_insert_pfn_prot:
BUG_ON((vma->vm_flags & VM_PFNMAP) && is_cow_mapping(vma->vm_flags));

Return -EINVAL early if COW mapping is detected.

This bug affects all drm drivers using default shmem helpers.
It can be reproduced by this simple example:
char *ptr = mmap(0, size, PROT_WRITE, MAP_PRIVATE, fd, mmap_offset);
ptr[0] = 0;

Fixes: 2194a63a818d ("drm: Add library for shmem backed GEM objects")
Cc: Noralf Trønnes <noralf@tronnes.org>
Cc: Eric Anholt <eric@anholt.net>
Cc: Rob Herring <robh@kernel.org>
Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
Cc: Maxime Ripard <mripard@kernel.org>
Cc: Thomas Zimmermann <tzimmermann@suse.de>
Cc: David Airlie <airlied@gmail.com>
Cc: Daniel Vetter <daniel@ffwll.ch>
Cc: dri-devel@lists.freedesktop.org
Cc: <stable@vger.kernel.org> # v5.2+
Signed-off-by: Wachowski, Karol <karol.wachowski@intel.com>
Signed-off-by: Jacek Lawrynowicz <jacek.lawrynowicz@linux.intel.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: https://patchwork.freedesktop.org/patch/msgid/20240520100514.925681-1-jacek.lawrynowicz@linux.intel.com
[ Sherry: bp to fix CVE-2024-39497, ignore context change due to missing
  commit 21aa27ddc582 ("drm/shmem-helper: Switch to reservation lock")  ]
Signed-off-by: Sherry Yang <sherry.yang@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/drm_gem_shmem_helper.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/gpu/drm/drm_gem_shmem_helper.c
+++ b/drivers/gpu/drm/drm_gem_shmem_helper.c
@@ -638,6 +638,9 @@ int drm_gem_shmem_mmap(struct drm_gem_sh
 		return ret;
 	}
 
+	if (is_cow_mapping(vma->vm_flags))
+		return -EINVAL;
+
 	ret = drm_gem_shmem_get_pages(shmem);
 	if (ret)
 		return ret;
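Review bot: the new is_cow_mapping() check is placed before drm_gem_shmem_get_pages(), so the -EINVAL path pins no pages and needs no matching put_pages(); that is the right spot for it. Consider adding a one-line comment above the check saying why COW mappings are refused (a VM_PFNMAP mapping that is also COW trips the BUG_ON in vmf_insert_pfn_prot() cited in the commit message), since a bare `if (is_cow_mapping(vma->vm_flags)) return -EINVAL;` gives a later reader no hint that this is a crash guard rather than a policy decision. For the stable backport, the bracketed note says the context around the hunk differs from upstream because commit 21aa27ddc582 is missing, so it is worth confirming that the three-line hunk still lands between the preceding error return and the drm_gem_shmem_get_pages() call shown here.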

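As an added user-space model (not code from the patch or the kernel) of which mmap() requests the fixed drm_gem_shmem_mmap() now refuses: the vm_flags derivation below is a simplified restatement of the kernel's do_mmap() rules and is an assumption, while is_cow_mapping() mirrors the kernel predicate (writable-in-principle but not shared). It goes beyond the PROT_WRITE reproducer in the commit message to show that a read-only MAP_PRIVATE mapping is classed as COW too, because MAP_PRIVATE file mappings keep VM_MAYWRITE.

```c
/* Added example, not part of the patch: models the check added to
 * drm_gem_shmem_mmap(). The flag values and the vm_flags derivation are a
 * simplified assumption about do_mmap(); only the predicate matters here. */
#include <stdbool.h>
#include <errno.h>
#include <sys/mman.h>

#define VM_WRITE    0x00000002UL
#define VM_SHARED   0x00000008UL
#define VM_MAYWRITE 0x00000020UL
#define VM_MAYSHARE 0x00000080UL

/* Same predicate as the kernel's is_cow_mapping(): a mapping is COW when it
 * may become writable (VM_MAYWRITE) but is not a shared mapping (VM_SHARED). */
static bool is_cow_mapping(unsigned long vm_flags)
{
    return (vm_flags & (VM_SHARED | VM_MAYWRITE)) == VM_MAYWRITE;
}

/* Simplified do_mmap(): derive vm_flags from prot, map flags and whether the
 * file descriptor was opened for writing (assumption: only the bits that
 * influence is_cow_mapping() are modelled). */
static unsigned long model_vm_flags(int prot, int map_flags, bool fd_writable)
{
    unsigned long vm_flags = VM_MAYWRITE;      /* default VM_MAY* bits */

    if (prot & PROT_WRITE)
        vm_flags |= VM_WRITE;
    if (map_flags & MAP_SHARED) {
        if (!fd_writable)                      /* read-only file: no write ever */
            vm_flags &= ~(VM_MAYWRITE | VM_SHARED);
        vm_flags |= VM_SHARED | VM_MAYSHARE;
    }
    /* MAP_PRIVATE keeps VM_MAYWRITE so mprotect(PROT_WRITE) can work later,
     * which is exactly what makes every private file mapping a COW mapping. */
    return vm_flags;
}

/* Outcome of the fixed helper for a request: EINVAL if the new check fires,
 * 0 if the mapping would proceed to drm_gem_shmem_get_pages(). */
int shmem_mmap_result(int prot, int map_flags, bool fd_writable)
{
    unsigned long vm_flags = model_vm_flags(prot, map_flags, fd_writable);

    if (is_cow_mapping(vm_flags))              /* the check the patch adds */
        return EINVAL;
    return 0;
}
```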