Message ID | 20250415105710.1490623-1-boris.brezillon@collabora.com (mailing list archive) |
---|---|
State | New |
Series | drm/panthor: Enforce DRM_PANTHOR_BO_NO_MMAP |
On Tue, 15 Apr 2025 12:57:10 +0200 Boris Brezillon <boris.brezillon@collabora.com> wrote: > Right now the DRM_PANTHOR_BO_NO_MMAP flag is ignored by > panthor_ioctl_bo_mmap_offset(), meaning BOs with this flag set can > still be mmap-ed. > > Fortunately, this bug only impacts user BOs, because kernel BOs are not > exposed to userspace (they don't have a BO handle), so they can't > be mmap-ed anyway. Given all user BOs setting this flag are private > anyway (not shareable), there's no potential data leak. > > Fixes: 4bdca1150792 ("drm/panthor: Add the driver frontend block") > Signed-off-by: Boris Brezillon <boris.brezillon@collabora.com> > --- > drivers/gpu/drm/panthor/panthor_drv.c | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/drivers/gpu/drm/panthor/panthor_drv.c b/drivers/gpu/drm/panthor/panthor_drv.c > index 15d8e2bcf6ad..1499df07f512 100644 > --- a/drivers/gpu/drm/panthor/panthor_drv.c > +++ b/drivers/gpu/drm/panthor/panthor_drv.c > @@ -940,6 +940,7 @@ static int panthor_ioctl_bo_mmap_offset(struct drm_device *ddev, void *data, > struct drm_file *file) > { > struct drm_panthor_bo_mmap_offset *args = data; > + struct panthor_gem_object *bo; > struct drm_gem_object *obj; > int ret; > > @@ -950,6 +951,10 @@ static int panthor_ioctl_bo_mmap_offset(struct drm_device *ddev, void *data, > if (!obj) > return -ENOENT; > > + bo = to_panthor_bo(obj); > + if (bo->flags & DRM_PANTHOR_BO_NO_MMAP) > + return -EINVAL; Maybe it should be EPERM instead of EINVAL here. > + > ret = drm_gem_create_mmap_offset(obj); > if (ret) > goto out;
On Tue, Apr 15, 2025 at 01:18:42PM +0200, Boris Brezillon wrote: > On Tue, 15 Apr 2025 12:57:10 +0200 > Boris Brezillon <boris.brezillon@collabora.com> wrote: > > > Right now the DRM_PANTHOR_BO_NO_MMAP flag is ignored by > > panthor_ioctl_bo_mmap_offset(), meaning BOs with this flag set can > > still be mmap-ed. > > > > Fortunately, this bug only impacts user BOs, because kernel BOs are not > > exposed to userspace (they don't have a BO handle), so they can't > > be mmap-ed anyway. Given all user BOs setting this flag are private > > anyway (not shareable), there's no potential data leak. > > > > Fixes: 4bdca1150792 ("drm/panthor: Add the driver frontend block") > > Signed-off-by: Boris Brezillon <boris.brezillon@collabora.com> > > --- > > drivers/gpu/drm/panthor/panthor_drv.c | 5 +++++ > > 1 file changed, 5 insertions(+) > > > > diff --git a/drivers/gpu/drm/panthor/panthor_drv.c b/drivers/gpu/drm/panthor/panthor_drv.c > > index 15d8e2bcf6ad..1499df07f512 100644 > > --- a/drivers/gpu/drm/panthor/panthor_drv.c > > +++ b/drivers/gpu/drm/panthor/panthor_drv.c > > @@ -940,6 +940,7 @@ static int panthor_ioctl_bo_mmap_offset(struct drm_device *ddev, void *data, > > struct drm_file *file) > > { > > struct drm_panthor_bo_mmap_offset *args = data; > > + struct panthor_gem_object *bo; > > struct drm_gem_object *obj; > > int ret; > > > > @@ -950,6 +951,10 @@ static int panthor_ioctl_bo_mmap_offset(struct drm_device *ddev, void *data, > > if (!obj) > > return -ENOENT; > > > > + bo = to_panthor_bo(obj); > > + if (bo->flags & DRM_PANTHOR_BO_NO_MMAP) > > + return -EINVAL; > > Maybe it should be EPERM instead of EINVAL here. Yeah, I agree. With that change: Reviewed-by: Liviu Dudau <liviu.dudau@arm.com> Best regards, Liviu > > > + > > ret = drm_gem_create_mmap_offset(obj); > > if (ret) > > goto out; >
On 15/04/2025 11:57, Boris Brezillon wrote: > Right now the DRM_PANTHOR_BO_NO_MMAP flag is ignored by > panthor_ioctl_bo_mmap_offset(), meaning BOs with this flag set can > still be mmap-ed. > > Fortunately, this bug only impacts user BOs, because kernel BOs are not > exposed to userspace (they don't have a BO handle), so they can't > be mmap-ed anyway. Given all user BOs setting this flag are private > anyway (not shareable), there's no potential data leak. Maybe I'm missing something, but I think the below check in panthor_gem_mmap() should also prevent this: > static int panthor_gem_mmap(struct drm_gem_object *obj, struct vm_area_struct *vma) > { > struct panthor_gem_object *bo = to_panthor_bo(obj); > > /* Don't allow mmap on objects that have the NO_MMAP flag set. */ > if (bo->flags & DRM_PANTHOR_BO_NO_MMAP) > return -EINVAL; > > return drm_gem_shmem_object_mmap(obj, vma); > } That said, it doesn't make sense to be able to get an offset if you can't mmap() so this seems like a good change. Indeed potentially with this we no longer need panthor_gem_mmap() - although I haven't completely convinced myself of that yet. > Fixes: 4bdca1150792 ("drm/panthor: Add the driver frontend block") > Signed-off-by: Boris Brezillon <boris.brezillon@collabora.com> Reviewed-by: Steven Price <steven.price@arm.com> > --- > drivers/gpu/drm/panthor/panthor_drv.c | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/drivers/gpu/drm/panthor/panthor_drv.c b/drivers/gpu/drm/panthor/panthor_drv.c > index 15d8e2bcf6ad..1499df07f512 100644 > --- a/drivers/gpu/drm/panthor/panthor_drv.c > +++ b/drivers/gpu/drm/panthor/panthor_drv.c > @@ -940,6 +940,7 @@ static int panthor_ioctl_bo_mmap_offset(struct drm_device *ddev, void *data, > struct drm_file *file) > { > struct drm_panthor_bo_mmap_offset *args = data; > + struct panthor_gem_object *bo; > struct drm_gem_object *obj; > int ret; 
> > @@ -950,6 +951,10 @@ static int panthor_ioctl_bo_mmap_offset(struct drm_device *ddev, void *data, > if (!obj) > return -ENOENT; > > + bo = to_panthor_bo(obj); > + if (bo->flags & DRM_PANTHOR_BO_NO_MMAP) > + return -EINVAL; > + > ret = drm_gem_create_mmap_offset(obj); > if (ret) > goto out;
On Wed, 16 Apr 2025 15:26:42 +0100 Steven Price <steven.price@arm.com> wrote: > On 15/04/2025 11:57, Boris Brezillon wrote: > > Right now the DRM_PANTHOR_BO_NO_MMAP flag is ignored by > > panthor_ioctl_bo_mmap_offset(), meaning BOs with this flag set can > > still be mmap-ed. > > > > Fortunately, this bug only impacts user BOs, because kernel BOs are not > > exposed to userspace (they don't have a BO handle), so they can't > > be mmap-ed anyway. Given all user BOs setting this flag are private > > anyway (not shareable), there's no potential data leak. > > Maybe I'm missing something, but I think the below check in > panthor_gem_mmap() should also prevent this: > > > static int panthor_gem_mmap(struct drm_gem_object *obj, struct vm_area_struct *vma) > > { > > struct panthor_gem_object *bo = to_panthor_bo(obj); > > > > /* Don't allow mmap on objects that have the NO_MMAP flag set. */ > > if (bo->flags & DRM_PANTHOR_BO_NO_MMAP) > > return -EINVAL; Doh, how did I miss that one... > > > > return drm_gem_shmem_object_mmap(obj, vma); > > } > > That said, it doesn't make sense to be able to get an offset if you > can't mmap() so this seems like a good change. Indeed potentially with > this we no longer need panthor_gem_mmap() - although I haven't > completely convinced myself of that yet. > > > Fixes: 4bdca1150792 ("drm/panthor: Add the driver frontend block") > > Signed-off-by: Boris Brezillon <boris.brezillon@collabora.com> > > Reviewed-by: Steven Price <steven.price@arm.com> Okay, if we decide to keep that change, I need to reword the commit message and drop the Fixes tag. > > > --- > > drivers/gpu/drm/panthor/panthor_drv.c | 5 +++++ > > 1 file changed, 5 insertions(+) > > > > diff --git a/drivers/gpu/drm/panthor/panthor_drv.c b/drivers/gpu/drm/panthor/panthor_drv.c > > index 15d8e2bcf6ad..1499df07f512 100644 > > --- a/drivers/gpu/drm/panthor/panthor_drv.c > > +++ b/drivers/gpu/drm/panthor/panthor_drv.c 
> > @@ -940,6 +940,7 @@ static int panthor_ioctl_bo_mmap_offset(struct drm_device *ddev, void *data, > > struct drm_file *file) > > { > > struct drm_panthor_bo_mmap_offset *args = data; > > + struct panthor_gem_object *bo; > > struct drm_gem_object *obj; > > int ret; > > > > @@ -950,6 +951,10 @@ static int panthor_ioctl_bo_mmap_offset(struct drm_device *ddev, void *data, > > if (!obj) > > return -ENOENT; > > > > + bo = to_panthor_bo(obj); > > + if (bo->flags & DRM_PANTHOR_BO_NO_MMAP) > > + return -EINVAL; > > + > > ret = drm_gem_create_mmap_offset(obj); > > if (ret) > > goto out; >
diff --git a/drivers/gpu/drm/panthor/panthor_drv.c b/drivers/gpu/drm/panthor/panthor_drv.c index 15d8e2bcf6ad..1499df07f512 100644 --- a/drivers/gpu/drm/panthor/panthor_drv.c +++ b/drivers/gpu/drm/panthor/panthor_drv.c @@ -940,6 +940,7 @@ static int panthor_ioctl_bo_mmap_offset(struct drm_device *ddev, void *data, struct drm_file *file) { struct drm_panthor_bo_mmap_offset *args = data; + struct panthor_gem_object *bo; struct drm_gem_object *obj; int ret; @@ -950,6 +951,10 @@ static int panthor_ioctl_bo_mmap_offset(struct drm_device *ddev, void *data, if (!obj) return -ENOENT; + bo = to_panthor_bo(obj); + if (bo->flags & DRM_PANTHOR_BO_NO_MMAP) + return -EINVAL; + ret = drm_gem_create_mmap_offset(obj); if (ret) goto out;
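Review bot: The bare `return -EINVAL;` added in the second hunk (@@ -950,6 +951,10) leaves the function directly, while the drm_gem_create_mmap_offset() failure immediately below it exits through `goto out`. The `out` label is not visible in this hunk, but if it releases obj, which has already passed the `if (!obj)` test at this point, the new early return skips that release on every rejected request. Setting `ret` and jumping to `out` would keep a single exit path, and the errno value on the same line is the one the thread proposes changing to EPERM.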
Right now the DRM_PANTHOR_BO_NO_MMAP flag is ignored by panthor_ioctl_bo_mmap_offset(), meaning BOs with this flag set can still be mmap-ed.

Fortunately, this bug only impacts user BOs, because kernel BOs are not exposed to userspace (they don't have a BO handle), so they can't be mmap-ed anyway. Given all user BOs setting this flag are private anyway (not shareable), there's no potential data leak.

Fixes: 4bdca1150792 ("drm/panthor: Add the driver frontend block")
Signed-off-by: Boris Brezillon <boris.brezillon@collabora.com>
---
 drivers/gpu/drm/panthor/panthor_drv.c | 5 +++++
 1 file changed, 5 insertions(+)
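The two checks discussed in this thread (the offset request and the mmap handler), modelled in userspace C as an added example; it is not code from the patch or from the panthor driver. `bo_lookup`, `model_mmap_offset`, `model_mmap`, `BO_NO_MMAP` and the reference counting are assumptions made for illustration, since the hunks do not show how the object reference is released.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define BO_NO_MMAP (1u << 0) /* stand-in for DRM_PANTHOR_BO_NO_MMAP */
struct bo { unsigned flags; int refs; unsigned long long offset; };

/* Hypothetical handle lookup: takes a reference the caller must drop. */
static struct bo *bo_lookup(struct bo *tbl, size_t n, unsigned handle)
{
    if (handle == 0 || handle > n)
        return NULL;
    tbl[handle - 1].refs++;
    return &tbl[handle - 1];
}

/* Gate 1: the offset request. check_flag=0 models the code before the patch. */
static int model_mmap_offset(struct bo *tbl, size_t n, unsigned handle,
                             int check_flag, unsigned long long *offset)
{
    struct bo *bo = bo_lookup(tbl, n, handle);
    int ret = 0;

    if (!bo)
        return -ENOENT;
    if (check_flag && (bo->flags & BO_NO_MMAP)) {
        ret = -EINVAL; /* value from the posted patch; the thread suggests EPERM */
        goto out;      /* single exit so the reference is always dropped */
    }
    *offset = bo->offset;
out:
    bo->refs--;
    return ret;
}

/* Gate 2: models the check quoted in the thread from panthor_gem_mmap(). */
static int model_mmap(const struct bo *bo)
{
    return (bo->flags & BO_NO_MMAP) ? -EINVAL : 0;
}

int main(void)
{
    /* Constructed sample table: handle 1 is mappable, handle 2 is NO_MMAP. */
    struct bo tbl[] = { { 0, 1, 0x1000 }, { BO_NO_MMAP, 1, 0x2000 } };
    unsigned long long off = 0;
    int before = model_mmap_offset(tbl, 2, 2, 0, &off); /* unpatched gate 1 */
    int after = model_mmap_offset(tbl, 2, 2, 1, &off);  /* patched gate 1 */
    printf("before=%d after=%d mmap=%d refs=%d\n", before, after, model_mmap(&tbl[1]), tbl[1].refs);
    return 0;
}
```

With the flag check disabled, the model hands out an offset for the NO_MMAP object while the mmap gate still refuses it, which is the situation described in the review; with the check enabled, the request is refused at the first gate and the reference count is unchanged.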