From patchwork Tue Jan 5 17:46:06 2016
X-Patchwork-Submitter: Jiri Slaby
X-Patchwork-Id: 59207
From: Jiri Slaby
To: stable@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, Marek Szyprowski, Russell King, Jiri Slaby
Subject: [PATCH 3.12 22/91] ARM: 8426/1: dma-mapping: add missing range check in dma_mmap()
Date: Tue, 5 Jan 2016 18:46:06 +0100
Message-Id: <3e8936ea3ce4c67f1d129bc7e76aaf19fa45a976.1452015822.git.jslaby@suse.cz>
X-Mailer: git-send-email 2.6.4
X-Mailing-List: linux-kernel@vger.kernel.org

From: Marek Szyprowski

3.12-stable review patch. If anyone has any objections, please let me know.

===============

commit 371f0f085f629fc0f66695f572373ca4445a67ad upstream.

dma_mmap() function in IOMMU-based dma-mapping implementation lacked a check for valid range of mmap parameters (offset and buffer size), which might have caused access beyond the allocated buffer. This patch fixes this issue.

Signed-off-by: Marek Szyprowski
Signed-off-by: Russell King
Signed-off-by: Jiri Slaby

--- arch/arm/mm/dma-mapping.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/arch/arm/mm/dma-mapping.c b/arch/arm/mm/dma-mapping.c index 79cff8fdbaf3..f817f3064d67 100644 --- a/arch/arm/mm/dma-mapping.c +++ b/arch/arm/mm/dma-mapping.c 
@@ -1378,12 +1378,17 @@ static int arm_iommu_mmap_attrs(struct device *dev, struct vm_area_struct *vma, unsigned long uaddr = vma->vm_start; unsigned long usize = vma->vm_end - vma->vm_start; struct page **pages = __iommu_get_pages(cpu_addr, attrs); + unsigned long nr_pages = PAGE_ALIGN(size) >> PAGE_SHIFT; + unsigned long off = vma->vm_pgoff; vma->vm_page_prot = __get_dma_pgprot(attrs, vma->vm_page_prot); if (!pages) return -ENXIO; + if (off >= nr_pages || (usize >> PAGE_SHIFT) > nr_pages - off) + return -ENXIO; + do { int ret = vm_insert_page(vma, uaddr, *pages++); if (ret) {
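Review bot: in arm_iommu_mmap_attrs(), `off` is used only in the new bounds check; in the lines shown, the loop still starts at `*pages++` from the first page of the buffer, so a non-zero `vma->vm_pgoff` that passes the check would be mapped from page 0 rather than from page `off`. If the offset is meant to be honoured, advance the array after the check (for example `pages += off;`); if not, reject any non-zero `off` so the check matches what the loop actually maps. The ordering of the test itself looks right: `off >= nr_pages` is evaluated first, so `nr_pages - off` cannot underflow. A short comment stating that `nr_pages` is derived from the allocation `size` and `usize` from the VMA would make the intent of the comparison clearer to later readers.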