drm/i915: Sanity check mmap length against object size

We assumed that vm_mmap() would reject an attempt to mmap past the end of the filp (our object), but we were wrong. Applications that tried to use the mmap beyond the end of the object would be greeted by a SIGBUS. After this patch, those applications will be told about the error on creating the mmap, rather than at a random moment on later access. Reported-by: Antonio Argenziano <antonio.argenziano@intel.com> Testcase: igt/gem_mmap/bad-size Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk> Cc: Antonio Argenziano <antonio.argenziano@intel.com> Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com> Cc: Tvrtko Ursulin <tvrtko.ursulin@intel.com> Cc: stable@vger.kernel.org Reviewed-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com> Reviewed-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com> Link: https://patchwork.freedesktop.org/patch/msgid/20190314075829.16838-1-chris@chris-wilson.co.uk (cherry picked from commit 794a11cb67201ad1bb61af510bb8460280feb3f3) Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
author: Chris Wilson <chris@chris-wilson.co.uk> 2019-03-14 07:58:29 +0000
committer: Rodrigo Vivi <rodrigo.vivi@intel.com> 2019-03-18 13:59:42 -0700
commit: 000c4f90e3f0194eef218ff2c6a8fd8ca1de4313 (patch)
tree: 4bed2fed5f66dbd28c42f7039844489cc27f9a28 /drivers/gpu
parent: 65f26e978d7c55c3c3d04296058d95cf7b6e3f14 (diff)
download: linux-000c4f90e3f0194eef218ff2c6a8fd8ca1de4313.tar.bz2
1 files changed, 9 insertions, 6 deletions
diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c
index 30d516e975c6..8558e81fdc2a 100644
--- a/drivers/gpu/drm/i915/i915_gem.c
+++ b/drivers/gpu/drm/i915/i915_gem.c
@@ -1734,8 +1734,13 @@ i915_gem_mmap_ioctl(struct drm_device *dev, void *data,
 	 * pages from.
 	 */
 	if (!obj->base.filp) {
-		i915_gem_object_put(obj);
-		return -ENXIO;
+		addr = -ENXIO;
+		goto err;
+	}
+
+	if (range_overflows(args->offset, args->size, (u64)obj->base.size)) {
+		addr = -EINVAL;
+		goto err;
 	}
 
 	addr = vm_mmap(obj->base.filp, 0, args->size,
@@ -1749,8 +1754,8 @@ i915_gem_mmap_ioctl(struct drm_device *dev, void *data,
 		struct vm_area_struct *vma;
 
 		if (down_write_killable(&mm->mmap_sem)) {
-			i915_gem_object_put(obj);
-			return -EINTR;
+			addr = -EINTR;
+			goto err;
 		}
 		vma = find_vma(mm, addr);
 		if (vma && __vma_matches(vma, obj->base.filp, addr, args->size))
@@ -1768,12 +1773,10 @@ i915_gem_mmap_ioctl(struct drm_device *dev, void *data,
 	i915_gem_object_put(obj);
 
 	args->addr_ptr = (u64)addr;
-
 	return 0;
 
 err:
 	i915_gem_object_put(obj);
-
 	return addr;
 }
author	Chris Wilson <chris@chris-wilson.co.uk>	2019-03-14 07:58:29 +0000
committer	Rodrigo Vivi <rodrigo.vivi@intel.com>	2019-03-18 13:59:42 -0700
commit	000c4f90e3f0194eef218ff2c6a8fd8ca1de4313 (patch)
tree	4bed2fed5f66dbd28c42f7039844489cc27f9a28 /drivers/gpu
parent	65f26e978d7c55c3c3d04296058d95cf7b6e3f14 (diff)
download	linux-000c4f90e3f0194eef218ff2c6a8fd8ca1de4313.tar.bz2