From patchwork Fri Aug 30 19:26:26 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "T.J. Mercier" X-Patchwork-Id: 103824 Received: from am.mirrors.kernel.org ([147.75.80.249]) by linuxtv.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1sk7Gl-0007Ef-1G for patchwork@linuxtv.org; Fri, 30 Aug 2024 19:26:52 +0000 Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by am.mirrors.kernel.org (Postfix) with ESMTPS id CFF401F24A9B for ; Fri, 30 Aug 2024 19:26:48 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 7ACB91BCA10; Fri, 30 Aug 2024 19:26:42 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="ZradwWnG" X-Original-To: linux-media@vger.kernel.org Received: from mail-pf1-f201.google.com (mail-pf1-f201.google.com [209.85.210.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id CF7A033CD1 for ; Fri, 30 Aug 2024 19:26:40 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.210.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1725046002; cv=none; b=CuO4ktv2RtMz5pc9lsBdc2OaFCwvNzYQXrJ7utqJutPy7nCME4j7VDrMZXoJTEjf8GgnXgSGHimrXcQ826Yovns9v/F1eJ/IyLpnUETp53rOkgilpQKIhqdIcYtlIRwjQcsVI8XFEyfLId4z4mkzjFL7BqCmi6QHuJ/vK8VlEAc= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1725046002; c=relaxed/simple; bh=8QVHSbxNTzTLHDg1HVfV1vyaxEg8m3Y3kEmk4ONuLIw=; h=Date:Mime-Version:Message-ID:Subject:From:To:Cc:Content-Type; b=Nu9jrUbLg0SHrcs5uNZfsNH0KnaV8mnPgUL2YsGZYzBQH8AtbFfjr+M7cXJCGVtnw0jel/GEnTSuLCjiUycs4dzQQ+9pWJWqei5gvPzdVnQAFxvSRRruBCOAtwMGWxxQ44dSaYsjW7VcjuIroviBCekKgjIP7UMuMQf6zHyyic8= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--tjmercier.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=ZradwWnG; arc=none smtp.client-ip=209.85.210.201 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--tjmercier.bounces.google.com Received: by mail-pf1-f201.google.com with SMTP id d2e1a72fcca58-7143d76d29fso2395690b3a.3 for ; Fri, 30 Aug 2024 12:26:40 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1725046000; x=1725650800; darn=vger.kernel.org; h=cc:to:from:subject:message-id:mime-version:date:from:to:cc:subject :date:message-id:reply-to; bh=FuDRdZr3lnXIzC7C2IwkgUCCNdeMT8LTC1OgvHLHr0o=; b=ZradwWnG8IGjO1RyDHLcT1zpjxOiiS8oTt5cQ2TqaPIlVryG5CVghopJTjq5sAAQCp EDlLJxcZrD3MQnj8P7rLI5jDr74RgzzYSqoF8USz4zV9xz7Efdkna5V6lqpRz8skk+z2 oR0DgvIIXL5FDc4c5N3HJvDgii64X3kIV7ItTWi9M98NOxSVxnOMmYpicIgvCkfvllMK fpD/KbvqLRE2FGefXlqlEPpMytlLb7zzPBbmDBFVQVpzaca09BkMu3LcWoMjyNO8MPyK wsrWPDNZvd9BlIXGYSUFZWTDGqU4kzhFlnRd+eF6TrtT5ul5hyIXu02fQVsOudKUTrfE f0Mw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1725046000; x=1725650800; h=cc:to:from:subject:message-id:mime-version:date:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=FuDRdZr3lnXIzC7C2IwkgUCCNdeMT8LTC1OgvHLHr0o=; b=lfPrFIz+8WDBA1sG2v5sNtqgKW9F0gBzrL8u+HJZSdMow1zPABFPDcycqnXGzr+sJd v8a9cjymes1i1e+b1gJjBVHvKy0mEECOG4MX1yTS/S2wVLMyRNAEgqdV39lERfOO23I8 iEhCqZJsSl61Q1ZyHdAfaaFeneI9D4rUWH+8PjSbiozLqcwE2rmFZvfALxaiedKGJtKA L+Hib7OPHslP9n/4/JPrxEnx0ozsAL7+xUpwOA30OYbd5tVO9eUFIBlHV43MKtHKR6+d BtaysE2h7qvaDyUVdVOU0kLVD6dSBpcpB4KQjovvjypwEdcNY+8NVdnLWlUQxKeMKx6r NaKw== X-Forwarded-Encrypted: i=1; AJvYcCWsG1dv/ckw2pm0UW2/6u4DuI553gwvitK3U0lR8+Bd32BEj1N1ZpZu1IneawxaLZPfFIX9WBoVCGUOXg==@vger.kernel.org