| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 18 Feb 2019 14:44:05 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-kernel@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
stable@...r.kernel.org, Adam Zabrocki <adamza@...rosoft.com>,
Linus Torvalds <torvalds@...ux-foundation.org>,
Joonas Lahtinen <joonas.lahtinen@...ux.intel.com>,
Akash Goel <akash.goel@...el.com>,
Chris Wilson <chris@...is-wilson.co.uk>,
Tvrtko Ursulin <tvrtko.ursulin@...ux.intel.com>,
Jani Nikula <jani.nikula@...el.com>,
Tvrtko Ursulin <tvrtko.ursulin@...el.com>
Subject: [PATCH 4.14 59/62] drm/i915: Prevent a race during I915_GEM_MMAP ioctl with WC set
4.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joonas Lahtinen <joonas.lahtinen@...ux.intel.com>
commit 2e7bd10e05afb866b5fb13eda25095c35d7a27cc upstream.
Make sure the underlying VMA in the process address space is the
same as it was during vm_mmap to avoid applying WC to wrong VMA.
A more long-term solution would be to have vm_mmap_locked variant
in linux/mmap.h for when caller wants to hold mmap_sem for an
extended duration.
v2:
- Refactor the compare function
Fixes: 1816f9236303 ("drm/i915: Support creation of unbound wc user mappings for objects")
Reported-by: Adam Zabrocki <adamza@...rosoft.com>
Suggested-by: Linus Torvalds <torvalds@...ux-foundation.org>
Signed-off-by: Joonas Lahtinen <joonas.lahtinen@...ux.intel.com>
Cc: <stable@...r.kernel.org> # v4.0+
Cc: Akash Goel <akash.goel@...el.com>
Cc: Chris Wilson <chris@...is-wilson.co.uk>
Cc: Tvrtko Ursulin <tvrtko.ursulin@...ux.intel.com>
Cc: Adam Zabrocki <adamza@...rosoft.com>
Reviewed-by: Chris Wilson <chris@...is-wilson.co.uk>
Reviewed-by: Tvrtko Ursulin <tvrtko.ursulin@...el.com> #v1
Link: https://patchwork.freedesktop.org/patch/msgid/20190207085454.10598-1-joonas.lahtinen@linux.intel.com
(cherry picked from commit 5c4604e757ba9b193b09768d75a7d2105a5b883f)
Signed-off-by: Jani Nikula <jani.nikula@...el.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
---
drivers/gpu/drm/i915/i915_gem.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
--- a/drivers/gpu/drm/i915/i915_gem.c
+++ b/drivers/gpu/drm/i915/i915_gem.c
@@ -1633,6 +1633,16 @@ i915_gem_sw_finish_ioctl(struct drm_devi
return 0;
}
+static inline bool
+__vma_matches(struct vm_area_struct *vma, struct file *filp,
+ unsigned long addr, unsigned long size)
+{
+ if (vma->vm_file != filp)
+ return false;
+
+ return vma->vm_start == addr && (vma->vm_end - vma->vm_start) == size;
+}
+
/**
* i915_gem_mmap_ioctl - Maps the contents of an object, returning the address
* it is mapped to.
@@ -1691,7 +1701,7 @@ i915_gem_mmap_ioctl(struct drm_device *d
return -EINTR;
}
vma = find_vma(mm, addr);
- if (vma)
+ if (vma && __vma_matches(vma, obj->base.filp, addr, args->size))
vma->vm_page_prot =
pgprot_writecombine(vm_get_page_prot(vma->vm_flags));
else
Powered by blists - more mailing lists