[1/2] drm/radeon: forbid mapping of userptr bo through radeon device file

Message ID 1461071271-16072-1-git-send-email-jglisse@redhat.com (mailing list archive)
State New, archived

Commit Message

Jerome Glisse April 19, 2016, 1:07 p.m. UTC
Allowing userptr bo which are basically a list of page from some vma
(so either anonymous page or file backed page) would lead to serious
corruption of kernel structures and counters (because we overwrite
the page->mapping field when mapping buffer).

This will already block if the buffer was populated before anyone does
try to mmap it because then TTM_PAGE_FLAG_SG would be set in the
ttm_tt flags. But that flag is checked before ttm_tt_populate in the ttm
vm fault handler.

So to be safe just add a check to verify_access() callback.

Signed-off-by: Jérôme Glisse <jglisse@redhat.com>
Cc: <stable@vger.kernel.org>
---
 drivers/gpu/drm/radeon/radeon_ttm.c | 2 ++
 1 file changed, 2 insertions(+)

Comments

Christian König April 20, 2016, 1:26 p.m. UTC | #1
There are also checks in (amdgpu|radeon)_gem_mmap_ioctl() to prevent 
this as well.

But it shouldn't hurt us to check that here as well. So both patches are 
Reviewed-by: Christian König <christian.koenig@amd.com>

Regards,
Christian.

Am 19.04.2016 um 15:07 schrieb Jérôme Glisse:
> Allowing userptr bo which are basically a list of page from some vma
> (so either anonymous page or file backed page) would lead to serious
> corruption of kernel structures and counters (because we overwrite
> the page->mapping field when mapping buffer).
>
> This will already block if the buffer was populated before anyone does
> try to mmap it because then TTM_PAGE_FLAG_SG would be set in the
> ttm_tt flags. But that flag is checked before ttm_tt_populate in the ttm
> vm fault handler.
>
> So to be safe just add a check to verify_access() callback.
>
> Signed-off-by: Jérôme Glisse <jglisse@redhat.com>
> Cc: <stable@vger.kernel.org>
> ---
>   drivers/gpu/drm/radeon/radeon_ttm.c | 2 ++
>   1 file changed, 2 insertions(+)
>
> diff --git a/drivers/gpu/drm/radeon/radeon_ttm.c b/drivers/gpu/drm/radeon/radeon_ttm.c
> index 7dddfdc..90f7394 100644
> --- a/drivers/gpu/drm/radeon/radeon_ttm.c
> +++ b/drivers/gpu/drm/radeon/radeon_ttm.c
> @@ -235,6 +235,8 @@ static int radeon_verify_access(struct ttm_buffer_object *bo, struct file *filp)
>   {
>   	struct radeon_bo *rbo = container_of(bo, struct radeon_bo, tbo);
>   
> +	if (radeon_ttm_tt_has_userptr(bo->ttm))
> +		return -EPERM;
>   	return drm_vma_node_verify_access(&rbo->gem_base.vma_node, filp);
>   }
>
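Review bot: the two lines added at the top of radeon_verify_access() carry no comment explaining why a userptr BO is refused, and the reason is not obvious from the code alone. A short comment above `if (radeon_ttm_tt_has_userptr(bo->ttm))` stating that mapping such a BO would overwrite page->mapping on pages that belong to another vma, and that this intentionally repeats the check already done in radeon_gem_mmap_ioctl(), would keep a later cleanup from dropping it as redundant.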
Alex Deucher April 20, 2016, 3:06 p.m. UTC | #2
On Wed, Apr 20, 2016 at 9:26 AM, Christian König
<deathsimple@vodafone.de> wrote:
> There are also checks in (amdgpu|radeon)_gem_mmap_ioctl() to prevent this as
> well.
>
> But it shouldn't hurt us to check that here as well. So both patches are
> Reviewed-by: Christian König <christian.koenig@amd.com>

Applied both.  Thanks!

Alex

>
> Regards,
> Christian.
>
> Am 19.04.2016 um 15:07 schrieb Jérôme Glisse:
>>
>> Allowing userptr bo which are basically a list of page from some vma
>> (so either anonymous page or file backed page) would lead to serious
>> corruption of kernel structures and counters (because we overwrite
>> the page->mapping field when mapping buffer).
>>
>> This will already block if the buffer was populated before anyone does
>> try to mmap it because then TTM_PAGE_FLAG_SG would be set in the
>> ttm_tt flags. But that flag is checked before ttm_tt_populate in the ttm
>> vm fault handler.
>>
>> So to be safe just add a check to verify_access() callback.
>>
>> Signed-off-by: Jérôme Glisse <jglisse@redhat.com>
>> Cc: <stable@vger.kernel.org>
>> ---
>>   drivers/gpu/drm/radeon/radeon_ttm.c | 2 ++
>>   1 file changed, 2 insertions(+)
>>
>> diff --git a/drivers/gpu/drm/radeon/radeon_ttm.c
>> b/drivers/gpu/drm/radeon/radeon_ttm.c
>> index 7dddfdc..90f7394 100644
>> --- a/drivers/gpu/drm/radeon/radeon_ttm.c
>> +++ b/drivers/gpu/drm/radeon/radeon_ttm.c
>> @@ -235,6 +235,8 @@ static int radeon_verify_access(struct
>> ttm_buffer_object *bo, struct file *filp)
>>   {
>>         struct radeon_bo *rbo = container_of(bo, struct radeon_bo, tbo);
>>   +     if (radeon_ttm_tt_has_userptr(bo->ttm))
>> +               return -EPERM;
>>         return drm_vma_node_verify_access(&rbo->gem_base.vma_node, filp);
>>   }
>>

Patch

diff --git a/drivers/gpu/drm/radeon/radeon_ttm.c b/drivers/gpu/drm/radeon/radeon_ttm.c
index 7dddfdc..90f7394 100644
--- a/drivers/gpu/drm/radeon/radeon_ttm.c
+++ b/drivers/gpu/drm/radeon/radeon_ttm.c
@@ -235,6 +235,8 @@  static int radeon_verify_access(struct ttm_buffer_object *bo, struct file *filp)
 {
 	struct radeon_bo *rbo = container_of(bo, struct radeon_bo, tbo);
 
+	if (radeon_ttm_tt_has_userptr(bo->ttm))
+		return -EPERM;
 	return drm_vma_node_verify_access(&rbo->gem_base.vma_node, filp);
 }
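Review bot: `radeon_ttm_tt_has_userptr(bo->ttm)` is called directly after the declaration, and nothing in this hunk shows that bo->ttm is valid at that point. The commit message says the case being guarded is the one where verify_access() runs before ttm_tt_populate, so please confirm the helper tolerates a NULL or not yet populated ttm_tt, or make the test explicit with `bo->ttm &&`. A blank line between `return -EPERM;` and the final return would also match the spacing used after the declaration.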