The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to stable@vger.kernel.org.
To reproduce the conflict and resubmit, you may use the following commands:
    git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y
    git checkout FETCH_HEAD
    git cherry-pick -x 39bc27bd688066a63e56f7f64ad34fae03fbe3b8
    # <resolve conflicts, build, test, etc.>
    git commit -s
    git send-email --to 'stable@vger.kernel.org' --in-reply-to '2024061944-culture-agreeable-2b0e@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^..
Possible dependencies:
39bc27bd6880 ("drm/shmem-helper: Fix BUG_ON() on mmap(PROT_WRITE, MAP_PRIVATE)")
21aa27ddc582 ("drm/shmem-helper: Switch to reservation lock")
67fe7487fe89 ("drm/shmem-helper: Don't use vmap_use_count for dma-bufs")
3f6a1e22fae9 ("drm/shmem-helper: Switch to use drm_* debug helpers")
aa8c85affe3f ("drm/shmem-helper: Fix locking for drm_gem_shmem_get_pages_sgt()")
09bf649a7457 ("drm/shmem-helper: Avoid vm_open error paths")
24013314be6e ("drm/shmem-helper: Remove errant put in error path")
df4aaf015775 ("drm/shmem-helper: Add missing vunmap on error")
7938f4218168 ("dma-buf-map: Rename to iosys-map")
ae710a458f0a ("drm: Replace kernel.h with the necessary inclusions")
c47160d8edcd ("drm/mipi-dbi: Remove dependency on GEM CMA helper library")
e580ea25c08d ("drm/cma-helper: Pass GEM CMA object in public interfaces")
05b1de51df07 ("drm/cma-helper: Export dedicated wrappers for GEM object functions")
d0c4e34db0b0 ("drm/cma-helper: Move driver and file ops to the end of header")
6a2d2ddf2c34 ("drm: Move nomodeset kernel parameter to the DRM subsystem")
d76f25d66ec8 ("drm/vboxvideo: Drop CONFIG_VGA_CONSOLE guard to call vgacon_text_force()")
35f7775f81bf ("drm: Don't print messages if drivers are disabled due nomodeset")
a713ca234ea9 ("Merge drm/drm-next into drm-misc-next")
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From 39bc27bd688066a63e56f7f64ad34fae03fbe3b8 Mon Sep 17 00:00:00 2001
From: "Wachowski, Karol" <karol.wachowski@intel.com>
Date: Mon, 20 May 2024 12:05:14 +0200
Subject: [PATCH] drm/shmem-helper: Fix BUG_ON() on mmap(PROT_WRITE, MAP_PRIVATE)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Lack of check for copy-on-write (COW) mapping in drm_gem_shmem_mmap allows users to call mmap with PROT_WRITE and MAP_PRIVATE flag causing a kernel panic due to BUG_ON in vmf_insert_pfn_prot:

    BUG_ON((vma->vm_flags & VM_PFNMAP) && is_cow_mapping(vma->vm_flags));
Return -EINVAL early if COW mapping is detected.
This bug affects all drm drivers using default shmem helpers. It can be reproduced by this simple example:

    void *ptr = mmap(0, size, PROT_WRITE, MAP_PRIVATE, fd, mmap_offset);
    ptr[0] = 0;
Fixes: 2194a63a818d ("drm: Add library for shmem backed GEM objects")
Cc: Noralf Trønnes <noralf@tronnes.org>
Cc: Eric Anholt <eric@anholt.net>
Cc: Rob Herring <robh@kernel.org>
Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
Cc: Maxime Ripard <mripard@kernel.org>
Cc: Thomas Zimmermann <tzimmermann@suse.de>
Cc: David Airlie <airlied@gmail.com>
Cc: Daniel Vetter <daniel@ffwll.ch>
Cc: dri-devel@lists.freedesktop.org
Cc: <stable@vger.kernel.org> # v5.2+
Signed-off-by: Wachowski, Karol <karol.wachowski@intel.com>
Signed-off-by: Jacek Lawrynowicz <jacek.lawrynowicz@linux.intel.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: https://patchwork.freedesktop.org/patch/msgid/20240520100514.925681-1-jacek....
diff --git a/drivers/gpu/drm/drm_gem_shmem_helper.c b/drivers/gpu/drm/drm_gem_shmem_helper.c index e435f986cd13..1ff0678be7c7 100644 --- a/drivers/gpu/drm/drm_gem_shmem_helper.c +++ b/drivers/gpu/drm/drm_gem_shmem_helper.c @@ -610,6 +610,9 @@ int drm_gem_shmem_mmap(struct drm_gem_shmem_object *shmem, struct vm_area_struct return ret; }
+ if (is_cow_mapping(vma->vm_flags)) + return -EINVAL; + dma_resv_lock(shmem->base.resv, NULL); ret = drm_gem_shmem_get_pages(shmem); dma_resv_unlock(shmem->base.resv);
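Review bot: the new is_cow_mapping() check in drm_gem_shmem_mmap() sits after the preceding block that ends in "return ret;", so any mapping handled by that earlier path returns before the COW test runs. Either confirm that the earlier path cannot end up in vmf_insert_pfn_prot() with a private mapping, or move the check to the top of the function. A one-line comment above the check noting that a COW mapping would hit the BUG_ON() in vmf_insert_pfn_prot() would also keep the reason next to the code instead of only in the commit log.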
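The commit message above names is_cow_mapping() as the missing test. As an added example (a userspace model written for this page, not kernel code and not part of the patch), the block below shows which mmap() argument combinations the new guard rejects. The flag derivation is a simplified assumption covering only the bits the test reads, and model_vm_flags() and patched_guard() are hypothetical names.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/mman.h>

/* Bit values as in the kernel's include/linux/mm.h (model only). */
#define VM_READ     0x01UL
#define VM_WRITE    0x02UL
#define VM_SHARED   0x08UL
#define VM_MAYREAD  0x10UL
#define VM_MAYWRITE 0x20UL
#define VM_MAYSHARE 0x80UL

/* Same predicate as the kernel helper: not shared, and may become writable. */
static int is_cow_mapping(unsigned long flags)
{
    return (flags & (VM_SHARED | VM_MAYWRITE)) == VM_MAYWRITE;
}

/* Simplified model of how mmap() arguments on a file become vm_flags
 * (assumption: read permission on the fd and all other bits are ignored). */
static long model_vm_flags(int prot, int flags, int fd_writable)
{
    unsigned long vm = VM_MAYREAD | VM_MAYWRITE;
    if (prot & PROT_READ)
        vm |= VM_READ;
    if (prot & PROT_WRITE)
        vm |= VM_WRITE;
    if (flags & MAP_SHARED) {
        if ((prot & PROT_WRITE) && !fd_writable)
            return -EACCES;              /* shared write needs a writable fd */
        vm |= VM_SHARED | VM_MAYSHARE;
        if (!fd_writable)
            vm &= ~(VM_MAYWRITE | VM_SHARED);
    }
    return (long)vm;
}

/* Hypothetical helper: outcome of the patched guard for these arguments. */
static int patched_guard(int prot, int flags, int fd_writable)
{
    long vm = model_vm_flags(prot, flags, fd_writable);
    if (vm < 0)
        return (int)vm;
    return is_cow_mapping((unsigned long)vm) ? -EINVAL : 0;
}

int main(void)
{
    printf("private+write=%d private+read=%d shared+write=%d\n",
           patched_guard(PROT_WRITE, MAP_PRIVATE, 1),
           patched_guard(PROT_READ, MAP_PRIVATE, 1),
           patched_guard(PROT_WRITE, MAP_SHARED, 1));
    return 0;
}
```

In this model every MAP_PRIVATE mapping is rejected, including a read-only one, because VM_MAYWRITE stays set for private mappings.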