ACK: [PATCH 1/1] drm/i915/gvt: Fix mmap range check

Kleber Souza kleber.souza at canonical.com
Tue Jun 4 14:06:34 UTC 2019


On 5/29/19 3:52 PM, Timo Aaltonen wrote:
> From: Zhenyu Wang <zhenyuw at linux.intel.com>
> 
> This is to fix missed mmap range check on vGPU bar2 region
> and only allow to map vGPU allocated GMADDR range, which means
> user space should support sparse mmap to get proper offset for
> mmap vGPU aperture. And this takes care of actual pgoff in mmap
> request as original code always does from beginning of vGPU
> aperture.
> 
> Fixes: 659643f7d814 ("drm/i915/gvt/kvmgt: add vfio/mdev support to KVMGT")
> Cc: "Monroy, Rodrigo Axel" <rodrigo.axel.monroy at intel.com>
> Cc: "Orrala Contreras, Alfredo" <alfredo.orrala.contreras at intel.com>
> Cc: stable at vger.kernel.org # v4.10+
> Reviewed-by: Hang Yuan <hang.yuan at intel.com>
> Signed-off-by: Zhenyu Wang <zhenyuw at linux.intel.com>
> 
> CVE-2019-11085
> 
> (cherry picked from commit 51b00d8509dc69c98740da2ad07308b630d3eb7d)
> Signed-off-by: Timo Aaltonen <timo.aaltonen at canonical.com>

Acked-by: Kleber Sacilotto de Souza <kleber.souza at canonical.com>

> ---
>  drivers/gpu/drm/i915/gvt/kvmgt.c | 14 ++++++++++++--
>  1 file changed, 12 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/gpu/drm/i915/gvt/kvmgt.c b/drivers/gpu/drm/i915/gvt/kvmgt.c
> index 14dce5c201d5..8f23d1f064c6 100644
> --- a/drivers/gpu/drm/i915/gvt/kvmgt.c
> +++ b/drivers/gpu/drm/i915/gvt/kvmgt.c
> @@ -940,7 +940,7 @@ static int intel_vgpu_mmap(struct mdev_device *mdev, struct vm_area_struct *vma)
>  {
>  	unsigned int index;
>  	u64 virtaddr;
> -	unsigned long req_size, pgoff = 0;
> +	unsigned long req_size, pgoff, req_start;
>  	pgprot_t pg_prot;
>  	struct intel_vgpu *vgpu = mdev_get_drvdata(mdev);
>  
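
Review bot: dropping the `= 0` initializer from `pgoff` in the declaration line means any read of `pgoff` before its new assignment from `vma->vm_pgoff` would use an uninitialized value. The code between this declaration and that assignment is not shown in the patch, so it is worth confirming nothing there touches `pgoff`. Separately, `req_start` is declared `unsigned long` next to a `u64 virtaddr`; making `req_start` a `u64` as well would keep the offset arithmetic at a fixed width regardless of the build.
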
> @@ -958,7 +958,17 @@ static int intel_vgpu_mmap(struct mdev_device *mdev, struct vm_area_struct *vma)
>  	pg_prot = vma->vm_page_prot;
>  	virtaddr = vma->vm_start;
>  	req_size = vma->vm_end - vma->vm_start;
> -	pgoff = vgpu_aperture_pa_base(vgpu) >> PAGE_SHIFT;
> +	pgoff = vma->vm_pgoff &
> +		((1U << (VFIO_PCI_OFFSET_SHIFT - PAGE_SHIFT)) - 1);
> +	req_start = pgoff << PAGE_SHIFT;
> +
> +	if (!intel_vgpu_in_aperture(vgpu, req_start))
> +		return -EINVAL;
> +	if (req_start + req_size >
> +	    vgpu_aperture_offset(vgpu) + vgpu_aperture_sz(vgpu))
> +		return -EINVAL;
> +
> +	pgoff = (gvt_aperture_pa_base(vgpu->gvt) >> PAGE_SHIFT) + pgoff;
>  
>  	return remap_pfn_range(vma, virtaddr, pgoff, req_size, pg_prot);
>  }
> 
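
Review bot: the upper-bound test `req_start + req_size > vgpu_aperture_offset(vgpu) + vgpu_aperture_sz(vgpu)` adds two `unsigned long` values before comparing, so it is only correct as long as neither sum can wrap. Since `intel_vgpu_in_aperture(vgpu, req_start)` has already passed at that point, the check could be written as a subtraction (compare `req_size` against the aperture end minus `req_start`), which does not depend on that assumption. The mask `(1U << (VFIO_PCI_OFFSET_SHIFT - PAGE_SHIFT)) - 1` also uses a 32-bit literal against an `unsigned long` `vm_pgoff`; `1UL` or a named offset-mask macro would be more robust if the shift width ever changes. A short comment above the checks saying that `pgoff` is now the offset within the region rather than from the start of the vGPU aperture, and that user space therefore needs sparse mmap as the commit message says, would help the next reader.
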



