On Mon, Sep 16, 2024 at 04:34:41AM +0000, T.J. Mercier wrote:
> commit ea5ff5d351b520524019f7ff7f9ce418de2dad87 upstream.
>
> Until VM_DONTEXPAND was added in commit 1c1914d6e8c6 ("dma-buf: heaps:
> Don't track CMA dma-buf pages under RssFile") it was possible to obtain
> a mapping larger than the buffer size via mremap and bypass the overflow
> check in dma_buf_mmap_internal. When using such a mapping to attempt to
> fault past the end of the buffer, the CMA heap fault handler also checks
> the fault offset against the buffer size, but gets the boundary wrong by
> 1. Fix the boundary check so that we don't read off the end of the pages
> array and insert an arbitrary page in the mapping.
>
> Reported-by: Xingyu Jin <xingyuj@xxxxxxxxxx>
> Fixes: a5d2d29e24be ("dma-buf: heaps: Move heap-helper logic into the cma_heap implementation")

This commit is in 5.11, so why:

> Cc: stable@xxxxxxxxxxxxxxx # Applicable >= 5.10. Needs adjustments only for 5.10.

does this say 5.10?

thanks,

greg k-h
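The boundary bug the quoted commit message describes, modelled in user space as an added example (this is not the kernel's cma_heap code, and the struct, function names and the FAULT_SIGBUS sentinel are stand-ins chosen here). A fault handler that only rejects offsets strictly greater than the page count still accepts pgoff == pagecount and indexes one slot past the pages array; the fixed check rejects pgoff >= pagecount. The sample buffer is constructed, with one extra slot behind the pages array standing in for whatever memory happens to follow it, so the over-read is observable instead of undefined:

```c
/* Added example modelling the off-by-one boundary check discussed in the
 * thread. Not kernel code: names and layout are hypothetical stand-ins. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for a CMA heap buffer: pagecount pages, identified here by a
 * value stored per page in pages[] (a real buffer holds struct page *). */
struct cma_buffer {
    size_t pagecount;
    const uintptr_t *pages;
};

/* Sentinel playing the role of VM_FAULT_SIGBUS: the fault is refused. */
#define FAULT_SIGBUS ((uintptr_t)-1)

/* Buggy check: only pgoff > pagecount is refused, so pgoff == pagecount
 * passes and pages[pagecount] is read, one past the end of the array. */
static uintptr_t fault_buggy(const struct cma_buffer *buf, size_t pgoff)
{
    if (pgoff > buf->pagecount)
        return FAULT_SIGBUS;
    return buf->pages[pgoff];
}

/* Fixed check: valid indices are 0..pagecount-1, so pgoff >= pagecount
 * must be refused. */
static uintptr_t fault_fixed(const struct cma_buffer *buf, size_t pgoff)
{
    if (pgoff >= buf->pagecount)
        return FAULT_SIGBUS;
    return buf->pages[pgoff];
}

/* Constructed sample: a 4-page buffer. The backing array has one extra
 * slot representing whatever follows the pages array in memory, so the
 * out-of-bounds read in fault_buggy() is observable without crashing. */
#define SAMPLE_PAGES 4
static const uintptr_t sample_storage[SAMPLE_PAGES + 1] = {
    0x1000, 0x2000, 0x3000, 0x4000,
    0xdead, /* not a page of this buffer */
};
static const struct cma_buffer sample_buf = { SAMPLE_PAGES, sample_storage };

/* What each handler does for the first page past the buffer end, the
 * offset an oversized (mremap-grown) mapping can fault on. */
uintptr_t buggy_one_past_end(void)
{
    return fault_buggy(&sample_buf, SAMPLE_PAGES);
}

uintptr_t fixed_one_past_end(void)
{
    return fault_fixed(&sample_buf, SAMPLE_PAGES);
}

/* In-range faults behave identically under both checks. */
int in_range_agree(void)
{
    for (size_t i = 0; i < SAMPLE_PAGES; i++)
        if (fault_buggy(&sample_buf, i) != fault_fixed(&sample_buf, i))
            return 0;
    return 1;
}

/* For a mapping of mapping_pages pages that is larger than the buffer,
 * count the fault offsets beyond the buffer that the handler accepts.
 * The buggy check leaks exactly one foreign slot however large the
 * mapping grows; the fixed check leaks none. */
size_t bad_offsets(uintptr_t (*handler)(const struct cma_buffer *, size_t),
                   size_t mapping_pages)
{
    size_t n = 0;
    for (size_t off = sample_buf.pagecount; off < mapping_pages; off++)
        if (handler(&sample_buf, off) != FAULT_SIGBUS)
            n++;
    return n;
}

int main(void)
{
    printf("pgoff == pagecount: buggy maps %#lx, fixed returns %s\n",
           (unsigned long)buggy_one_past_end(),
           fixed_one_past_end() == FAULT_SIGBUS ? "SIGBUS" : "a page");
    printf("8-page mapping over a 4-page buffer: buggy leaks %zu slot(s), fixed %zu\n",
           bad_offsets(fault_buggy, 8), bad_offsets(fault_fixed, 8));
    return 0;
}
```

The point of bad_offsets() is that the over-read is bounded to one slot: offsets past pagecount + 1 are refused by both checks, so the exposure is precisely the single page-sized object that follows the pages array, which is why the commit message speaks of inserting "an arbitrary page" rather than arbitrary memory. With VM_DONTEXPAND set, the mapping can no longer grow past the mmap-time size check, so the fault handler's check becomes a second line of defence rather than the only one.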