X-Gm-Message-State: AOJu0YzhUukHUYBIOBdhu0YjvM1GSUuvbW9kKPdLY6o4sZjaJW3/r7kq IxAuPV4f+HMJc+O4pxbd3wvbw3qu8DefjAm/HDIr3x9MVaJviBjr/HIDGA4+4Z6HpsZngw/iKgw eB1vWi2nxhGRN0g== X-Google-Smtp-Source: AGHT+IEYDT5yTYPujoEQ0Ej+aCUk5iv9pvxNQHghRZEWhY4u/r1jH/tjVnZ/WpOzBL4HVQ0C2o97rg0PjRinvWA= X-Received: from tj-virt.c.googlers.com ([fda3:e722:ac3:cc00:7f:e700:c0a8:5683]) (user=tjmercier job=sendgmr) by 2002:a05:6a00:8585:b0:714:1436:1cef with SMTP id d2e1a72fcca58-717307cbc9bmr7143b3a.6.1725045999943; Fri, 30 Aug 2024 12:26:39 -0700 (PDT) Date: Fri, 30 Aug 2024 19:26:26 +0000 Precedence: bulk X-Mailing-List: linux-media@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 X-Mailer: git-send-email 2.46.0.469.g59c65b2a67-goog Message-ID: <20240830192627.2546033-1-tjmercier@google.com> Subject: [PATCH] dma-buf: heaps: Fix off-by-one in CMA heap fault handler From: "T.J. Mercier" To: Sumit Semwal , Benjamin Gaignard , Brian Starkey , John Stultz , "T.J. Mercier" , " =?utf-8?q?Christian_K=C3=B6nig?= " Cc: android-mm@google.com, Xingyu Jin , stable@vger.kernel.org, John Stultz , Brian Starkey , linux-media@vger.kernel.org, dri-devel@lists.freedesktop.org, linaro-mm-sig@lists.linaro.org, linux-kernel@vger.kernel.org X-LSpam-Score: -14.8 (--------------) X-LSpam-Report: No, score=-14.8 required=5.0 tests=ARC_SIGNED=0.001,ARC_VALID=-0.1,BAYES_00=-1.9,DKIMWL_WL_MED=-1,DKIM_SIGNED=0.1,DKIM_VALID=-0.1,DKIM_VALID_AU=-0.1,DMARC_PASS=-0.001,HEADER_FROM_DIFFERENT_DOMAINS=0.5,MAILING_LIST_MULTI=-1,RCVD_IN_VALIDITY_CERTIFIED=-3,RCVD_IN_VALIDITY_RPBL=1.31,RCVD_IN_VALIDITY_SAFE=-2,SPF_HELO_NONE=0.001,SPF_PASS=-0.001,USER_IN_DEF_DKIM_WL=-7.5 autolearn=unavailable autolearn_force=no Until VM_DONTEXPAND was added in commit 1c1914d6e8c6 ("dma-buf: heaps: Don't track CMA dma-buf pages under RssFile") it was possible to obtain a mapping larger than the buffer size via mremap and bypass the overflow check in dma_buf_mmap_internal. When using such a mapping to attempt to fault past the end of the buffer, the CMA heap fault handler also checks the fault offset against the buffer size, but gets the boundary wrong by 1. Fix the boundary check so that we don't read off the end of the pages array and insert an arbitrary page in the mapping. Reported-by: Xingyu Jin Fixes: a5d2d29e24be ("dma-buf: heaps: Move heap-helper logic into the cma_heap implementation") Cc: stable@vger.kernel.org # Applicable >= 5.10. Needs adjustments only for 5.10. Signed-off-by: T.J. Mercier Acked-by: John Stultz --- drivers/dma-buf/heaps/cma_heap.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/dma-buf/heaps/cma_heap.c b/drivers/dma-buf/heaps/cma_heap.c index c384004b918e..93be88b805fe 100644 --- a/drivers/dma-buf/heaps/cma_heap.c +++ b/drivers/dma-buf/heaps/cma_heap.c @@ -165,7 +165,7 @@ static vm_fault_t cma_heap_vm_fault(struct vm_fault *vmf) struct vm_area_struct *vma = vmf->vma; struct cma_heap_buffer *buffer = vma->vm_private_data; - if (vmf->pgoff > buffer->pagecount) + if (vmf->pgoff >= buffer->pagecount) return VM_FAULT_SIGBUS; return vmf_insert_pfn(vma, vmf->address, page_to_pfn(buffer->pages[vmf->pgoff]));