Re: [PATCH 5.10.y] dma-buf: heaps: Fix off-by-one in CMA heap fault handler


 



On Mon, Sep 16, 2024 at 12:44 AM Greg KH <gregkh@xxxxxxxxxxxxxxxxxxx> wrote:
>
> On Mon, Sep 16, 2024 at 12:38:26AM -0700, T.J. Mercier wrote:
> > On Mon, Sep 16, 2024 at 12:02 AM Greg KH <gregkh@xxxxxxxxxxxxxxxxxxx> wrote:
> > >
> > > On Mon, Sep 16, 2024 at 04:34:41AM +0000, T.J. Mercier wrote:
> > > > commit ea5ff5d351b520524019f7ff7f9ce418de2dad87 upstream.
> > > >
> > > > Until VM_DONTEXPAND was added in commit 1c1914d6e8c6 ("dma-buf: heaps:
> > > > Don't track CMA dma-buf pages under RssFile") it was possible to obtain
> > > > a mapping larger than the buffer size via mremap and bypass the overflow
> > > > check in dma_buf_mmap_internal. When using such a mapping to attempt to
> > > > fault past the end of the buffer, the CMA heap fault handler also checks
> > > > the fault offset against the buffer size, but gets the boundary wrong by
> > > > 1. Fix the boundary check so that we don't read off the end of the pages
> > > > array and insert an arbitrary page in the mapping.
> > > >
> > > > Reported-by: Xingyu Jin <xingyuj@xxxxxxxxxx>
> > > > Fixes: a5d2d29e24be ("dma-buf: heaps: Move heap-helper logic into the cma_heap implementation")
> > >
> > > This commit is in 5.11, so why:
> > >
> > > > Cc: stable@xxxxxxxxxxxxxxx # Applicable >= 5.10. Needs adjustments only for 5.10.
> > >
> > > does this say 5.10?
> > >
> > > thanks,
> > >
> > > greg k-h
> >
> > a5d2d29e24be ("dma-buf: heaps: Move heap-helper logic into the
> > cma_heap implementation") moved the code from this heap-helpers.c file
> > to cma_heap.c in 5.11, which is the only place it lives upstream now.
> > The bug still exists in the original location in this heap-helpers.c
> > file on 5.10.
>
> Ah, then that was the wrong Fixes: tag :(
>
> thanks, I'll go queue this up now.
>
> greg k-h

Ok sorry about that. Thanks.
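
An added illustration, not the kernel code and not part of the thread, of the boundary error the quoted commit message describes: a userspace model of a fault handler that indexes a pages array by fault offset. The names model_buf, fault_buggy, fault_fixed and stray_pages, the guard slot, and the exact form of the flawed comparison are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#define PAGECOUNT 4   /* constructed: buffer size in pages */
#define MAPPED    6   /* constructed: oversized mapping, as after an mremap grow */
static const char GUARD[] = "not-ours";

struct model_buf {
    size_t pagecount;
    const char *pages[PAGECOUNT + 1]; /* extra guard slot keeps the demo free of UB */
};

static void model_init(struct model_buf *b)
{
    static const char *names[PAGECOUNT] = { "p0", "p1", "p2", "p3" };
    b->pagecount = PAGECOUNT;
    for (size_t i = 0; i < PAGECOUNT; i++)
        b->pages[i] = names[i];
    b->pages[PAGECOUNT] = GUARD; /* stands in for whatever follows the real array */
}

/* Flawed check (assumed form): pgoff == pagecount slips through. NULL models SIGBUS. */
static const char *fault_buggy(const struct model_buf *b, size_t pgoff)
{
    if (pgoff > b->pagecount)
        return NULL;
    return b->pages[pgoff];
}

/* Corrected check: valid indices are 0 .. pagecount - 1. */
static const char *fault_fixed(const struct model_buf *b, size_t pgoff)
{
    return pgoff >= b->pagecount ? NULL : b->pages[pgoff];
}

/* Count mapping offsets whose fault resolves to a page outside the buffer. */
static int stray_pages(const char *(*fault)(const struct model_buf *, size_t))
{
    struct model_buf b;
    int stray = 0;
    model_init(&b);
    for (size_t off = 0; off < MAPPED; off++)
        stray += (fault(&b, off) == GUARD);
    return stray;
}

int main(void)
{
    printf("buggy: %d stray, fixed: %d stray\n", stray_pages(fault_buggy), stray_pages(fault_fixed));
}
```

Only the offset equal to the page count gets past the flawed comparison; larger offsets are already rejected, which is why the error is a single-slot read past the array rather than an unbounded one.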




