[PATCH] drm/panthor: Enforce DRM_PANTHOR_BO_NO_MMAP
Boris Brezillon
boris.brezillon at collabora.com
Wed Apr 16 15:11:24 UTC 2025
On Wed, 16 Apr 2025 15:26:42 +0100
Steven Price <steven.price at arm.com> wrote:
> On 15/04/2025 11:57, Boris Brezillon wrote:
> > Right now the DRM_PANTHOR_BO_NO_MMAP flag is ignored by
> > panthor_ioctl_bo_mmap_offset(), meaning BOs with this flag set can
> > still be mmap-ed.
> >
> > Fortunately, this bug only impacts user BOs, because kernel BOs are not
> > exposed to userspace (they don't have a BO handle), so they can't
> > be mmap-ed anyway. Given all user BOs setting this flag are private
> > anyway (not shareable), there's no potential data leak.
>
> Maybe I'm missing something, but I think the below check in
> panthor_gem_mmap() should also prevent this:
>
> > static int panthor_gem_mmap(struct drm_gem_object *obj, struct vm_area_struct *vma)
> > {
> > 	struct panthor_gem_object *bo = to_panthor_bo(obj);
> >
> > 	/* Don't allow mmap on objects that have the NO_MMAP flag set. */
> > 	if (bo->flags & DRM_PANTHOR_BO_NO_MMAP)
> > 		return -EINVAL;

Doh, how did I miss that one...

> >
> > 	return drm_gem_shmem_object_mmap(obj, vma);
> > }
>
> That said, it doesn't make sense to be able to get an offset if you
> can't mmap() so this seems like a good change. Indeed potentially with
> this we no longer need panthor_gem_mmap() - although I haven't
> completely convinced myself of that yet.
>
> > Fixes: 4bdca1150792 ("drm/panthor: Add the driver frontend block")
> > Signed-off-by: Boris Brezillon <boris.brezillon at collabora.com>
>
> Reviewed-by: Steven Price <steven.price at arm.com>

Okay, if we decide to keep that change, I need to reword the commit
message and drop the Fixes tag.

>
> > ---
> > drivers/gpu/drm/panthor/panthor_drv.c | 5 +++++
> > 1 file changed, 5 insertions(+)
> >
> > diff --git a/drivers/gpu/drm/panthor/panthor_drv.c b/drivers/gpu/drm/panthor/panthor_drv.c
> > index 15d8e2bcf6ad..1499df07f512 100644
> > --- a/drivers/gpu/drm/panthor/panthor_drv.c
> > +++ b/drivers/gpu/drm/panthor/panthor_drv.c
> > @@ -940,6 +940,7 @@ static int panthor_ioctl_bo_mmap_offset(struct drm_device *ddev, void *data,
> > struct drm_file *file)
> > {
> > struct drm_panthor_bo_mmap_offset *args = data;
> > + struct panthor_gem_object *bo;
> > struct drm_gem_object *obj;
> > int ret;
> >
> > @@ -950,6 +951,10 @@ static int panthor_ioctl_bo_mmap_offset(struct drm_device *ddev, void *data,
> > if (!obj)
> > return -ENOENT;
> >
> > + bo = to_panthor_bo(obj);
> > + if (bo->flags & DRM_PANTHOR_BO_NO_MMAP)
> > + return -EINVAL;
> > +
> > ret = drm_gem_create_mmap_offset(obj);
> > if (ret)
> > goto out;
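
Review bot: the early `return -EINVAL` in the added NO_MMAP check leaves the function directly, while the error path just below it uses `goto out`. If the `out` label is where the reference held on `obj` is released, every call rejected by this check leaks that reference, and userspace can repeat the ioctl at will. Suggest setting `ret = -EINVAL` and using `goto out` here, so that the new check follows the same cleanup path as the `drm_gem_create_mmap_offset()` failure case.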
>