Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp50182imu; Thu, 24 Jan 2019 20:56:25 -0800 (PST) X-Google-Smtp-Source: ALg8bN6ge+ClLpSwDSVJC0ymzubfnBCeB1EkTGHO2/QOT43bI7gRv28HPZSvFkODHdIMTeCRgsvQ X-Received: by 2002:a63:bf0b:: with SMTP id v11mr8803938pgf.302.1548392185220; Thu, 24 Jan 2019 20:56:25 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1548392185; cv=none; d=google.com; s=arc-20160816; b=WMtLemquCLT3wO2o178g6wgah+sA5GDSQO2f/4/rXeQVCfNW9YwtKw9FjeG+v3MTQ0 aE1cNmtF6CuSV367EHSPRdKvj/lbQujJGWdzfPb4xjH+ZHrU9R6YGl1uSA90rYzr/jN7 NtGThDbC629Zv1KNbp/oebXDJ86+stQZypmmvmQfKJo79/YTGxDf6EF1y5Bsv/tnwWKw 1mkaujBghjyMHhIpUHddwyMfjrcG98OjcXOcv/tCmObIAw6Ao/NAt6hrhaPrHXsdLd7s OrfIomAadscfpnymvSLdECqaQxG0l21xi063dhJcbmZw8pk/gGUBpLggeL9sZyg1Iyah mWJg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=C/JMwhxLuu6m6SIs9Oh+wPosmqrDzte6hFP2JULDCc4=; b=XDioyzDgnScDBrqrHDeOzLrpJPuxfxTYiqDWghGH/xi/5Shg32vN/VNHqpBwdjn4M3 CQQSVVH40aQVSpcG5Ye088ndEk1xspo1CDRyX24dJLJCtsN6PYw7Eliin3WVDCOtzGdT oPZ17jyLsFzswTVOI9hHLkoD1ktHLicAY0qbgd73PzpirDEiZJLZvRELkAlVZLMvkcEV 25F3/SHeUYH7fSCJV6LKU4zNKVvJ1Af4wtj3dmX5w7rIVYAMVe+a9KIBxW60xtNxhMZB 6vRr6C11uCBSErNvJMExsKcwf7XNt1mBqWEr7+9Z4cqEx0GKmIncYuiwesZTf0Xpjvc1 abZg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=dly1TwWz; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id m11si23503964plt.26.2019.01.24.20.56.08; Thu, 24 Jan 2019 20:56:25 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=dly1TwWz; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727618AbfAYE4E (ORCPT + 99 others); Thu, 24 Jan 2019 23:56:04 -0500 Received: from mail-lf1-f67.google.com ([209.85.167.67]:34766 "EHLO mail-lf1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726271AbfAYE4D (ORCPT ); Thu, 24 Jan 2019 23:56:03 -0500 Received: by mail-lf1-f67.google.com with SMTP id p6so6039498lfc.1; Thu, 24 Jan 2019 20:56:01 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=C/JMwhxLuu6m6SIs9Oh+wPosmqrDzte6hFP2JULDCc4=; b=dly1TwWzlEjzTmbOOZejw9fX4Z4HPWT5IuOLxsP492/+AwlNJDJ1r1Hw844+MFqLXp VPYrFSKwQtg4qx/peWt31A9iL4OGiMsVv7Bi+6437vD3jzIE059BlpT4KESCt54C3R3l /pX0yRxYNoACe/8TSpHJf9oPgqklqHeYhnqkuQQCVaGVhaHclXUPSZ/zduaMsMzrvaIv MxeeQtQE4Kx6dV8Z0B8/5UN0eG3l1HLoUqimDKF+XEVEub3djBjjl6QsKc0/mJPkiolB si1xaQ+PVQCz+ei9YecLBva1/JN/7o2tgA3IqKKPvUnHW/Q90kYtaFfUe64r72SjYfMx F7Yw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=C/JMwhxLuu6m6SIs9Oh+wPosmqrDzte6hFP2JULDCc4=; b=ZcL1sH9jO6PXcUaj+QaTiGvYZAGDZbHI+TLsrm1bo34QlFQFIweMcZK6uP6cIv7Hjg /VxS9oJ6sQj408pDs3St3IJP9AufLwrNHe9ZJC16l8pPOULgJbne2x+996id/hsSg+OM I6v9SOakAEC/6eGvmFL4h86pdGPz4JBjTB0r/aQR3S1hdtt/Dh7Tr576xWzfpgq6/yRW WLDS/IOEfwWsWB6xPN9GI1czVrNeD0V6NunbjKvTZOT2BfOYBtNM+AVzxZdyDdFc2oDw 7/CkuTvPO1rM6ABvUHfG8uURNeH8ml1Jbp57h8N4M59cch8orE/kvCmfoJrKgZ5OzYrk VPvA== X-Gm-Message-State: AJcUukdrXddz8KJ/XSHqPJtwmV8iXDnKhPSOK3eTmqFYEoDUX1+TxI6T 0T27EETsXUhg0EtqDMleeWLsvb52ylTnm1s2I7s= X-Received: by 2002:a19:645b:: with SMTP id b27mr7194430lfj.14.1548392160400; Thu, 24 Jan 2019 20:56:00 -0800 (PST) MIME-Version: 1.0 References: <20190111151154.GA2819@jordon-HP-15-Notebook-PC> <241810e0-2288-c59b-6c21-6d853d9fe84a@samsung.com> In-Reply-To: <241810e0-2288-c59b-6c21-6d853d9fe84a@samsung.com> From: Souptick Joarder Date: Fri, 25 Jan 2019 10:25:48 +0530 Message-ID: Subject: Re: [PATCH 7/9] videobuf2/videobuf2-dma-sg.c: Convert to use vm_insert_range_buggy To: Marek Szyprowski Cc: Andrew Morton , Matthew Wilcox , Michal Hocko , pawel@osciak.com, Kyungmin Park , mchehab@kernel.org, Russell King - ARM Linux , robin.murphy@arm.com, linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, Linux-MM Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Marek, On Tue, Jan 22, 2019 at 8:37 PM Marek Szyprowski wrote: > > Hi Souptick, > > On 2019-01-11 16:11, Souptick Joarder wrote: > > Convert to use vm_insert_range_buggy to map range of kernel memory > > to user vma. > > > > This driver has ignored vm_pgoff. We could later "fix" these drivers > > to behave according to the normal vm_pgoff offsetting simply by > > removing the _buggy suffix on the function name and if that causes > > regressions, it gives us an easy way to revert. > > Just a generic note about videobuf2: videobuf2-dma-sg is ignoring vm_pgof= f by design. vm_pgoff is used as a 'cookie' to select a buffer to mmap and = videobuf2-core already checks that. If userspace provides an offset, which = doesn't match any of the registered 'cookies' (reported to userspace via se= parate v4l2 ioctl), an error is returned. Ok, it means once the buf is selected, videobuf2-dma-sg should always mapped buf->pages[i] from index 0 ( irrespective of vm_pgoff value). So although we are replacing the code with vm_insert_range_buggy(), *_buggy* suffix will mislead others and should not be used. And if we replace this code with vm_insert_range(), this will introduce bug for *non zero* value of vm_pgoff. Please correct me if my understanding is wrong. So what your opinion about this patch ? Shall I drop this patch from current series ? or, There is any better way to handle this scenario ? > > > There is an existing bug inside gem_mmap_obj(), where user passed > > length is not checked against buf->num_pages. For any value of > > length > buf->num_pages it will end up overrun buf->pages[i], > > which could lead to a potential bug. It is not gem_mmap_obj(), it should be vb2_dma_sg_mmap(). Sorry about it. What about this issue ? Does it looks like a valid issue ? > > > > This has been addressed by passing buf->num_pages as input to > > vm_insert_range_buggy() and inside this API error condition is > > checked which will avoid overrun the page boundary. > > > > Signed-off-by: Souptick Joarder > > --- > > drivers/media/common/videobuf2/videobuf2-dma-sg.c | 22 ++++++---------= ------- > > 1 file changed, 6 insertions(+), 16 deletions(-) > > > > diff --git a/drivers/media/common/videobuf2/videobuf2-dma-sg.c b/driver= s/media/common/videobuf2/videobuf2-dma-sg.c > > index 015e737..ef046b4 100644 > > --- a/drivers/media/common/videobuf2/videobuf2-dma-sg.c > > +++ b/drivers/media/common/videobuf2/videobuf2-dma-sg.c > > @@ -328,28 +328,18 @@ static unsigned int vb2_dma_sg_num_users(void *bu= f_priv) > > static int vb2_dma_sg_mmap(void *buf_priv, struct vm_area_struct *vma) > > { > > struct vb2_dma_sg_buf *buf =3D buf_priv; > > - unsigned long uaddr =3D vma->vm_start; > > - unsigned long usize =3D vma->vm_end - vma->vm_start; > > - int i =3D 0; > > + int err; > > > > if (!buf) { > > printk(KERN_ERR "No memory to map\n"); > > return -EINVAL; > > } > > > > - do { > > - int ret; > > - > > - ret =3D vm_insert_page(vma, uaddr, buf->pages[i++]); > > - if (ret) { > > - printk(KERN_ERR "Remapping memory, error: %d\n", = ret); > > - return ret; > > - } > > - > > - uaddr +=3D PAGE_SIZE; > > - usize -=3D PAGE_SIZE; > > - } while (usize > 0); > > - > > + err =3D vm_insert_range_buggy(vma, buf->pages, buf->num_pages); > > + if (err) { > > + printk(KERN_ERR "Remapping memory, error: %d\n", err); > > + return err; > > + } > > > > /* > > * Use common vm_area operations to track buffer refcount. > > Best regards > -- > Marek Szyprowski, PhD > Samsung R&D Institute Poland >