Message-ID: <CAFqt6zZU6c3MyVQpCegntu1ZxtFri=HMwZJ3xg+tCxRARo3zMA@mail.gmail.com>
Date:   Wed, 2 Jan 2019 16:23:15 +0530
From:   Souptick Joarder <jrdr.linux@...il.com>
To:     Andrew Morton <akpm@...ux-foundation.org>,
        Matthew Wilcox <willy@...radead.org>,
        Michal Hocko <mhocko@...e.com>, pawel@...iak.com,
        Marek Szyprowski <m.szyprowski@...sung.com>,
        Kyungmin Park <kyungmin.park@...sung.com>, mchehab@...nel.org,
        Russell King - ARM Linux <linux@...linux.org.uk>,
        robin.murphy@....com
Cc:     linux-media@...r.kernel.org, linux-kernel@...r.kernel.org,
        Linux-MM <linux-mm@...ck.org>
Subject: Re: [PATCH v5 7/9] videobuf2/videobuf2-dma-sg.c: Convert to use vm_insert_range

On Mon, Dec 24, 2018 at 6:53 PM Souptick Joarder <jrdr.linux@...il.com> wrote:
>
> Convert to use vm_insert_range to map range of kernel memory
> to user vma.
>
> Signed-off-by: Souptick Joarder <jrdr.linux@...il.com>
> Reviewed-by: Matthew Wilcox <willy@...radead.org>
> Acked-by: Marek Szyprowski <m.szyprowski@...sung.com>
> Acked-by: Mauro Carvalho Chehab <mchehab+samsung@...nel.org>
> ---
>  drivers/media/common/videobuf2/videobuf2-dma-sg.c | 23 +++++++----------------
>  1 file changed, 7 insertions(+), 16 deletions(-)
>
> diff --git a/drivers/media/common/videobuf2/videobuf2-dma-sg.c b/drivers/media/common/videobuf2/videobuf2-dma-sg.c
> index 015e737..898adef 100644
> --- a/drivers/media/common/videobuf2/videobuf2-dma-sg.c
> +++ b/drivers/media/common/videobuf2/videobuf2-dma-sg.c
> @@ -328,28 +328,19 @@ static unsigned int vb2_dma_sg_num_users(void *buf_priv)
>  static int vb2_dma_sg_mmap(void *buf_priv, struct vm_area_struct *vma)
>  {
>         struct vb2_dma_sg_buf *buf = buf_priv;
> -       unsigned long uaddr = vma->vm_start;
> -       unsigned long usize = vma->vm_end - vma->vm_start;
> -       int i = 0;
> +       unsigned long page_count = vma_pages(vma);
> +       int err;
>
>         if (!buf) {
>                 printk(KERN_ERR "No memory to map\n");
>                 return -EINVAL;
>         }
>
> -       do {
> -               int ret;
> -
> -               ret = vm_insert_page(vma, uaddr, buf->pages[i++]);
> -               if (ret) {
> -                       printk(KERN_ERR "Remapping memory, error: %d\n", ret);
> -                       return ret;
> -               }
> -
> -               uaddr += PAGE_SIZE;
> -               usize -= PAGE_SIZE;
> -       } while (usize > 0);
> -
> +       err = vm_insert_range(vma, vma->vm_start, buf->pages, page_count);
> +       if (err) {
> +               printk(KERN_ERR "Remapping memory, error: %d\n", err);
> +               return err;
> +       }
>
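
Review bot: the count passed in the added call vm_insert_range(vma, vma->vm_start, buf->pages, page_count) comes from vma_pages(vma), that is, from the size of the user's mapping, and nothing in this hunk compares it with the number of entries in buf->pages. The removed loop had the same property, reading buf->pages[i++] until usize reached zero. The hunk does not show whether vm_insert_range() or the caller of vb2_dma_sg_mmap() enforces that bound, so either reject the request here when page_count exceeds the number of pages allocated for the buffer, or state in the commit message where the limit is enforced.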

Looking into the original code -
drivers/media/common/videobuf2/videobuf2-dma-sg.c

Inside vb2_dma_sg_alloc(),
           ...
           buf->num_pages = size >> PAGE_SHIFT;
           buf->dma_sgt = &buf->sg_table;

           buf->pages = kvmalloc_array(buf->num_pages, sizeof(struct page *),
                                                       GFP_KERNEL | __GFP_ZERO);
           ...

buf->pages has index up to *buf->num_pages*.

Now inside vb2_dma_sg_mmap(),

           unsigned long usize = vma->vm_end - vma->vm_start;
           int i = 0;
           ...
           do {
                 int ret;

                 ret = vm_insert_page(vma, uaddr, buf->pages[i++]);
                 if (ret) {
                           printk(KERN_ERR "Remapping memory, error: %d\n", ret);
                           return ret;
                 }

                 uaddr += PAGE_SIZE;
                 usize -= PAGE_SIZE;
           } while (usize > 0);
           ...
Is it possible that, for any value of *i > (buf->num_pages)*,
buf->pages[i] is going to overrun the page boundary?
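
The bound asked about in the message above can be modelled in user space. This is an added example, not part of the original message and not kernel code: MODEL_PAGE_SIZE, loop_reads_past_end() and checked_map() are hypothetical names, the inputs are constructed, and the -ENXIO return value is an assumed choice of error code.

```c
/* User-space model of the loop quoted above; no kernel APIs are used. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define MODEL_PAGE_SIZE 4096UL  /* assumed page size for the model */

/* Model of the do/while loop: returns how many reads of pages[i] would fall
 * outside an array of num_pages entries (valid indices 0..num_pages-1)
 * when the mapping spans vma_size bytes. */
size_t loop_reads_past_end(unsigned long vma_size, size_t num_pages)
{
    unsigned long usize = vma_size;
    size_t i = 0, past_end = 0;

    do {
        if (i >= num_pages)     /* pages[i] would be out of bounds here */
            past_end++;
        i++;
        usize -= MODEL_PAGE_SIZE;
    } while (usize > 0);
    return past_end;
}

/* Hypothetical bounded variant: compare the requested page count with the
 * array length before any element is read. */
int checked_map(unsigned long vma_size, size_t num_pages, size_t *mapped)
{
    size_t page_count = vma_size / MODEL_PAGE_SIZE; /* role of vma_pages() */

    *mapped = 0;
    if (page_count == 0 || page_count > num_pages)
        return -ENXIO;          /* assumed error code for the model */
    *mapped = page_count;
    return 0;
}

int main(void)
{
    size_t mapped;

    /* Constructed inputs: a 4-page buffer mapped by 4-page and 6-page VMAs. */
    printf("4-page vma: %zu reads past end\n",
           loop_reads_past_end(4 * MODEL_PAGE_SIZE, 4));
    printf("6-page vma: %zu reads past end\n",
           loop_reads_past_end(6 * MODEL_PAGE_SIZE, 4));
    printf("checked 6-page vma: %d\n",
           checked_map(6 * MODEL_PAGE_SIZE, 4, &mapped));
    return 0;
}
```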
