mmap locking in atomisp staging driver looks bogus

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



I noticed this code in alloc_user_pages() in
drivers/staging/media/atomisp/pci/hmm/hmm_bo.c:

/*
 * Convert user space virtual address into pages list
 */
static int alloc_user_pages(struct hmm_buffer_object *bo,
                            const void __user *userptr, bool cached)
{
        int page_nr;
        int i;
        struct vm_area_struct *vma;
        struct page **pages;

        pages = [...]
[...]
        mmap_read_lock(current->mm);
        vma = find_vma(current->mm, (unsigned long)userptr);
        mmap_read_unlock(current->mm);
        if (!vma) {
[...]
                return -EFAULT;
        }
[...]
        /*
         * Handle frame buffer allocated in other kerenl space driver
         * and map to user space
         */
[...]
        if (vma->vm_flags & (VM_IO | VM_PFNMAP)) {
                page_nr = pin_user_pages((unsigned long)userptr, bo->pgnr,
                                         FOLL_LONGTERM | FOLL_WRITE,
                                         pages, NULL);
                bo->mem_type = HMM_BO_MEM_TYPE_PFN;
        } else {
                /*Handle frame buffer allocated in user space*/
[...]
                page_nr = get_user_pages_fast((unsigned long)userptr,
                                              (int)(bo->pgnr), 1, pages);
[...]
        }
[...]
}


This code looks extremely dodgy to me. After
mmap_read_unlock(current->mm), the vma can be freed, and the following
access to vma->vm_flags can be a use-after-free. Also,
pin_user_pages() must be called with the mmap lock held, and you're
calling it without holding that lock.




[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Bugtraq]     [Linux OMAP]     [Linux MIPS]     [eCos]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux