Date: Fri, 20 Apr 2018 09:48:18 +0200
From: Daniel Vetter
To: Gerd Hoffmann
Cc: dri-devel@lists.freedesktop.org, David Airlie, Dave Airlie, open list, "open list:DRM DRIVER FOR QXL VIRTUAL GPU"
Subject: Re: [PATCH 1/2] qxl: fix qxl_release_{map,unmap}
Message-ID: <20180420074818.GL31310@phenom.ffwll.local>
References: <20180418054257.15388-1-kraxel@redhat.com> <20180418054257.15388-2-kraxel@redhat.com>
In-Reply-To: <20180418054257.15388-2-kraxel@redhat.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Apr 18, 2018 at 07:42:56AM +0200, Gerd Hoffmann wrote:
> s/PAGE_SIZE/PAGE_MASK/
>
> Luckily release_offset is never larger than PAGE_SIZE, so the bug has no
> bad side effects and managed to stay unnoticed for years that way ...
>
> Signed-off-by: Gerd Hoffmann

Sweeet. Since the buggy code uses the same expression for page frame and
offset I don't think there's a security bug. You might still want to cc:
stable (since without you de facto can't ever use this feature).

Reviewed-by: Daniel Vetter

> --- > drivers/gpu/drm/qxl/qxl_ioctl.c | 4 ++-- > drivers/gpu/drm/qxl/qxl_release.c | 6 +++--- > 2 files changed, 5 insertions(+), 5 deletions(-) > > diff --git a/drivers/gpu/drm/qxl/qxl_ioctl.c b/drivers/gpu/drm/qxl/qxl_ioctl.c > index e238a1a2ec..6cc9f3367f 100644 > --- a/drivers/gpu/drm/qxl/qxl_ioctl.c > +++ b/drivers/gpu/drm/qxl/qxl_ioctl.c > @@ -182,9 +182,9 @@ static int qxl_process_single_command(struct qxl_device *qdev, > goto out_free_reloc; > > /* TODO copy slow path code from i915 */ > - fb_cmd = qxl_bo_kmap_atomic_page(qdev, cmd_bo, (release->release_offset & PAGE_SIZE)); > + fb_cmd = qxl_bo_kmap_atomic_page(qdev, cmd_bo, (release->release_offset & PAGE_MASK)); > unwritten = __copy_from_user_inatomic_nocache > - (fb_cmd + sizeof(union qxl_release_info) + (release->release_offset & ~PAGE_SIZE), > + (fb_cmd + sizeof(union qxl_release_info) + (release->release_offset & ~PAGE_MASK), > u64_to_user_ptr(cmd->command), cmd->command_size); > > { > diff --git a/drivers/gpu/drm/qxl/qxl_release.c b/drivers/gpu/drm/qxl/qxl_release.c > index 5d84a66fed..a0b4244d28 100644 > --- a/drivers/gpu/drm/qxl/qxl_release.c > +++ b/drivers/gpu/drm/qxl/qxl_release.c > @@ -411,10 +411,10 @@ union qxl_release_info *qxl_release_map(struct qxl_device *qdev, > struct qxl_bo_list *entry = list_first_entry(&release->bos, struct qxl_bo_list, tv.head); > struct qxl_bo *bo = to_qxl_bo(entry->tv.bo); > > - ptr = qxl_bo_kmap_atomic_page(qdev, bo, release->release_offset & PAGE_SIZE); > + ptr = qxl_bo_kmap_atomic_page(qdev, bo, release->release_offset & PAGE_MASK); > if (!ptr) > return NULL; > - info = ptr + (release->release_offset & ~PAGE_SIZE); > + info = ptr + (release->release_offset & ~PAGE_MASK); > return info; > } 
> > @@ -426,7 +426,7 @@ void qxl_release_unmap(struct qxl_device *qdev, > struct qxl_bo *bo = to_qxl_bo(entry->tv.bo); > void *ptr; > > - ptr = ((void *)info) - (release->release_offset & ~PAGE_SIZE); > + ptr = ((void *)info) - (release->release_offset & ~PAGE_MASK); > qxl_bo_kunmap_atomic_page(qdev, bo, ptr); > } > > -- > 2.9.3

-- 
Daniel Vetter
Software Engineer, Intel Corporation
http://blog.ffwll.ch
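
Review bot: In the qxl_process_single_command() hunk of qxl_ioctl.c, fb_cmd goes straight from qxl_bo_kmap_atomic_page() into the destination of __copy_from_user_inatomic_nocache() with no NULL check, while qxl_release_map() in this same patch guards the identical call with `if (!ptr) return NULL;`. Suggest testing fb_cmd and leaving through the function's error path before the copy. Because the destination is fb_cmd + sizeof(union qxl_release_info) + the in-page offset and the length is cmd->command_size, it is also worth confirming, in the part of the function outside this hunk, that the sum cannot run past the page that was mapped.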
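
Review bot: In qxl_release_map() and qxl_release_unmap() the split of release_offset is still spelled out by hand (`release->release_offset & PAGE_MASK` for the page, `& ~PAGE_MASK` for the remainder), which is the pattern that let PAGE_SIZE slip in at five places. Suggest offset_in_page(release->release_offset) for the in-page part, or one small helper shared by map, unmap and the ioctl path, so that the subtraction in unmap is guaranteed to undo the addition in map.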
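
The commit message's remark that the wrong mask went unnoticed can be checked with plain arithmetic. The following is an added user-space example, not code from the patch or the qxl driver; it assumes 4 KiB pages, and the names `split_buggy`, `split_fixed`, `stays_in_page` and `first_divergence` are hypothetical.

```c
#include <stdio.h>

/* Assumption: 4 KiB pages; macros defined the way the kernel defines them. */
#define PAGE_SIZE (1UL << 12)
#define PAGE_MASK (~(PAGE_SIZE - 1))

struct split { unsigned long page, in_page; };

/* Pre-patch expressions: PAGE_SIZE is one bit (bit 12), not a mask. */
static struct split split_buggy(unsigned long off)
{
    return (struct split){ off & PAGE_SIZE, off & ~PAGE_SIZE };
}

/* Post-patch expressions: page-aligned base plus offset inside that page. */
static struct split split_fixed(unsigned long off)
{
    return (struct split){ off & PAGE_MASK, off & ~PAGE_MASK };
}

/* The in-page part is only usable if it stays inside one mapped page. */
static int stays_in_page(struct split s)
{
    return s.in_page < PAGE_SIZE;
}

/* Lowest offset below limit where the two splits differ, or limit if none. */
static unsigned long first_divergence(unsigned long limit)
{
    for (unsigned long off = 0; off < limit; off++) {
        struct split b = split_buggy(off), f = split_fixed(off);
        if (b.page != f.page || b.in_page != f.in_page)
            return off;
    }
    return limit;
}

int main(void)
{
    unsigned long samples[] = { 0x0234, 0x1234, 0x2234, 0x3234 }; /* constructed */
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        struct split b = split_buggy(samples[i]), f = split_fixed(samples[i]);
        printf("off=%#lx buggy=(%#lx,%#lx)%s fixed=(%#lx,%#lx)\n", samples[i], b.page,
               b.in_page, stays_in_page(b) ? "" : " OUT-OF-PAGE", f.page, f.in_page);
    }
    printf("first divergence: %#lx\n", first_divergence(4 * PAGE_SIZE));
    return 0;
}
```

With these definitions the two variants agree for every offset below 0x2000, which covers the range the commit message says release_offset stays in.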