drm/i915/gvt: Fix mmap range check

author Zhenyu Wang <zhenyuw@linux.intel.com>

Fri, 11 Jan 2019 05:58:53 +0000 (13:58 +0800)

committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Tue, 22 Jan 2019 20:40:33 +0000 (21:40 +0100)
author Zhenyu Wang <zhenyuw@linux.intel.com>
Fri, 11 Jan 2019 05:58:53 +0000 (13:58 +0800)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 22 Jan 2019 20:40:33 +0000 (21:40 +0100)
diff --git a/drivers/gpu/drm/i915/gvt/kvmgt.c b/drivers/gpu/drm/i915/gvt/kvmgt.c

index 9ad89e3..12e4203 100644 (file)
--- a/drivers/gpu/drm/i915/gvt/kvmgt.c
+++ b/drivers/gpu/drm/i915/gvt/kvmgt.c
@@ -996,7 +996,7 @@ static int intel_vgpu_mmap(struct mdev_device *mdev, struct vm_area_struct *vma)
  {
         unsigned int index;
         u64 virtaddr;
-       unsigned long req_size, pgoff = 0;
+       unsigned long req_size, pgoff, req_start;
         pgprot_t pg_prot;
         struct intel_vgpu *vgpu = mdev_get_drvdata(mdev);
  
@@ -1014,7 +1014,17 @@ static int intel_vgpu_mmap(struct mdev_device *mdev, struct vm_area_struct *vma)
         pg_prot = vma->vm_page_prot;
         virtaddr = vma->vm_start;
         req_size = vma->vm_end - vma->vm_start;
-       pgoff = vgpu_aperture_pa_base(vgpu) >> PAGE_SHIFT;
+       pgoff = vma->vm_pgoff &
+               ((1U << (VFIO_PCI_OFFSET_SHIFT - PAGE_SHIFT)) - 1);
+       req_start = pgoff << PAGE_SHIFT;
+
+       if (!intel_vgpu_in_aperture(vgpu, req_start))
+               return -EINVAL;
+       if (req_start + req_size >
+           vgpu_aperture_offset(vgpu) + vgpu_aperture_sz(vgpu))
+               return -EINVAL;
+
+       pgoff = (gvt_aperture_pa_base(vgpu->gvt) >> PAGE_SHIFT) + pgoff;
  
         return remap_pfn_range(vma, virtaddr, pgoff, req_size, pg_prot);
  }
author	Zhenyu Wang <zhenyuw@linux.intel.com>
	Fri, 11 Jan 2019 05:58:53 +0000 (13:58 +0800)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Tue, 22 Jan 2019 20:40:33 +0000 (21:40 +0100)