[Intel-gfx] [PATCH] drm/i915: Sanity check mmap length against object size
Chris Wilson
chris at chris-wilson.co.uk
Mon Mar 18 12:16:13 UTC 2019
Quoting Chris Wilson (2019-03-18 12:10:12)
> Quoting Chris Wilson (2019-03-14 11:44:37)
> > Quoting Tvrtko Ursulin (2019-03-14 11:33:43)
> > > I am only wondering what happens to reads/writes to the trailing area?
> > > Does shmemfs expand the backing store for this mmap and we just end up
> > > with an otherwise unused chunk at the end?
> >
> > My expectation would be that they generate a SIGBUS since the filp
> > should not be extended to cover the absent pages. So it would be the
> > equivalent of mmapping a file then calling ftruncate(0).
>
> Ok, having just checked, what actually happens is that shmemfs quite
> happily allocates the extra page beyond the end of the object and
> userspace can freely read/write into that address space with only the
> mere consequence that those pages are not mapped to the GPU.

Or egg-on-face moment, wrong kernel (already had the safety check!)

ickle at kabylake:~/intel-gpu-tools$ sudo ./build/tests/gem_mmap --run bad-size
IGT-Version: 1.23-g3fc026d3e (x86_64) (Linux: 5.0.0+ x86_64)
Starting subtest: bad-size
Received signal SIGBUS.
Stack trace:
#0 [fatal_sig_handler+0xd5]
#1 [killpg+0x40]
#2 [__real_main119+0x1b6]
#3 [main+0x44]
#4 [__libc_start_main+0xeb]
#5 [_start+0x2a]
Subtest bad-size: CRASH (0.001s)
SIGBUS!
-Chris
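
The file analogy used in the thread (a mapping that extends past the end of its backing file) can be reproduced with an ordinary file. This is an added example, not code from the patch or from intel-gpu-tools: it maps two pages over a one-page scratch file and reports whether a store into each page raises SIGBUS. The function names and the /tmp scratch path are assumptions made for the illustration, and it shows generic file-mapping behaviour on Linux, not the i915 mmap ioctl.

```c
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>

static sigjmp_buf fault_env;
static void on_sigbus(int sig) { (void)sig; siglongjmp(fault_env, 1); }

/* Store one byte at p; return 1 if the store raised SIGBUS, 0 if it landed. */
static int store_faults(volatile char *p)
{
    struct sigaction sa = { .sa_handler = on_sigbus }, old;
    volatile int faulted = 1;

    sigemptyset(&sa.sa_mask);
    sigaction(SIGBUS, &sa, &old);
    if (sigsetjmp(fault_env, 1) == 0) { /* nonzero when re-entered from the handler */
        *p = 0x5a;
        faulted = 0;
    }
    sigaction(SIGBUS, &old, NULL);
    return faulted;
}

/* Map map_pages over a file of file_pages, store into page `touch`: 1 = SIGBUS, 0 = ok, -1 = setup error. */
int probe_mapping(long file_pages, long map_pages, long touch)
{
    char path[] = "/tmp/mmap-bad-size-XXXXXX"; /* constructed scratch file (assumed path) */
    long pg = sysconf(_SC_PAGESIZE);
    int fd = mkstemp(path), ret = -1;

    if (fd < 0) return -1;
    unlink(path);
    if (ftruncate(fd, file_pages * pg) == 0) {
        /* mmap() itself accepts a length larger than the file; only access faults. */
        char *map = mmap(NULL, map_pages * pg, PROT_READ | PROT_WRITE,
                         MAP_SHARED, fd, 0);
        if (map != MAP_FAILED) {
            ret = store_faults(map + touch * pg);
            munmap(map, map_pages * pg);
        }
    }
    close(fd);
    return ret;
}
int main(void) { printf("in-bounds: %d\n", probe_mapping(1, 2, 0)); printf("past end: %d\n", probe_mapping(1, 2, 1)); return 0; }
```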