• Daniel Vetter's avatar
    drm/etnaviv: Use FOLL_FORCE for userptr · cd5297b0
    Daniel Vetter authored
    Nothing checks userptr.ro except this call to pup_fast, which means
    there's nothing actually preventing userspace from writing to this.
    Which means you can just read-only mmap any file you want, userptr it
    and then write to it with the gpu. Not good.
    
    The right way to handle this is FOLL_WRITE | FOLL_FORCE, which will
    break any COW mappings and update tracking for MAY_WRITE mappings so
    there's no exploit and the vm isn't confused about what's going on.
    For any legit use case there's no difference from what userspace can
    observe and do.
    Reviewed-by: default avatarLucas Stach <l.stach@pengutronix.de>
    Cc: stable@vger.kernel.org
    Cc: John Hubbard <jhubbard@nvidia.com>
    Signed-off-by: default avatarDaniel Vetter <daniel.vetter@intel.com>
    Cc: Lucas Stach <l.stach@pengutronix.de>
    Cc: Russell King <linux+etnaviv@armlinux.org.uk>
    Cc: Christian Gmeiner <christian.gmeiner@gmail.com>
    Cc: etnaviv@lists.freedesktop.org
    Link: https://patchwork.freedesktop.org/patch/msgid/20210301095254.1946084-1-daniel.vetter@ffwll.ch
    cd5297b0
etnaviv_gem.c 18.8 KB