1. Patchew
  2. linux
  3. View series

[PATCH v1] dmaengine: idxd: Fix allowing write() from different address spaces

Vinicius Costa Gomes posted 1 patch 8 months, 1 week ago 
drivers/dma/idxd/cdev.c | 3 +++
1 file changed, 3 insertions(+)
[PATCH v1] dmaengine: idxd: Fix allowing write() from different address spaces
Posted by Vinicius Costa Gomes 8 months, 1 week ago 
Check if the process submitting the descriptor belongs to the same
address space as the one that opened the file, reject otherwise.

Fixes: 6827738dc684 ("dmaengine: idxd: add a write() method for applications to submit work")
Signed-off-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
---
 drivers/dma/idxd/cdev.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/dma/idxd/cdev.c b/drivers/dma/idxd/cdev.c
index ff94ee892339..373c622fcddc 100644
--- a/drivers/dma/idxd/cdev.c
+++ b/drivers/dma/idxd/cdev.c
@@ -473,6 +473,9 @@ static ssize_t idxd_cdev_write(struct file *filp, const char __user *buf, size_t
 	ssize_t written = 0;
 	int i;
 
+	if (current->mm != ctx->mm)
+		return -EPERM;
+
 	for (i = 0; i < len/sizeof(struct dsa_hw_desc); i++) {
 		int rc = idxd_submit_user_descriptor(ctx, udesc + i);
 
-- 
2.49.0
Re: [PATCH v1] dmaengine: idxd: Fix allowing write() from different address spaces
Posted by Nathan Lynch 8 months, 1 week ago 
Vinicius Costa Gomes <vinicius.gomes@intel.com> writes:
> Check if the process submitting the descriptor belongs to the same
> address space as the one that opened the file, reject otherwise.

I assume this can happen after a fork.

Do idxd_cdev_mmap() and idxd_cdev_poll() need similar protection?

>
> Fixes: 6827738dc684 ("dmaengine: idxd: add a write() method for applications to submit work")
> Signed-off-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
> ---
>  drivers/dma/idxd/cdev.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/drivers/dma/idxd/cdev.c b/drivers/dma/idxd/cdev.c
> index ff94ee892339..373c622fcddc 100644
> --- a/drivers/dma/idxd/cdev.c
> +++ b/drivers/dma/idxd/cdev.c
> @@ -473,6 +473,9 @@ static ssize_t idxd_cdev_write(struct file *filp, const char __user *buf, size_t
>  	ssize_t written = 0;
>  	int i;
>  
> +	if (current->mm != ctx->mm)
> +		return -EPERM;
> +
>  	for (i = 0; i < len/sizeof(struct dsa_hw_desc); i++) {
>  		int rc = idxd_submit_user_descriptor(ctx, udesc + i);
>  
> -- 
> 2.49.0
Re: [PATCH v1] dmaengine: idxd: Fix allowing write() from different address spaces
Posted by Dave Jiang 8 months ago 

On 4/16/25 8:10 AM, Nathan Lynch wrote:
> Vinicius Costa Gomes <vinicius.gomes@intel.com> writes:
>> Check if the process submitting the descriptor belongs to the same
>> address space as the one that opened the file, reject otherwise.
> 
> I assume this can happen after a fork.
> 
> Do idxd_cdev_mmap() and idxd_cdev_poll() need similar protection?

Seems reasonable. Vinicius is on sabbatical. I'll respin his code and add the suggested checks. Thanks Nathan.

DJ

> 
>>
>> Fixes: 6827738dc684 ("dmaengine: idxd: add a write() method for applications to submit work")
>> Signed-off-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
>> ---
>>  drivers/dma/idxd/cdev.c | 3 +++
>>  1 file changed, 3 insertions(+)
>>
>> diff --git a/drivers/dma/idxd/cdev.c b/drivers/dma/idxd/cdev.c
>> index ff94ee892339..373c622fcddc 100644
>> --- a/drivers/dma/idxd/cdev.c
>> +++ b/drivers/dma/idxd/cdev.c
>> @@ -473,6 +473,9 @@ static ssize_t idxd_cdev_write(struct file *filp, const char __user *buf, size_t
>>  	ssize_t written = 0;
>>  	int i;
>>  
>> +	if (current->mm != ctx->mm)
>> +		return -EPERM;
>> +
>>  	for (i = 0; i < len/sizeof(struct dsa_hw_desc); i++) {
>>  		int rc = idxd_submit_user_descriptor(ctx, udesc + i);
>>  
>> -- 
>> 2.49.0
Re: [PATCH v1] dmaengine: idxd: Fix allowing write() from different address spaces
Posted by Dave Jiang 8 months, 1 week ago 

On 4/15/25 7:52 PM, Vinicius Costa Gomes wrote:
> Check if the process submitting the descriptor belongs to the same
> address space as the one that opened the file, reject otherwise.
> 
> Fixes: 6827738dc684 ("dmaengine: idxd: add a write() method for applications to submit work")
> Signed-off-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>

Reviewed-by: Dave Jiang <dave.jiang@intel.com>

> ---
>  drivers/dma/idxd/cdev.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/drivers/dma/idxd/cdev.c b/drivers/dma/idxd/cdev.c
> index ff94ee892339..373c622fcddc 100644
> --- a/drivers/dma/idxd/cdev.c
> +++ b/drivers/dma/idxd/cdev.c
> @@ -473,6 +473,9 @@ static ssize_t idxd_cdev_write(struct file *filp, const char __user *buf, size_t
>  	ssize_t written = 0;
>  	int i;
>  
> +	if (current->mm != ctx->mm)
> +		return -EPERM;
> +
>  	for (i = 0; i < len/sizeof(struct dsa_hw_desc); i++) {
>  		int rc = idxd_submit_user_descriptor(ctx, udesc + i);
>

Patchew 2.1-devel-b67e4c2

© 2016 - 2025 Red Hat, Inc.