From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=3.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI, SIGNED_OFF_BY,SPF_PASS autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id ADF2AC43381 for ; Sun, 24 Mar 2019 19:53:43 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 7A7372133F for ; Sun, 24 Mar 2019 19:53:43 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1553457223; bh=FIZ0smESEdp6ZRsXQxBxPf++Xy5BkSdyO9ct0iIeC/4=; h=Subject:To:Cc:From:Date:List-ID:From; b=HnSAlmagSpqugQb8DmVa51ZLTIaujo5Q6orIxBQjnox1Qxcwfnoy16HkBZs2i/BTZ tURcpWGQGeZb5QWZfeJ1ZU2yxS06vSTlfbEO1KvhcEaeUbTGNcWS+xOIvMgVBhSIfO MJHAofrvDu/Zo1Kf6VtLaRER1qFda/RRvFCEZ/Ic= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727163AbfCXTxn (ORCPT ); Sun, 24 Mar 2019 15:53:43 -0400 Received: from out3-smtp.messagingengine.com ([66.111.4.27]:38713 "EHLO out3-smtp.messagingengine.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726139AbfCXTxn (ORCPT ); Sun, 24 Mar 2019 15:53:43 -0400 Received: from compute6.internal (compute6.nyi.internal [10.202.2.46]) by mailout.nyi.internal (Postfix) with ESMTP id E18EE20D87; Sun, 24 Mar 2019 15:53:41 -0400 (EDT) Received: from mailfrontend1 ([10.202.2.162]) by compute6.internal (MEProxy); Sun, 24 Mar 2019 15:53:41 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:message-id:mime-version:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=RNBnDI KFW5hOvYH/A2awLPwshlA+TYvjR+k7qiBoVRk=; b=CtMlWr/gn6iIPLJL2CVXVW sgMAuoBiy9/SHOotWu3SLmPipIKPNfSR860j5T6fo6lrxyDfzBxxdoRAyDiUjzCT DNiGwRQGlqQLUmuY+9S7xDs5B7S9+h9gsP7ts4BnLC6dXvLWT09GGb6wSRZ6zlRs la1N0M+krEmWsFF344384UECBunwNtlXqV5esuLCxgg8LUgycHz/wj/CAHrdClji yddcUjFSKtLwIAp1QtJSChNqREgo2u4qFjdryHm+7NeZu15lmShk8i1wOu7bU/2G 66XPipTTSkQXqg0Mq9mix0fclrATXj+P/pcByeBWrbKWayyRLeSN49Gb7TAy+vfw == X-ME-Sender: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedutddrjeeigddufeduucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpefuvffhfffkgggtgfesthekredttd dtlfenucfhrhhomhepoehgrhgvghhkhheslhhinhhugihfohhunhgurghtihhonhdrohhr gheqnecuffhomhgrihhnpehfrhgvvgguvghskhhtohhprdhorhhgnecukfhppeekkedrud dvkedrkedtrddvudeinecurfgrrhgrmhepmhgrihhlfhhrohhmpehgrhgvgheskhhrohgr hhdrtghomhenucevlhhushhtvghrufhiiigvpedt X-ME-Proxy: Received: from localhost (unknown [88.128.80.216]) by mail.messagingengine.com (Postfix) with ESMTPA id 28784E409D; Sun, 24 Mar 2019 15:53:38 -0400 (EDT) Subject: FAILED: patch "[PATCH] drm/i915: Sanity check mmap length against object size" failed to apply to 5.0-stable tree To: chris@chris-wilson.co.uk, antonio.argenziano@intel.com, joonas.lahtinen@linux.intel.com, rodrigo.vivi@intel.com, tvrtko.ursulin@intel.com Cc: From: Date: Sun, 24 Mar 2019 20:31:33 +0100 Message-ID: <155345589383229@kroah.com> MIME-Version: 1.0 Content-Type: text/plain; charset=ANSI_X3.4-1968 Content-Transfer-Encoding: 8bit Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org The patch below does not apply to the 5.0-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to . thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 000c4f90e3f0194eef218ff2c6a8fd8ca1de4313 Mon Sep 17 00:00:00 2001 From: Chris Wilson Date: Thu, 14 Mar 2019 07:58:29 +0000 Subject: [PATCH] drm/i915: Sanity check mmap length against object size We assumed that vm_mmap() would reject an attempt to mmap past the end of the filp (our object), but we were wrong. Applications that tried to use the mmap beyond the end of the object would be greeted by a SIGBUS. After this patch, those applications will be told about the error on creating the mmap, rather than at a random moment on later access. Reported-by: Antonio Argenziano Testcase: igt/gem_mmap/bad-size Signed-off-by: Chris Wilson Cc: Antonio Argenziano Cc: Joonas Lahtinen Cc: Tvrtko Ursulin Cc: stable@vger.kernel.org Reviewed-by: Tvrtko Ursulin Reviewed-by: Joonas Lahtinen Link: https://patchwork.freedesktop.org/patch/msgid/20190314075829.16838-1-chris@chris-wilson.co.uk (cherry picked from commit 794a11cb67201ad1bb61af510bb8460280feb3f3) Signed-off-by: Rodrigo Vivi diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c index 30d516e975c6..8558e81fdc2a 100644 --- a/drivers/gpu/drm/i915/i915_gem.c +++ b/drivers/gpu/drm/i915/i915_gem.c @@ -1734,8 +1734,13 @@ i915_gem_mmap_ioctl(struct drm_device *dev, void *data, * pages from. */ if (!obj->base.filp) { - i915_gem_object_put(obj); - return -ENXIO; + addr = -ENXIO; + goto err; + } + + if (range_overflows(args->offset, args->size, (u64)obj->base.size)) { + addr = -EINVAL; + goto err; } addr = vm_mmap(obj->base.filp, 0, args->size, @@ -1749,8 +1754,8 @@ i915_gem_mmap_ioctl(struct drm_device *dev, void *data, struct vm_area_struct *vma; if (down_write_killable(&mm->mmap_sem)) { - i915_gem_object_put(obj); - return -EINTR; + addr = -EINTR; + goto err; } vma = find_vma(mm, addr); if (vma && __vma_matches(vma, obj->base.filp, addr, args->size)) @@ -1768,12 +1773,10 @@ i915_gem_mmap_ioctl(struct drm_device *dev, void *data, i915_gem_object_put(obj); args->addr_ptr = (u64)addr; - return 0; err: i915_gem_object_put(obj); - return addr; }