[0/2] Fix purging buffers in the shmem helpers

Message ID	20210223155125.199577-1-nroberts@igalia.com (mailing list archive)
Headers	show Return-Path: <SRS0=nETQ=HZ=lists.freedesktop.org=dri-devel-bounces@kernel.org> DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 788F364E20 From: Neil Roberts <nroberts@igalia.com> To: Rob Herring <robh+dt@kernel.org>, Tomeu Vizoso <tomeu@tomeuvizoso.net>, Alyssa Rosenzweig <alyssa.rosenzweig@collabora.com>, Steven Price <steven.price@arm.com>, Robin Murphy <robin.murphy@arm.com> Subject: [PATCH 0/2] Fix purging buffers in the shmem helpers Date: Tue, 23 Feb 2021 16:51:23 +0100 Message-Id: <20210223155125.199577-1-nroberts@igalia.com> MIME-Version: 1.0 Precedence: list Cc: dri-devel@lists.freedesktop.org Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: dri-devel-bounces@lists.freedesktop.org Sender: "dri-devel" <dri-devel-bounces@lists.freedesktop.org>
Series	Fix purging buffers in the shmem helpers \| expand [0/2] Fix purging buffers in the shmem helpers [1/2] drm/shmem-helper: Check for purged buffers in fault handler [v2,2/2] drm/shmem-helper: Don't remove the offset in vm_area_struct pgoff

Message ID

20210223155125.199577-1-nroberts@igalia.com (mailing list archive)

Headers

DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 788F364E20
From: Neil Roberts <nroberts@igalia.com>
To: Rob Herring <robh+dt@kernel.org>, Tomeu Vizoso <tomeu@tomeuvizoso.net>,
 Alyssa Rosenzweig <alyssa.rosenzweig@collabora.com>,
 Steven Price <steven.price@arm.com>, Robin Murphy <robin.murphy@arm.com>
Subject: [PATCH 0/2] Fix purging buffers in the shmem helpers
Date: Tue, 23 Feb 2021 16:51:23 +0100
Message-Id: <20210223155125.199577-1-nroberts@igalia.com>
MIME-Version: 1.0
Precedence: list
Cc: dri-devel@lists.freedesktop.org
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: dri-devel-bounces@lists.freedesktop.org
Sender: "dri-devel" <dri-devel-bounces@lists.freedesktop.org>

Series

Fix purging buffers in the shmem helpers | expand

Message

Neil Roberts Feb. 23, 2021, 3:51 p.m. UTC

These two patches fix a problem with the madvise purging code for the
shmem helpers where the mmaping for a purged buffer wouldn't get
invalidated correctly. This presumably ends up as a security hole
where the mapping can be accessed from user-space to read and write
random pages from other buffers. This is currently affecting Panfrost.
The second patch is a v2 from a patch that was sent standalone.

There is a WIP IGT test for Panfrost which demonstrates the bug here:

https://gitlab.freedesktop.org/nroberts/igt-gpu-tools/-/commits/panfrost-purgemap/

Neil Roberts (2):
  drm/shmem-helper: Check for purged buffers in fault handler
  drm/shmem-helper: Don't remove the offset in vm_area_struct pgoff

 drivers/gpu/drm/drm_gem_shmem_helper.c | 25 ++++++++++++++++++-------
 1 file changed, 18 insertions(+), 7 deletions(-)

Comments

Steven Price March 5, 2021, 10:22 a.m. UTC | #1

On 23/02/2021 15:51, Neil Roberts wrote:
> These two patches fix a problem with the madvise purging code for the
> shmem helpers where the mmaping for a purged buffer wouldn't get
> invalidated correctly. This presumably ends up as a security hole
> where the mapping can be accessed from user-space to read and write
> random pages from other buffers. This is currently affecting Panfrost.
> The second patch is a v2 from a patch that was sent standalone.
> 
> There is a WIP IGT test for Panfrost which demonstrates the bug here:
> 
> https://gitlab.freedesktop.org/nroberts/igt-gpu-tools/-/commits/panfrost-purgemap/
> 
> Neil Roberts (2):
>    drm/shmem-helper: Check for purged buffers in fault handler
>    drm/shmem-helper: Don't remove the offset in vm_area_struct pgoff
> 
>   drivers/gpu/drm/drm_gem_shmem_helper.c | 25 ++++++++++++++++++-------
>   1 file changed, 18 insertions(+), 7 deletions(-)
> 

Pushed to drm-misc-fixes

Thanks,

Steve