[PATCH 1/2] drm/etnaviv: Use FOLL_FORCE for userptr
Daniel Vetter
daniel at ffwll.ch
Fri Mar 19 19:09:59 UTC 2021
On Mon, Mar 01, 2021 at 10:52:53AM +0100, Daniel Vetter wrote:
> Nothing checks userptr.ro except this call to pup_fast, which means
> there's nothing actually preventing userspace from writing to this.
> Which means you can just read-only mmap any file you want, userptr it
> and then write to it with the gpu. Not good.
>
> The right way to handle this is FOLL_WRITE | FOLL_FORCE, which will
> break any COW mappings and update tracking for MAY_WRITE mappings so
> there's no exploit and the vm isn't confused about what's going on.
> For any legit use case there's no difference from what userspace can
> observe and do.
>
> Cc: stable at vger.kernel.org
> Cc: John Hubbard <jhubbard at nvidia.com>
> Signed-off-by: Daniel Vetter <daniel.vetter at intel.com>
> Cc: Lucas Stach <l.stach at pengutronix.de>
> Cc: Russell King <linux+etnaviv at armlinux.org.uk>
> Cc: Christian Gmeiner <christian.gmeiner at gmail.com>
> Cc: etnaviv at lists.freedesktop.org
Can I please have an ack on this so I can apply it? It's stuck.
Thanks, Daniel
> ---
> drivers/gpu/drm/etnaviv/etnaviv_gem.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/etnaviv/etnaviv_gem.c b/drivers/gpu/drm/etnaviv/etnaviv_gem.c
> index 6d38c5c17f23..a9e696d05b33 100644
> --- a/drivers/gpu/drm/etnaviv/etnaviv_gem.c
> +++ b/drivers/gpu/drm/etnaviv/etnaviv_gem.c
> @@ -689,7 +689,7 @@ static int etnaviv_gem_userptr_get_pages(struct etnaviv_gem_object *etnaviv_obj)
> struct page **pages = pvec + pinned;
>
> ret = pin_user_pages_fast(ptr, num_pages,
> - !userptr->ro ? FOLL_WRITE : 0, pages);
> + FOLL_WRITE | FOLL_FORCE, pages);
> if (ret < 0) {
> unpin_user_pages(pvec, pinned);
> kvfree(pvec);
> --
> 2.30.0
>
--
Daniel Vetter
Software Engineer, Intel Corporation
http://blog.ffwll.ch
More information about the dri-devel
mailing list