Commit 000c4f90 authored by Chris Wilson's avatar Chris Wilson Committed by Rodrigo Vivi

drm/i915: Sanity check mmap length against object size

We assumed that vm_mmap() would reject an attempt to mmap past the end of
the filp (our object), but we were wrong.

Applications that tried to use the mmap beyond the end of the object
would be greeted by a SIGBUS. After this patch, those applications will
be told about the error on creating the mmap, rather than at a random
moment on later access.
Reported-by: default avatarAntonio Argenziano <antonio.argenziano@intel.com>
Testcase: igt/gem_mmap/bad-size
Signed-off-by: default avatarChris Wilson <chris@chris-wilson.co.uk>
Cc: Antonio Argenziano <antonio.argenziano@intel.com>
Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
Cc: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
Cc: stable@vger.kernel.org
Reviewed-by: default avatarTvrtko Ursulin <tvrtko.ursulin@intel.com>
Reviewed-by: default avatarJoonas Lahtinen <joonas.lahtinen@linux.intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20190314075829.16838-1-chris@chris-wilson.co.uk
(cherry picked from commit 794a11cb)
Signed-off-by: default avatarRodrigo Vivi <rodrigo.vivi@intel.com>
parent 65f26e97
...@@ -1734,8 +1734,13 @@ i915_gem_mmap_ioctl(struct drm_device *dev, void *data, ...@@ -1734,8 +1734,13 @@ i915_gem_mmap_ioctl(struct drm_device *dev, void *data,
* pages from. * pages from.
*/ */
if (!obj->base.filp) { if (!obj->base.filp) {
i915_gem_object_put(obj); addr = -ENXIO;
return -ENXIO; goto err;
}
if (range_overflows(args->offset, args->size, (u64)obj->base.size)) {
addr = -EINVAL;
goto err;
} }
addr = vm_mmap(obj->base.filp, 0, args->size, addr = vm_mmap(obj->base.filp, 0, args->size,
...@@ -1749,8 +1754,8 @@ i915_gem_mmap_ioctl(struct drm_device *dev, void *data, ...@@ -1749,8 +1754,8 @@ i915_gem_mmap_ioctl(struct drm_device *dev, void *data,
struct vm_area_struct *vma; struct vm_area_struct *vma;
if (down_write_killable(&mm->mmap_sem)) { if (down_write_killable(&mm->mmap_sem)) {
i915_gem_object_put(obj); addr = -EINTR;
return -EINTR; goto err;
} }
vma = find_vma(mm, addr); vma = find_vma(mm, addr);
if (vma && __vma_matches(vma, obj->base.filp, addr, args->size)) if (vma && __vma_matches(vma, obj->base.filp, addr, args->size))
...@@ -1768,12 +1773,10 @@ i915_gem_mmap_ioctl(struct drm_device *dev, void *data, ...@@ -1768,12 +1773,10 @@ i915_gem_mmap_ioctl(struct drm_device *dev, void *data,
i915_gem_object_put(obj); i915_gem_object_put(obj);
args->addr_ptr = (u64)addr; args->addr_ptr = (u64)addr;
return 0; return 0;
err: err:
i915_gem_object_put(obj); i915_gem_object_put(obj);
return addr; return addr;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment