Commit 000c4f9

ickle authored and rodrigovivi committed
drm/i915: Sanity check mmap length against object size
We assumed that vm_mmap() would reject an attempt to mmap past the end of the filp (our object), but we were wrong. Applications that tried to use the mmap beyond the end of the object would be greeted by a SIGBUS. After this patch, those applications will be told about the error on creating the mmap, rather than at a random moment on later access.

Reported-by: Antonio Argenziano <antonio.argenziano@intel.com>
Testcase: igt/gem_mmap/bad-size
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Antonio Argenziano <antonio.argenziano@intel.com>
Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
Cc: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
Cc: stable@vger.kernel.org
Reviewed-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
Reviewed-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20190314075829.16838-1-chris@chris-wilson.co.uk
(cherry picked from commit 794a11c)
Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
1 parent 65f26e9 commit 000c4f9

1 file changed: +9 -6 lines changed

drivers/gpu/drm/i915/i915_gem.c

Lines changed: 9 additions & 6 deletions
@@ -1734,8 +1734,13 @@ i915_gem_mmap_ioctl(struct drm_device *dev, void *data,
17341734
* pages from.
17351735
*/
17361736
if (!obj->base.filp) {
1737-
i915_gem_object_put(obj);
1738-
return -ENXIO;
1737+
addr = -ENXIO;
1738+
goto err;
1739+
}
1740+
1741+
if (range_overflows(args->offset, args->size, (u64)obj->base.size)) {
1742+
addr = -EINVAL;
1743+
goto err;
17391744
}
17401745

17411746
addr = vm_mmap(obj->base.filp, 0, args->size,
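Review bot: The new range_overflows(args->offset, args->size, (u64)obj->base.size) check carries no comment, unlike the !obj->base.filp check directly above it, so the reason it exists lives only in the commit message. A short comment stating that vm_mmap() does not reject a range past the end of the object, and that the failure would otherwise surface as a SIGBUS on a later access, would keep the check from being dropped as redundant. It would also help to document that such requests now fail with -EINVAL when the mmap is created, since that changes what userspace sees and the patch is Cc'd to stable.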
@@ -1749,8 +1754,8 @@ i915_gem_mmap_ioctl(struct drm_device *dev, void *data,
17491754
struct vm_area_struct *vma;
17501755

17511756
if (down_write_killable(&mm->mmap_sem)) {
1752-
i915_gem_object_put(obj);
1753-
return -EINTR;
1757+
addr = -EINTR;
1758+
goto err;
17541759
}
17551760
vma = find_vma(mm, addr);
17561761
if (vma && __vma_matches(vma, obj->base.filp, addr, args->size))
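Review bot: In the down_write_killable() failure branch, addr = -EINTR overwrites the address that find_vma(mm, addr) below would have looked up, and the err path only calls i915_gem_object_put(obj) before return addr. If a mapping already exists at that address when this branch is taken, it stays in the caller's address space while the ioctl reports -EINTR and the address is lost. The removed lines behaved the same way, so this is not a regression, but consider a vm_munmap() of the range before the goto, or a comment saying the leftover mapping is intentional.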
@@ -1768,12 +1773,10 @@ i915_gem_mmap_ioctl(struct drm_device *dev, void *data,
17681773
i915_gem_object_put(obj);
17691774

17701775
args->addr_ptr = (u64)addr;
1771-
17721776
return 0;
17731777

17741778
err:
17751779
i915_gem_object_put(obj);
1776-
17771780
return addr;
17781781
}
17791782
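Review bot: The two removed blank lines, one after args->addr_ptr = (u64)addr; and one after i915_gem_object_put(obj); under err:, are whitespace-only changes unrelated to the length check. Since the commit is Cc'd to stable, dropping them would keep the backport limited to the functional change and reduce the chance of conflicts with other patches touching this function.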
